PT-2022-18743 · 3CX · 3CX Phone System Management Console

Ruth Elizabeth Abbott · Published 2022-05-06 · Updated 2025-01-30

CVE-2022-28005 · CVSS v3.1 9.8 (Critical) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: 3CX Phone System Management Console, versions prior to 18 Update 3 FINAL
Description: An issue was discovered in the 3CX Phone System Management Console. An unauthenticated attacker can abuse improperly secured access to arbitrary files on the server, leading to cleartext credential disclosure. The access is obtained through directory traversal under the /Electron/download path, using a path component that contains backslash characters. With the recovered credentials, the now-authenticated attacker can upload a file that overwrites a 3CX service binary, resulting in remote code execution as NT AUTHORITY\SYSTEM on Windows installations. Versions prior to 18 Hotfix 1 Build 18.0.3.461 are additionally prone to unauthenticated file system access to C:\Windows\System32.
Recommendations: Update to version 18 Update 3 FINAL or later, which resolves the issue; installations older than 18 Hotfix 1 Build 18.0.3.461 also receive the fix for the unauthenticated access to C:\Windows\System32. Until the update can be applied, restrict access to the /Electron/download path (for example, to trusted management networks only) to reduce exposure to the traversal, and restrict unauthenticated access to C:\Windows\System32 on builds before 18.0.3.461.
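A typical root cause for the backslash variant the description mentions is a filter that recognises only the forward-slash form of "..", while Windows file APIs also honour "\" as a separator; whether that is exactly the 3CX defect is not stated on this page. The Python below is added here as an illustration and is not code from 3CX or from this advisory. It shows that gap beside a hardened resolver that decodes, unifies separators and checks containment with Windows path semantics, and a small retrospective scan of web-server access logs for /Electron/download requests carrying a traversal sequence. DOWNLOAD_ROOT, the secrets.ini filename and the log lines are constructed for the example and do not describe the real 3CX layout.

```python
import ntpath
import re
from urllib.parse import unquote

# Assumed served directory for the example; the real 3CX on-disk layout is not described on this page.
DOWNLOAD_ROOT = r"C:\Example\Electron\download"

# Constructed Combined-Log-Format lines; not real 3CX logs.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/May/2022:10:00:01 +0000] "GET /Electron/download/report.pdf HTTP/1.1" 200 5120',
    '198.51.100.7 - - [06/May/2022:10:00:02 +0000] "GET /Electron/download/..%5c..%5csecrets.ini HTTP/1.1" 200 812',
    '198.51.100.7 - - [06/May/2022:10:00:03 +0000] "GET /Electron/download/%252e%252e%255c%252e%252e%255csecrets.ini HTTP/1.1" 200 812',
    '10.0.0.9 - - [06/May/2022:10:00:04 +0000] "GET /login?next=..%2f HTTP/1.1" 302 0',
]


def naive_resolve(requested: str) -> str:
    """Illustrative vulnerable resolver (not 3CX's code): it blocks only the
    forward-slash form of traversal. Windows file APIs also accept '\\' as a
    separator, so '..\\..\\' walks out of DOWNLOAD_ROOT unnoticed."""
    if "../" in requested:
        raise ValueError("traversal rejected")
    # ntpath applies Windows path semantics on any host, so the escape is visible here too.
    return ntpath.normpath(ntpath.join(DOWNLOAD_ROOT, requested))


def safe_resolve(requested: str) -> str:
    """Hardened resolver: decode, unify separators, normalise with Windows
    semantics, then require the result to stay under DOWNLOAD_ROOT."""
    # Two passes catch %252e%252e%255c (double encoding); a legitimate name
    # containing a literal '%' would need stricter handling than this example.
    decoded = unquote(unquote(requested))
    unified = decoded.replace("/", "\\")
    # Reject drive letters, UNC prefixes and rooted paths outright.
    drive, tail = ntpath.splitdrive(unified)
    if drive or tail.startswith("\\"):
        raise ValueError("absolute or drive-relative path rejected")
    full = ntpath.normpath(ntpath.join(DOWNLOAD_ROOT, unified))
    root = ntpath.normpath(DOWNLOAD_ROOT) + "\\"  # trailing separator defeats 'download2' prefix tricks
    if not full.lower().startswith(root.lower()):
        raise ValueError("traversal rejected")
    return full


def is_allowed(requested: str) -> bool:
    """Boolean wrapper around safe_resolve for callers that only need a verdict."""
    try:
        safe_resolve(requested)
        return True
    except ValueError:
        return False


REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")


def flag_traversal_requests(log_lines):
    """Return the raw request targets that hit /Electron/download with a
    dot-dot sequence in either separator, plain or URL-encoded (including
    double encoding). Retrospective hunting, not a replacement for the update."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group(1)
        decoded = unquote(unquote(target))
        if decoded.lower().startswith("/electron/download") and TRAVERSAL_RE.search(decoded):
            hits.append(target)
    return hits


if __name__ == "__main__":
    print("naive  :", naive_resolve("..\\..\\secrets.ini"))  # escapes DOWNLOAD_ROOT
    print("safe   :", is_allowed("..\\..\\secrets.ini"))     # False
    for t in flag_traversal_requests(SAMPLE_LOG):
        print("flagged:", t)
```

The containment check compares the fully normalised result against the root with a trailing separator, so neither the encoded separator, the double-encoded form, a rooted "\Windows\..." path nor a sibling directory sharing the "download" prefix gets through; the log scan applies the same decoding before matching, which is what makes the %255c line visible.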

Fix: available (see Recommendations)

Weakness Enumeration: Insufficiently Protected Credentials (CWE-522)

Related Identifiers: CVE-2022-28005

Affected Products: 3CX Phone System Management Console