PT-2022-8314 · 3Cx · 3Cx Phone System

Published: 2022-06-07 · Updated: 2022-06-14 · CVE-2019-9972

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

3CX Phone System versions 16.0.0.1570

Description

The issue allows an authenticated attacker to execute arbitrary commands with the phonesystem user privileges due to the mishandling of a specific input sequence, namely " followed by ".

Recommendations

For version 16.0.0.1570, consider restricting access to the PhoneSystem Terminal to minimize the risk of exploitation until a patch is available. As a temporary workaround, limit the privileges of the phonesystem user to reduce potential damage from arbitrary command execution.

Exploit

Fix

Command Injection


Weakness Enumeration

Related Identifiers

CVE-2019-9972

Affected Products

3Cx Phone System