Sangoma was recently made aware of a significant security vulnerability affecting the administrator web interface for current versions of FreePBX and PBXact. Sangoma has published updated versions of the “framework” module for FreePBX and PBXact to our mirror servers, and they should be available to you now. Many modern FreePBX systems are set to automatically apply security updates, but we STRONGLY encourage you to check all of your FreePBX systems to make sure that they have updated to the new version. To do this, please go to Admin -> Module Admin and make sure the version of the “FreePBX Framework” module is greater than or equal to one of the following versions:
For FreePBX/PBXact 13: v22.214.171.124
For FreePBX/PBXact 14: v126.96.36.199
For FreePBX/PBXact 15: v188.8.131.52
You may also check the version of the modules from the Linux command-line on your FreePBX/PBXact system by running “fwconsole ma list” and looking at the version of the “framework” module.
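The command-line check above can be scripted so the comparison against the advisory's minimum version is not done by eye. The following is an added example, not Sangoma's code: the function names are hypothetical, the table layout (pipe-delimited, Module and Version as the first two columns) is an assumption about the “fwconsole ma list” output, and the sample table uses made-up version numbers.

```shell
# Added example. Assumes `fwconsole ma list` prints a pipe-delimited table
# whose first two columns are Module and Version.

# Print the Version column for module $1 from a table read on stdin.
module_version() {
    awk -F'|' -v mod="$1" '{
        name = $2; ver = $3
        gsub(/^[ \t]+|[ \t]+$/, "", name)
        gsub(/^[ \t]+|[ \t]+$/, "", ver)
        if (name == mod) { print ver; exit }
    }'
}

# Succeed only for dotted-numeric strings such as 1.2.3.4.
is_version() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
}

# Succeed if version $1 >= $2, comparing each dotted field as a number
# (a plain string comparison would rank 0.0.9.30 above 0.0.10.2).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Read a module table on stdin; $1 is the minimum framework version taken
# from the advisory. Returns 0 = patched, 1 = outdated, 2 = undetermined.
check_framework() {
    min=$1
    ver=$(module_version framework)
    if ! is_version "$ver" || ! is_version "$min"; then
        echo "UNKNOWN: framework version not readable"; return 2
    fi
    if version_ge "$ver" "$min"; then echo "OK: framework $ver >= $min"
    else echo "OUTDATED: framework $ver < $min"; return 1; fi
}

# Constructed sample table with made-up version numbers (not real releases).
SAMPLE_LIST='| Module    | Version  | Status  | License |
| core      | 0.0.8.1  | Enabled | GPLv3+  |
| framework | 0.0.10.2 | Enabled | GPLv2+  |'
printf '%s\n' "$SAMPLE_LIST" | check_framework 0.0.9.30
```

On a FreePBX or PBXact system, pipe the real listing in instead of the sample: `fwconsole ma list | check_framework <minimum version for your release>`. A non-zero exit status means the system is outdated or the version could not be read, which makes the check usable across many hosts.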
While keeping your system up to date is critical in preventing security issues, we also encourage all FreePBX and PBXact users to follow strong security practices, such as limiting exposure of your FreePBX or PBXact Admin GUI whenever possible.
We would like to publicly thank those who reported this issue to us in a responsible manner. This responsible disclosure allowed us to prepare updates and make them available before public disclosure of the vulnerability, so that FreePBX users can secure their systems.
More details on the vulnerability are available on the FreePBX wiki at https://wiki.freepbx.org/display/FOP/2019-11-20+Remote+Admin+Authentication+Bypass