It does unless you tell it not to (or don’t activate the firewall). I think this is a very important data point that people need to keep in mind. You cannot control the choices of the individual users. In the other thread people openly admit the had the admin GUI exposed to the Internet in some unsafe form.
It really doesn’t matter how many firewalls are in front of the system if someone went in and exposes the system GUI access in all the firewalls. Unfortunately we can’t write modules to stop that.
Yes there was a RCE in the code, honestly there probably is more that haven’t been found yet, but at the same time the human factor (i.e. people turning off or having poorly configured security) is an outside factor that Sangoma can’t account for.