Security Advisory: Please Lock Down Your Administrator Access

Well this is an interesting data point. It means that most likely one of the following happened:

  1. The RCE code was introduced within the last 4 years, which would be interesting since all recent RCEs have been related to way older code.

  2. The RCE code exists in older versions but may not be exposed as easily, or at all, in PHP5.x, but moving to PHP7.x and higher exposes the RCE. There were big changes in how PHP handles things between PHP5.x and PHP7.x, including serialization. Those changes could have exposed the RCE or a path to the RCE if they were not accounted for.

We really won’t know until there are more details provided by Sangoma about this RCE and what caused it. However, I wouldn’t go around feeling safe just because you’re on an older version of FreePBX. Don’t confuse an accident of environment with secure code.

Either way, it really doesn’t matter if it was option 1 or option 2; this goes back to the same conversation we always end up in…the QA/QC of this project.