3CX VoIP warns of DB integration vulnerability, asks customers to disable DB integrations
Take action: The advisory is very vague, and it is not clear what the DB-integration vulnerability in 3CX actually is. It deserves attention anyway, since a VoIP service is very probably exposed to the internet. As usual, if you are one of the companies using 3CX servers and have integrated them with a database, lock down the management interface so it is not reachable from the internet and consider disabling the DB integration. Then start calling your 3CX contact to get more information.
Learn More
VoIP company 3CX has issued a warning to its customers, urging them to deactivate SQL Database integrations due to a potential vulnerability. 3CX is a software-based private branch exchange (PBX) platform for Voice over Internet Protocol (VoIP) and other unified communications services.
Unfortunately, specific details about the security issue are not provided. The advisory, which applies to versions 18 and 20 of 3CX's VoIP software, recommends disabling integrations with MongoDB, MsSQL, MySQL, and PostgreSQL databases as a precaution.
Pierre Jourdan, 3CX's CISO, noted that the vulnerability's impact depends on the configuration. According to the information provided, no web-based CRM integrations are affected.
This warning follows a March 2023 incident in which 3CX's desktop client was compromised in a supply chain attack, leading to malware distribution.