theinfosecnews

CVE-2019-19006

CISA KEV

Published February 3, 2026 · Updated April 3, 2026

high

What This Means

## CVE-2019-19006: FreePBX Authentication Bypass

Sangoma FreePBX contains an authentication bypass flaw that allows attackers to access the admin interface without valid credentials, gaining control over PBX configuration and call routing. An unauthenticated remote attacker can exploit this to modify system settings, intercept calls, or create unauthorized user accounts. Patch FreePBX immediately by applying security updates from Sangoma; if patching is delayed, restrict network access to the admin panel using firewall rules and VPN enforcement.

Official Description

Sangoma FreePBX contains an improper authentication vulnerability that potentially allows unauthorized users to bypass password authentication and access services provided by the FreePBX admin.

Affected Products

| Vendor | Product |
| --- | --- |
| Sangoma | FreePBX |

Patch Status

Patch by 2026-02-24

Recommended Actions

  1. Check if your systems use any of the affected products listed above.
  2. Apply vendor patches immediately if available.
  3. This vulnerability is in CISA's Known Exploited Vulnerabilities catalog — prioritize remediation.
  4. Monitor vendor advisories for updates and additional mitigations.
  5. Review logs for indicators of compromise related to CVE-2019-19006.

Related Coverage

Vulnerability

CVE-2019-19006: Sangoma FreePBX Authentication Bypass Grants Unauthenticated Admin Access

CVE-2019-19006 is an improper authentication vulnerability in Sangoma FreePBX that allows unauthenticated remote attackers to bypass password controls and gain full administrative access to the PBX management interface. Successful exploitation enables toll fraud, call interception, credential theft, and persistent account creation. CISA has added this CVE to the Known Exploited Vulnerabilities catalog with a federal patch deadline of February 24, 2026.

CISA KEV · 59d ago · 3 min read