cbcvebase.
CVE-2019-19492
published 2019-12-02

CVE-2019-19492: FreeSWITCH 1.6.10 through 1.10.1 has a default password in event_socket.conf.xml.

PriorityP187critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEVInitial access
Exploited in the wild
EPSS
28.95%
97.9th percentile
FreeSWITCH 1.6.10 through 1.10.1 has a default password in event_socket.conf.xml.

Affected

1 ranges
VendorProductVersion rangeFixed in
freeswitchfreeswitch1.6.10 – 1.10.1

Detection & IOCsextracted from sources · hover to see the quote

port8021
commandsystem
pathevent_socket.conf.xml
  • Monitor for inbound TCP connections to port 8021, which is the default FreeSWITCH Event Socket listener; unexpected external or lateral connections to this port may indicate exploitation attempts.
  • Alert on use of the FreeSWITCH `system` API command over the Event Socket interface, which is the mechanism used to achieve OS command execution in this exploit.
  • Audit event_socket.conf.xml for the presence of a default/unchanged password; authentication with the default credential is a strong indicator of exploitation or pre-exploitation reconnaissance.
  • ·The Event Socket service is enabled by default, meaning all unpatched FreeSWITCH installs in the affected version range (1.6.10–1.10.1) are exposed without any additional attacker configuration required.
  • ·The CISA advisory notes a separate but related hard-coded credential issue in the Sensormatic victor SIP component (also assigned CVE-2019-19492); this is a local-only, low-complexity vulnerability not exploitable remotely.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.