CVE-2022-28005
Published 2022-05-06
Priority: P1 84 · critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · VulnCheck KEV
Exploited in the wild
EPSS: 6.59% (93.0th percentile)
An issue was discovered in the 3CX Phone System Management Console prior to version 18 Update 3 FINAL. An unauthenticated attacker could abuse improperly secured access to arbitrary files on the server (via /Electron/download directory traversal in conjunction with a path component that uses backslash characters), leading to cleartext credential disclosure. Afterwards, the authenticated attacker is able to upload a file that overwrites a 3CX service binary, leading to Remote Code Execution as NT AUTHORITY\SYSTEM on Windows installations. NOTE: this issue exists because of an incomplete fix for CVE-2022-48482.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 3cx | 3cx | < 18.0.3.461 | 18.0.3.461 |
| 3cx | 3cx | <= 18.0.3.450 | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | — | 9.8 | CRITICAL | — |
VulDB
CVE-2022-28005 [CRITICAL] 3CX Phone System Management Console missing encryption (EUVD-2022-32491)
vuldb · 2026-05-16 · CVSS 9.8
A vulnerability identified as problematic has been detected in 3CX Phone System Management Console. This affects an unknown part. This manipulation causes missing encryption of sensitive data.
This vulnerability is handled as CVE-2022-28005. The attack can be initiated remotely. There is no exploit available.
You should upgrade the affected component.
GHSA
CVE-2022-48483 [CRITICAL] CWE-22 GHSA-q8jh-8mqf-vwq9: 3CX before 18 Hotfix 1 build 18
ghsa_unreviewed · 2023-05-02 · CVSS 9.8
3CX before 18 Hotfix 1 build 18.0.3.461 on Windows allows unauthenticated remote attackers to read %WINDIR%\system32 files via /Electron/download directory traversal in conjunction with a path component that has a drive letter and uses backslash characters. NOTE: this issue exists because of an incomplete fix for CVE-2022-28005.
GHSA
CVE-2022-28005 [CRITICAL] CWE-522 GHSA-m9wh-p6h4-rmvw: An issue was discovered in the 3CX Phone System Management Console prior to version 18 Update 3 FINAL
ghsa_unreviewed · 2022-05-07
An issue was discovered in the 3CX Phone System Management Console prior to version 18 Update 3 FINAL. An unauthenticated attacker could abuse improperly secured access to arbitrary files on the server, leading to cleartext credential disclosure. Afterwards, the authenticated attacker is able to upload a file that overwrites a 3CX service binary, leading to Remote Code Execution as NT AUTHORITY\SYSTEM on Windows installations. Versions prior to version 18, Hotfix 1 Build 18.0.3.461 March 2022, are prone to an additional unauthenticated file system access to C:\Windows\System32.
VulnCheck
CVE-2022-28005 [CRITICAL] 3cx 3cx Insufficiently Protected Credentials
vulncheck · 2022 · CVSS 9.8
An issue was discovered in the 3CX Phone System Management Console prior to version 18 Update 3 FINAL. An unauthenticated attacker could abuse improperly secured access to arbitrary files on the server (via /Electron/download directory traversal in conjunction with a path component that uses backslash characters), leading to cleartext credential disclosure. Afterwards, the authenticated attacker is able to upload a file that overwrites a 3CX service binary, leading to Remote Code Execution as NT AUTHORITY\SYSTEM on Windows installations. NOTE: this issue exists because of an incomplete fix for CVE-2022-48482.
Affected: 3cx 3cx
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remed
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://medium.com/%40frycos/pwning-3cx-phone-management-backends-from-the-internet-d0096339dd88
- https://www.3cx.com/blog/change-log/phone-system-change-log/
- https://www.3cx.com/blog/releases/v18-security-hotfix/
- https://www.3cx.com/blog/releases/v18-update-3-final/