CVE-2023-29059
Published: 2023-03-30
Priority: P2 (78) · high · 7.8 · CVSS 3.1
Exploited in the wild (VulnCheck KEV)
EPSS: 4.37% (90.1th percentile)
3CX DesktopApp through 18.12.416 has embedded malicious code, as exploited in the wild in March 2023. This affects versions 18.12.407 and 18.12.416 of the 3CX DesktopApp Electron Windows application shipped in Update 7, and versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 of the 3CX DesktopApp Electron macOS application.
Affected (4 ranges; version ranges and fixed versions not captured)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 3cx | 3cx | — | — |
Detection & IOCs (extracted from sources)
- Scan for the malicious ffmpeg.dll hash on the filesystem; the 3cxInjectionHunter script crawls the filesystem looking for instances of the infected ffmpeg.dll and reports a match to the malicious hash.
- Check the local DNS cache for matches against known malicious C2 domains associated with this campaign using the 3CXLocalDNSCacheHunter script.
- The second 3CXDesktopApp.exe inside the app-18.12.407 subfolder (not the root install path) is the one that sideloads the malicious ffmpeg.dll — differentiate by path and file size (142MB vs 541KB).
- Block or alert on all network connections to the listed actor-controlled C2 domains (akamaicontainer[.]com, akamaitechcloudservices[.]com, azuredeploystore[.]com, etc.) via web filtering or DNS sinkholes.
- Use Fortinet AV signatures W64/Agent.CFM!tr, OSX/Agent.CN!tr, and Riskware/Sphone_XC3 to detect the trojanized installer and DLL components.
- Check Point detections: Trojan-Downloader.Win.SmoothOperator and Trojan.Wins.SmoothOperator cover this threat in Threat Emulation and Harmony Endpoint.
- The GitHub repository hosting the ICO files with encrypted C2 strings has been taken down; second-stage payload delivery via this channel is no longer active for new infections.
- Only the Electron framework versions of the 3CX DesktopApp are affected (Windows 18.12.407 and 18.12.416; macOS 18.11.1213, 18.12.402, 18.12.407, and 18.12.416); Linux, Android, iOS, Chrome, PWA, 3CXHosted, and StartUP customers are not affected.
- The info stealer (third-stage payload) was only deployed in later stages against selected targets; not all compromised systems received the info stealer — it was likely used to identify interesting targets for the operators.
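As an added example (not code from this page or from any of the vendors it quotes), a small Python triage helper implementing two of the checks listed above: refanging the listed C2 domains and matching them against DNS names, and walking an install tree for an ffmpeg.dll with a known-bad hash and for the second 3CXDesktopApp.exe in the app-18.12.407 subfolder. The hash value is a placeholder and the DNS names are constructed.

```python
import hashlib
import os

# C2 domains exactly as listed (defanged) in the detection notes above.
C2_DOMAINS_DEFANGED = ["akamaicontainer[.]com", "akamaitechcloudservices[.]com", "azuredeploystore[.]com"]

# PLACEHOLDER hash: the real malicious ffmpeg.dll SHA-256 is not on this page.
KNOWN_BAD_FFMPEG_SHA256 = {"0" * 64}

# Constructed sample of names as they might come out of a DNS cache dump.
SAMPLE_DNS_NAMES = ["update.microsoft.com", "cdn.akamaicontainer.com", "azuredeploystore.com."]


def refang(domain):
    """Turn a defanged indicator like example[.]com back into example.com."""
    return domain.replace("[.]", ".").lower()


def match_dns_names(observed):
    """Return observed names equal to, or subdomains of, a listed C2 domain."""
    c2 = [refang(d) for d in C2_DOMAINS_DEFANGED]
    hits = []
    for name in observed:
        n = name.rstrip(".").lower()  # tolerate trailing-dot FQDNs
        if any(n == d or n.endswith("." + d) for d in c2):
            hits.append(name)
    return hits


def sha256_file(path):
    """Stream-hash a file so a 142MB binary does not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_install_dir(root):
    """Walk an install tree and return (finding, path) tuples: an ffmpeg.dll with a
    known-bad hash, and a 3CXDesktopApp.exe sitting in app-18.12.407 (not the root)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            if fn.lower() == "ffmpeg.dll" and sha256_file(p) in KNOWN_BAD_FFMPEG_SHA256:
                findings.append(("known-bad-ffmpeg-hash", p))
            if fn.lower() == "3cxdesktopapp.exe" and os.path.basename(dirpath) == "app-18.12.407":
                findings.append(("host-binary-in-versioned-subfolder", p))
    return findings
```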
CVSS provenance
- NVD (v3.1): 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 7.8 HIGH
GHSA
GHSA-m2q7-9c76-qc45 (ghsa_unreviewed · 2023-03-30) · CVE-2023-29059 [HIGH]
3CX DesktopApp through 18.12.416 has embedded malicious code, as exploited in the wild in March 2023. This affects versions 18.12.407 and 18.12.416 of the Electron Windows application shipped in Update 7, and versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 of the Electron macOS application.
VulnCheck
3CX DesktopApp through 18.12.416 Embedded Malicious Code (vulncheck · 2023 · CVSS 7.8 · CVE-2023-29059 [HIGH])
3CX DesktopApp through 18.12.416 has embedded malicious code, as exploited in the wild in March 2023. This affects versions 18.12.407 and 18.12.416 of the 3CX DesktopApp Electron Windows application shipped in Update 7, and versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 of the 3CX DesktopApp Electron macOS application.
Affected: 3cx 3cx
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/; https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/; https://www.cve.
No detection rules found.
No public exploits indexed.
Qualys
2023 Threat Landscape Year in Review: If Everything Is Critical, Nothing Is (blogs_qualys · 2023-12-19)
## Table of Contents
- 2023 Statistics
- 2023 Vulnerability Threat Landscape
- Top Vulnerability Types
- Key Insights
- Top MITRE ATT&CK Tactics & Techniques
- Most Active Threats
- Conclusion
As 2023 nears its end, it’s time to pause and reflect. It’s time to assess what worked and what didn’t, what caught our attention and caused disruption, and what went unnoticed. More importantly, we need to know what lessons we learned from 2023 so that we can do a better job of managing risk in the coming year. In line with this, the Qualys Threat Research Unit has prepared a comprehensive blog series to review the threat landscape in 2023.
Key Takeaways:
- Less than one percent of vulnerabilities contributed to the highest risk and were routinely exploited in the wild.
- 97 high-risk vulnerabilities, like
Qualys
Top 10 Exploited Vulnerabilities in 2023: Insights from the Qualys Survey | Qualys (blogs_qualys · 2023-09-26 · CVSS 7.8 · [HIGH])
## Table of Contents
- 7 Key Insights by the Qualys Threat Research Unit
- A Closer Look at the Top 10 Exploited Vulnerabilities of 2023
- Optimizing Risk Management with Qualys VMDR TruRisk Dashboard
- Next Steps: Reduce Your Risk to the Top 10 Vulnerabilities with Qualys VMDR
- Additional Contributors
The Qualys Threat Research Unit (TRU) has thoroughly analyzed vulnerabilities reported in 2023. Our comprehensive study assesses factors including weaponization status, existence in the CISA KEV, instances or usage of malware and ransomware, trending vulnerabilities, various scoring metrics, and recency of threats. Insights for the Top 10 vulnerabilities during 2023 are also based on evidence of exploitation, patch adoption rates, and the longevity of vulnerabilities.
## 7 Key Insights
Fortinet
Are Internet Macros Dead or Alive? | FortiGuard Labs (blogs_fortinet · 2023-04-12)
FORTIGUARD LABS THREAT RESEARCH
Are Internet Macros Dead or Alive?
By Hossein Jazi | April 12, 2023
Affected platforms: Windows
Impacted parties: Windows Users
Impact: Potential to deploy additional malware for additional purposes
Severity level: Medium
In early February of 2022, Microsoft announced that Internet Macros would be blocked by default to improve the security of Microsoft Office. According to their blog published in late Feb 2023, this change began rolling out in some update channels in April 2022. Other channels followed in July and October 2022, with the final rollout in January 2023.
Office uses a specific algorithm to determine whether to run macros in files from the Internet. The process starts by checking the file attribute. If it has a Mark of the Web (MOTW) attribu
Qualys
3CXDesktopApp Backdoored in a Suspected Lazarus Campaign (blogs_qualys · 2023-04-04 · CVSS 7.8 · [HIGH])
## Table of Contents
- Introduction
- Executive Summary
- Technical Summary
- Technical Analysis of Infection Stages
- Info Stealer Analysis
- Qualys Detection & Protection
- Conclusion
- MITRE TID Mapping
- IOCs
- Contributors
## Introduction
The attack involved a compromised version of the 3CX VoIP desktop client, which was used to target 3CX’s customers. The compromised 3CX application is a private automatic branch exchange (PABX) software and is available for Windows, macOS, Linux, Android, iOS and Chrome. Currently, there are reports of attacks for both Windows and macOS.
The Qualys Threat Research Unit (TRU) is tracking a supply chain compromise in a popular VoIP desktop client by 3CX that is attributed to DPRK nation-state adversaries. The attack was reported in late March 2023 and is an
Check Point
3rd April – Threat Intelligence Report (blogs_checkpoint · 2023-04-03 · CVSS 7.8 · CVE-2023-29059 [HIGH])
For the latest discoveries in cyber research for the week of 3rd April, please download our Threat_Intelligence Bulletin
TOP ATTACKS AND BREACHES
Both Windows and macOS versions of 3CXDesktopApp, a VoIP application of 3CX Communications Company, were compromised and used to distribute Trojanized versions in a large-scale supply chain attack. In this widespread campaign, dubbed SmoothOperator, threat actors have misused 3CX’s application with a malicious file that is loade
Fortinet
3CX Desktop App Compromised (CVE-2023-29059) | FortiGuard Labs (blogs_fortinet · 2023-03-30 · CVSS 7.8 · [HIGH])
FORTIGUARD LABS THREAT RESEARCH
By FortiGuard Labs | March 30, 2023
This is a developing story. Please check back for the latest updates from FortiGuard Labs. For a report of this event, please visit our Threat Signal Reports page.
On March 29, a number of reports surfaced that a legitimate signed file from VoIP/IP PBX solutions provider 3CX (3CXDesktop App) had been trojanized due to a code-level compromise. This is the latest high-profile supply chain attack, beginning with SolarWinds and Kaseya a few years ago. This issue has been assigned CVE-2023-29059.
3CXDesktop App is a multi-platform softphone application for desktops (Linux, MacOS, and Windows). The 3CXDesktop App allows users to interact via chat, messaging, video, and voice. Init
Tenable
3CX Desktop App for Windows and macOS Reportedly Compromised in Supply Chain Attack (blogs_tenable · 2023-03-30)
Fortinet
New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits (blogs_fortinet · 2022-03-30)
FORTIGUARD LABS THREAT RESEARCH
By Rotem Sde-Or and Eliran Voronovitch | March 30, 2022
During the past month, FortiEDR detected a campaign by Deep Panda, a Chinese APT group. The group exploited the infamous Log4Shell vulnerability in VMware Horizon servers. The nature of targeting was opportunistic insofar as multiple infections in several countries and various sectors occurred on the same dates. The victims belong to the financial, academic, cosmetics, and travel industries.
Following exploitation, Deep Panda deployed a backdoor on the infected machines. Following forensic leads from the backdoor led us to discover a novel kernel rootkit signed with a stolen digital certificate. We found that the sam
Fortinet
The Hunt for the Lost Soul: Unraveling the Evolution of the SoulSearcher Malware | FortiGuard Labs (blogs_fortinet · 2022-02-25)
FORTIGUARD LABS THREAT RESEARCH
By Rotem Sde-Or | February 25, 2022
A threat report published by Symantec in October 2021 recently caught our attention. It discusses an unknown threat actor conducting an espionage campaign in Southeast Asia using a new custom malware arsenal. What piqued our curiosity most was the mention of a DLL payload loaded from the registry that had yet to be discovered.
The reason the module was difficult to find became apparent after analyzing its loader. The module is stored as a compressed blob with a custom header in the registry. It is never written to disk, rendering it unlikely to appear in datasets like VirusTotal.
And so, we embarked on a journey to hunt for the lost modul
References
- https://cwe.mitre.org/data/definitions/506.html
- https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/
- https://www.3cx.com/blog/news/desktopapp-security-alert/
- https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/
- https://www.fortinet.com/blog/threat-research/3cx-desktop-app-compromised
- https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats