Threat Advisory

FreePBX Vulnerability Exposes User Control Panel Access

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

CVE-2026-46376 (CVSS score 9.1) is a critical vulnerability in the open-source IP PBX platform FreePBX. It affects the User Control Panel (UCP) interface and is caused by hard-coded credentials in the userman module. The issue impacts FreePBX versions before 16.0.45 and 17.0.7 and allows unauthenticated attackers to access user portals through the UCP interface. The vulnerability stems from hard-coded sample credentials embedded in the UCP generic template during the setup process; these credentials remain active if administrators do not change the defaults after initialization. Attackers need no prior access, privileges, or user interaction to exploit the issue, which makes it highly dangerous in exposed environments. Successful exploitation grants unauthorized access to user accounts via the UCP interface and enables manipulation of user settings and configurations. The vulnerability has a high impact on confidentiality and integrity but does not directly affect system availability. The attack vector is network-based and low-complexity, requires no authentication, and applies to systems running outdated versions where administrators have not changed the default credentials during initial configuration.


RECOMMENDATION:

  • We recommend updating FreePBX to version 16.0.45 or 17.0.7, or later, and verifying that the default sample credentials created during UCP setup have been changed.
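The following is an added example, not part of the advisory or of the FreePBX project, for triaging an inventory of FreePBX installations against the fixed releases named above (16.0.45 and 17.0.7). It compares version strings per release branch and reports hosts that still run an older build; it does not inspect the installation itself, and the host names and versions in the sample inventory are constructed. Branches the advisory does not name (for example 15.x) are returned as "unknown" rather than guessed at, which is an assumption of this example.

```python
"""Version triage for CVE-2026-46376 (hard-coded UCP credentials in FreePBX userman).

Added example, not from the advisory or the FreePBX project. It answers only
"is this version older than the fixed release for its branch?"; checking that
the sample credentials were actually changed still has to happen on the host.
"""
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases named in the advisory, keyed by major (branch) version.
FIXED_RELEASES: Dict[int, Tuple[int, ...]] = {16: (16, 0, 45), 17: (17, 0, 7)}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '16.0.44' or 'v17.0.6.1' into a comparable tuple of ints.

    Any trailing suffix such as '-rc1' is ignored (assumption: the leading
    dotted components are numeric, which is how FreePBX versions are written).
    """
    match = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version: str) -> Optional[bool]:
    """True if the version predates the fixed release of its branch,
    False if it is at or above the fix, None for a branch the advisory
    does not list (treat those as 'confirm with the vendor')."""
    parts = parse_version(version)
    fixed = FIXED_RELEASES.get(parts[0])
    if fixed is None:
        return None
    # Pad short strings so that '16.0' compares like '16.0.0'; extra
    # trailing components (e.g. '17.0.6.1') are ignored for the comparison.
    padded = parts + (0,) * (len(fixed) - len(parts))
    return padded[: len(fixed)] < fixed


# Constructed sample inventory (hostnames and versions are not real).
SAMPLE_INVENTORY: Dict[str, str] = {
    "pbx-a.example.internal": "16.0.44",
    "pbx-b.example.internal": "16.0.45",
    "pbx-c.example.internal": "17.0.6.1",
    "pbx-d.example.internal": "17.0.7",
    "pbx-e.example.internal": "15.0.38",
}


def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Hosts whose version is below the fix for their branch."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver) is True)


def unknown_hosts(inventory: Dict[str, str]) -> List[str]:
    """Hosts on a branch the advisory gives no fixed release for."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver) is None)


if __name__ == "__main__":
    print("needs update:", affected_hosts(SAMPLE_INVENTORY))
    print("unlisted branch:", unknown_hosts(SAMPLE_INVENTORY))
```

Run it against your own inventory by replacing `SAMPLE_INVENTORY`; hosts in the "needs update" list should be patched, and hosts on an unlisted branch should be checked against the vendor's release notes rather than assumed safe.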

REFERENCES:

The following reports contain further technical details:
https://cybersecuritynews.com/freepbx-vulnerability/
