Skip to main content

Sangoma Switchvox CVE-2026-45362

| EUVDEUVD-2026-29354 LOW
Cleartext Storage of Sensitive Information (CWE-312)
2026-05-12 mitre GHSA-cxjw-p2qh-7hv8
3.2
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.2 LOW
AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
May 12, 2026 - 02:16 EUVD
Analysis Generated
May 12, 2026 - 01:30 vuln.today
CVE Published
May 12, 2026 - 00:40 nvd
LOW 3.2

DescriptionCVE.org

Sangoma Switchvox before 8.4 places cleartext SIP authentication credentials in a backup file.

AnalysisAI

Sangoma Switchvox before version 8.4 stores SIP authentication credentials in cleartext within backup files, allowing local attackers with physical or filesystem access to recover credentials with low complexity. This information disclosure vulnerability affects systems using the default backup functionality and has a publicly documented proof-of-concept exploit available on GitHub.

Technical ContextAI

Sangoma Switchvox is a VoIP PBX system that uses the Session Initiation Protocol (SIP) for call signaling and authentication. The vulnerability stems from improper credential handling during backup file generation - specifically, the backup archive (.svb files based on POC repository naming) retains SIP authentication credentials in plaintext format rather than encrypting or redacting them. CWE-312 (Cleartext Storage of Sensitive Information) classifies this root cause: sensitive data (authentication credentials) is persisted to storage media without encryption. An attacker with access to backup files can trivially extract these credentials and impersonate legitimate SIP endpoints or authenticate as system users.

RemediationAI

Vendor-released patch: Upgrade Sangoma Switchvox to version 8.4 or later, which remediates cleartext credential storage in backups. For organizations unable to immediately upgrade, implement compensating controls: restrict filesystem access to backup directories using operating system-level permissions (limit to backup service account only, remove world-readable bits); encrypt backup files using AES-256 or equivalent at rest using the host OS or backup software encryption (trade-off: increases CPU overhead during backup/restore, requires secure key management); disable automated backups temporarily and perform manual encrypted backups to isolated, air-gapped storage; regularly audit backup file permissions and access logs using tools like auditd (Linux) or Windows File Auditing to detect unauthorized access. If backups are transported over the network, enforce TLS 1.2+ for all transfers. For existing backups created before patching, regenerate them after upgrading to avoid lingering exposure. See Sangoma advisory at https://github.com/sangoma/security-switchvox/security/advisories/GHSA-mfm3-g35x-c9w8 for detailed patching instructions.

Share

CVE-2026-45362 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy