Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
FreePBX is an open source IP PBX. From 15.0.42 to before 16.0.45 and 17.0.7, unauthenticated users may be able to access the User Control Panel (UCP) using hard-coded initial template credentials if these were not immediately changed by the Administrator who enabled UCP. Authenticated access to ACP is required for the initial setup of UCP generic templates, but after that, without further steps by the admin, unauthenticated users may be able to gain access. This vulnerability is fixed in 16.0.45 and 17.0.7.
AnalysisAI
Authentication bypass in FreePBX User Control Panel (UCP) versions 15.0.42 through 16.0.44 and 17.0.0 through 17.0.6 allows remote unauthenticated attackers to access UCP accounts using hard-coded initial template credentials when administrators fail to rotate them after enabling the feature. With a CVSS 4.0 score of 9.3 and CWE-798 (Use of Hard-coded Credentials), the flaw exposes high-confidentiality and high-integrity impact to the affected component, though no public exploit identified at time of analysis.
Technical ContextAI
FreePBX is a widely deployed open-source GUI front-end for the Asterisk VoIP/PBX engine, used to manage telephony, voicemail, IVR, and user features. The vulnerable component is the User Control Panel (UCP), the end-user web portal allowing users to manage their voicemail, call recordings, contacts, and call routing. CWE-798 (Use of Hard-coded Credentials) is the root cause: the initial UCP generic template ships with fixed credentials that are configured during ACP setup but persist as a valid login path until an administrator explicitly rotates or removes them. Because the credentials are static and known (or discoverable via source code), any party reaching the UCP login can authenticate as the template user. The affected CPE is cpe:2.3:a:freepbx:security-reporting:*, corresponding to FreePBX's security-reporting module that issued the advisory.
RemediationAI
Vendor-released patches are available in FreePBX 16.0.45 and 17.0.7, and operators should upgrade to one of these versions immediately following the GitHub Security Advisory at https://github.com/FreePBX/security-reporting/security/advisories/GHSA-m55x-h47x-v3gx. Administrators on 15.x should plan migration to a fixed branch since no 15.x fix is named in the advisory. As a workaround pending the upgrade, administrators should disable UCP via the FreePBX Module Admin (which removes the end-user portal feature for all users), or, if UCP must remain enabled, immediately rotate or delete the initial UCP generic template credentials provisioned during ACP setup and audit existing UCP user accounts for unauthorized additions; additionally, restrict UCP web access to trusted internal networks via reverse-proxy ACLs or firewall rules, accepting that this prevents legitimate remote user portal access until the patch is applied.
More in Security Reporting
View allSame weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33295