Sangoma Switchvox CVE-2026-9587
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable authenticated endpoint (PR:L) with low complexity yields high confidentiality file disclosure only; no integrity or availability impact and no scope change.
Primary rating from Vendor (SRA).
CVSS VectorVendor: SRA
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
An authenticated local file inclusion vulnerability exists in Sangoma Switchvox SMB Edition 8.3 (104997). The play_file functionality accepts user-controlled input through the sound_path parameter and fails to properly validate file paths before accessing the underlying filesystem. By supplying absolute paths, an authenticated attacker can retrieve files outside the intended directory scope.
AnalysisAI
Arbitrary file read in Sangoma Switchvox SMB Edition 8.3 (build 104997) allows an authenticated user to disclose sensitive files anywhere on the appliance filesystem. The play_file functionality trusts the user-controlled sound_path parameter and fails to validate paths, so supplying an absolute path escapes the intended sound directory. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated session on Sangoma Switchvox SMB Edition 8.3 (CVSS PR:L confirms a low-privileged account is needed) and network access to the web interface exposing the play_file functionality. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N, base 7.1) is internally consistent with the description: network-reachable, low complexity, requiring low privileges (PR:L, i.e. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with any low-privileged Switchvox account (or one obtained via phishing/credential reuse) sends a crafted request to the play_file functionality setting sound_path to an absolute path such as /etc/passwd or an application configuration file. The server reads and returns the file contents, letting the attacker harvest credentials, keys, or configuration to enable further compromise. … |
| Remediation | Patch available per vendor advisory: apply the fix described in Sangoma's GitHub security advisory GHSA-mhp4-x83p-phh2 (https://github.com/sangoma/security-switchvox/security/advisories/GHSA-mhp4-x83p-phh2); no exact fixed build number is given in the provided data, so confirm the patched version directly with Sangoma before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Switchvox SMB Edition 8.3 instances and disable unnecessary administrator and user accounts to reduce attack surface. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Switchvox Smb Edition
View allUnauthenticated SQL injection in Sangoma Switchvox SMB Edition 8.3 (build 104997) lets remote attackers execute arbitrar
Reflected cross-site scripting in Sangoma Switchvox SMB Edition 8.3 (build 104997) lets an unauthenticated remote attack
Stored cross-site scripting in Sangoma Switchvox SMB Edition 8.3 (build 104997) lets an authenticated user inject persis
Same weakness CWE-73 – External Control of File Name or Path
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today