On July 15, 2022, Palo Alto Networks published a blog post, “Digium Phones Under Attack: Insight Into the Web Shell Implant”, warning of a high volume of malicious IP traffic targeting “Sangoma PBX” phone systems. The blog post references the vulnerability CVE-2021-45461, which was originally reported in Dec 2021, over 6 months ago.
Sangoma is a leading, global Communications as a Service (CaaS) provider and is the maintainer of the FreePBX PBX/UC system, which is released both as open source and as a commercial product, both supported by Sangoma.
The vulnerability mentioned in the above blog post was patched and secured by the Sangoma engineering team on Dec 22, 2021, days after the initial CVE was reported, and the customer notice was posted by Sangoma on its FreePBX documentation site as per Sangoma security policy. Furthermore, customers that enabled automatic security updates would have been patched without the need for any manual user intervention.
The blog post and the CVE it mentions apply only to unpatched and unsecured FreePBX/PBXact platforms and are NOT applicable to any other Sangoma product or service, or to Sangoma hardware phone products such as the S, D, and P series of phones. This includes the formerly branded Digium phones that work in conjunction with Sangoma PBX/UCaaS products.
Sangoma FreePBX/PBXact UCaaS cloud services are always up to date and patched for CVEs within days of notice. We encourage our customers and partners to diligently keep their FreePBX/PBXact UC systems up to date with published security patches in order to avoid being hacked.
Lastly, the blog post mentioned a third-party open source project called Elastix, which is not affiliated with Sangoma but made use of open source components of the FreePBX platform. Sangoma encourages anyone still running Elastix to migrate to the latest version of Sangoma-supported FreePBX using our easy-to-use migration tools, or to contact Sangoma support for further options.
Sangoma takes security very seriously and is transparent with our customers and partners on any reported or detected security vulnerabilities. The latest FreePBX security information can be found on the FreePBX wiki.