Sangoma FreePBX Remote Admin Authentication Bypass (CVE-2019-19006)
CVE-2019-19006 is an improper authentication vulnerability (CWE-287) in Sangoma FreePBX that allows remote unauthenticated attackers to bypass administrative authentication controls. This vulnerability is listed on CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Successful exploitation grants attackers full administrative access to the FreePBX VoIP management interface, enabling call interception, configuration tampering, toll fraud, and potential lateral movement into the broader network.
Vulnerability Intelligence
KEV — Known ExploitedAffected Software
- Vendor
- Sangoma
- Product
- FreePBX
Weakness (CWE)
Timeline
- Disclosed
- February 3, 2026
CVSS
What is CVE-2019-19006 Sangoma FreePBX Remote Admin Authentication Bypass (CVE-2019-19006)?
Sangoma FreePBX Remote Admin Authentication Bypass (CVE-2019-19006) (CVE-2019-19006) maps to the Initial Access and Privilege Escalation and Credential Access tactics — the adversary is trying to get into your network in MITRE ATT&CK.
This page provides production-ready detection logic for Sangoma FreePBX Remote Admin Authentication Bypass (CVE-2019-19006), covering the data sources and telemetry it touches: CommonSecurityLog, W3CIISLog, AzureDiagnostics, Web Application Firewall logs. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
let FreePBXAdminPaths = dynamic(['/admin/config.php', '/admin/ajax.php', '/admin/modules/', '/admin/page.php']);
let SuspiciousStatusCodes = dynamic([200, 302]);
union CommonSecurityLog, W3CIISLog, AzureDiagnostics
| where TimeGenerated >= ago(24h)
| where isnotempty(RequestURL) or isnotempty(csUriStem)
| extend UrlPath = coalesce(RequestURL, csUriStem, '')
| where UrlPath has_any (FreePBXAdminPaths)
| extend StatusCodeInt = toint(coalesce(tostring(EventOutcome), tostring(scStatus), ''))
| where StatusCodeInt in (SuspiciousStatusCodes)
| extend SourceIPAddr = coalesce(SourceIP, cIp, CallerIpAddress)
| extend UserAgent = coalesce(RequestClientApplication, csUserAgent, '')
| summarize
RequestCount = count(),
DistinctPaths = make_set(UrlPath, 50),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by SourceIPAddr, UserAgent, bin(TimeGenerated, 5m)
| where RequestCount >= 1
| extend AlertSeverity = iff(RequestCount > 10, 'High', 'Medium')
| project TimeGenerated, SourceIPAddr, UserAgent, RequestCount, DistinctPaths, FirstSeen, LastSeen, AlertSeverityDetects HTTP requests targeting FreePBX administrative endpoints that may indicate authentication bypass exploitation. Looks for successful responses to admin panel paths from potentially unauthenticated sessions.
Data Sources
Required Tables
False Positives
- Legitimate administrators accessing the FreePBX admin panel from known IP ranges
- Automated health monitoring tools probing admin endpoints
- Security scanners or vulnerability assessment tools in authorized engagements
- Load balancers or reverse proxies forwarding legitimate admin traffic
Sigma rule & cross-platform mapping
The detection logic for Sangoma FreePBX Remote Admin Authentication Bypass (CVE-2019-19006) (CVE-2019-19006) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
category: network_connection
product: windowsBrowse the community-maintained Sigma rules for this technique:
Platform-specific guides for CVE-2019-19006
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Unauthenticated FreePBX Admin Panel Access Probe
Expected signal: Web server access log entry showing GET /admin/config.php returning HTTP 200 with no prior authenticated session POST to login endpoint. No Set-Cookie with valid session token in prior requests.
- Test 2FreePBX Admin AJAX Endpoint Enumeration Without Auth
Expected signal: Multiple HTTP GET requests to /admin/ajax.php with varying query parameters from the same source IP within a short time window. Response codes of 200 indicate the endpoints are reachable without authentication.
- Test 3FreePBX Unauthorized Admin Account Creation Simulation
Expected signal: HTTP POST to /admin/config.php with user creation parameters visible in request body. If exploitation succeeds, FreePBX audit logs should show a new user account creation without a corresponding prior admin login. MySQL binary logs capture INSERT into user tables.
- Test 4Network Scan for Exposed FreePBX Admin Interfaces
Expected signal: Network scan traffic visible in IDS/IPS logs and firewall flow logs. HTTP probes to /admin/ path generate web server access log entries. Port scan signatures may trigger on receiving host if endpoint detection is installed.
Unlock Pro Content
Get the full detection package for CVE-2019-19006 including response playbook, investigation guide, and atomic red team tests.