CVE-2023-49954: SQL Injection Flaw in 3CX CRM Integration

A critical security flaw has been discovered in 3CX’s VoIP software, prompting the company to urge customers to disable their CRM integrations immediately. While details remain under wraps, the potential for a data breach looms large.

An attacker who can supply input to the integration could inject SQL into the queries it runs against the customer database, exposing names, email addresses and other sensitive records through the very tooling meant to streamline the business.

The vulnerability, tracked as CVE-2023-49954, resides in the way 3CX handles user input in its CRM integration templates. These templates, used for connecting to various databases, contain placeholders such as [FirstName], [SearchText] and [Email]. The values substituted for these placeholders are not sanitized, so attacker-controlled input becomes part of the SQL text sent to the database, which is what allows the injection.
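To make the mechanism concrete, the following is an added example written for this article; it is not code from 3CX or from the researcher's write-up. It models the pattern described above in Python against an in-memory SQLite table: a lookup template with bracketed placeholders that is filled by raw text substitution (the vulnerable pattern), beside a hardened version that compiles the same placeholders into bound parameters so the driver treats every value as data. The contacts table, the templates, the placeholder names beyond those the article lists, and the helper functions are all constructed assumptions for illustration and do not reproduce 3CX's actual integration code.

```python
import re
import sqlite3

# Constructed sample data standing in for a CRM contacts table (not real records).
SAMPLE_CONTACTS = [
    ("Alice", "alice@example.com"),
    ("Bob", "bob@example.com"),
    ("O'Brien", "obrien@example.com"),
]

# Hypothetical lookup templates in the style the article describes: SQL text with
# bracketed placeholders that the integration fills in from caller-supplied data.
SEARCH_TEMPLATE = "SELECT name, email FROM contacts WHERE name = '[SearchText]'"
MATCH_TEMPLATE = (
    "SELECT name, email FROM contacts "
    "WHERE name = '[FirstName]' AND email = '[Email]'"
)

# Matches a placeholder, together with any quotes the template author wrapped
# around it, so the hardened path can replace the whole token with a bind marker.
PLACEHOLDER = re.compile(r"'?\[(\w+)\]'?")


def make_db():
    """Create an in-memory SQLite database populated with the sample contacts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?)", SAMPLE_CONTACTS)
    return conn


def run_unsafe(conn, template, values):
    """Vulnerable pattern: each placeholder is replaced by the raw value, so the
    caller's input is parsed as part of the SQL grammar rather than as data."""
    sql = template
    for name, value in values.items():
        sql = sql.replace(f"[{name}]", str(value))
    return conn.execute(sql).fetchall()


def compile_template(template, values):
    """Hardened pattern: rewrite every placeholder (and its surrounding quotes)
    into a '?' bind marker and return the SQL plus the parameter tuple in the
    order the placeholders appear."""
    names = []

    def to_param(match):
        names.append(match.group(1))
        return "?"

    sql = PLACEHOLDER.sub(to_param, template)
    return sql, tuple(values[name] for name in names)


def run_safe(conn, template, values):
    """Execute the template with bound parameters; the database never sees the
    value as SQL text, so quotes or keywords inside it cannot alter the query."""
    sql, params = compile_template(template, values)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # A legitimate name containing an apostrophe breaks the unsafe path outright.
    try:
        run_unsafe(conn, SEARCH_TEMPLATE, {"SearchText": "O'Brien"})
    except sqlite3.OperationalError as err:
        print("unsafe path, ordinary input:", err)
    print("safe path, ordinary input:  ",
          run_safe(conn, SEARCH_TEMPLATE, {"SearchText": "O'Brien"}))
    # Input that changes the WHERE clause returns every row on the unsafe path
    # and nothing on the safe path, because it is compared literally as a name.
    crafted = "x' OR '1'='1"
    print("unsafe path, crafted input: ",
          run_unsafe(conn, SEARCH_TEMPLATE, {"SearchText": crafted}))
    print("safe path, crafted input:   ",
          run_safe(conn, SEARCH_TEMPLATE, {"SearchText": crafted}))
```

The point of the contrast is that sanitizing individual values is not the fix; the fix is never letting a value become SQL text. `compile_template` shows the general case (any number of placeholders, quoted or not) rather than a single hard-coded query, and the same rewrite works for templates like the two-placeholder `MATCH_TEMPLATE` above. Until a vendor patch applies that kind of change, the article's advice to disable the integration removes the query path entirely.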

In a blog post, the researcher who reported the flaw describes in detail how CVE-2023-49954 can be exploited.

“If you’re using an SQL Database integration it’s subject potentially to a vulnerability – depending upon the configuration,” 3CX’s chief information security officer Pierre Jourdan said. “As a precautionary measure, and whilst we work on a fix, please follow the instructions below to disable it.”

Versions 18 and 20 of 3CX’s software are affected, potentially exposing hundreds of thousands of businesses. While 3CX states that only 0.25% of its user base uses CRM integrations, that fraction of such a large installed base still represents a significant number of potentially exposed systems.

A fix is on the way, but until it ships the mitigation is to remove the vulnerable code path: 3CX urges users to disable their CRM integrations immediately by setting the CRM solution to “None” in their settings.