CVE-2026-46376: FreePBX Hard-Coded Credentials Open VoIP Portals

CVE-2026-46376 in FreePBX hardcodes setup credentials in the User Control Panel, letting unauthenticated attackers access phone systems and commit toll fraud.

FreePBX left sample login credentials baked into its setup templates — and those credentials are now a publicly filed CVE that lets anyone walk into the phone system portals of hundreds of thousands of businesses without a password.

CVE-2026-46376: Hard-Coded UCP Credentials Allow Unauthenticated FreePBX Portal Access

CVE-2026-46376 (CVSS 9.1, Critical) is a hard-coded credential vulnerability in FreePBX’s User Control Panel (UCP). Sample credentials embedded in the generic UCP template during the initial setup process are never removed from the system, leaving them active as a permanent backdoor into user portals. Any unauthenticated attacker who knows the default credentials — which are now publicly documented through the CVE filing — can bypass authentication entirely.

Patches are available: FreePBX 16 should be updated to version 16.0.45 or later; FreePBX 17 should be updated to version 17.0.7 or later. No active exploitation was reported at the time of disclosure, but hard-coded credential vulnerabilities historically attract rapid exploitation following CVE publication, because no technical barrier separates CVE disclosure from immediate weaponization.

Why Hard-Coded Credentials Require No Attack Development

Hard-coded credential vulnerabilities occupy a unique position in the severity spectrum: they require no reverse engineering, no brute force, and no social engineering. An attacker uses the published default credentials, which become publicly available the moment a CVE is filed. There is no technical challenge to overcome — the vulnerability description itself provides everything needed for exploitation.

This is distinct from vulnerabilities that require exploit development, where a window typically exists between CVE publication and weaponization. For hard-coded credentials, the gap between disclosure and exploitability is zero. The only factor separating vulnerable systems from compromised ones is whether an attacker has attempted access.

The FreePBX Attack Surface: Hundreds of Thousands of Business Phone Systems

FreePBX is one of the most widely deployed open-source VoIP and IP PBX platforms globally, powering telephone systems for hundreds of thousands of small and medium businesses, call centers, educational institutions, and government offices. It operates as infrastructure that IT teams configure during setup and rarely revisit — making it a category of system where unpatched deployments are common long after patches are issued.

Toll Fraud: The Immediate Monetization Path for FreePBX Compromise

Successful exploitation of CVE-2026-46376 enables unauthorized account access, exposure of call detail records and voice communications metadata, and manipulation of user routing and interactive voice response (IVR) configurations. The most immediately damaging consequence, however, is toll fraud: an attacker with access to a compromised PBX can initiate international calls charged to the victim organization’s account. Toll fraud via compromised VoIP infrastructure is a well-established criminal business representing billions in annual losses globally.

FreePBX systems are frequently connected to SIP trunking providers that authorize call charges against the subscribing organization. A few hours of unauthorized international call traffic can generate thousands of dollars in charges before the fraud is detected. VoIP systems sit at the intersection of corporate communications infrastructure and direct financial exposure, making them disproportionately valuable targets relative to the effort required to exploit them when default credentials are available.

Auditing FreePBX Deployments Across Affected Versions

Organizations running FreePBX 16 or 17 should verify their current version and apply available patches. Deployments where the UCP setup process was completed without subsequent credential rotation are particularly at risk. The scope of FreePBX’s global deployment — across SMB, education, and government sectors — means the exposed attack surface is large relative to the historical patching behavior of the organizations running it.
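A small triage script, added here and not taken from the advisory or the FreePBX project, that compares each host's reported version against the fixed versions named above (16.0.45 and 17.0.7). It assumes the version string is whatever `fwconsole --version` or the admin UI banner reports; the hostnames and versions in the sample inventory are constructed.

```python
"""Triage FreePBX hosts for CVE-2026-46376 by reported version number."""
import re
from typing import Dict, Optional, Tuple

# Fixed versions from the advisory: FreePBX 16 -> 16.0.45, FreePBX 17 -> 17.0.7
FIXED_VERSIONS: Dict[int, Tuple[int, ...]] = {16: (16, 0, 45), 17: (17, 0, 7)}


def parse_version(text: str) -> Tuple[int, ...]:
    """Pull a dotted version such as 16.0.40.11 out of a banner string.
    Assumed input: the output of `fwconsole --version` or the admin UI."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the host is on an affected branch and older than the fix,
    False if it is at or past the fixed version, None if the major
    version is outside the advisory's scope (16 and 17 only)."""
    version = parse_version(text)
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return None
    # Tuple comparison handles 4-part builds: (16,0,40,11) < (16,0,45)
    # is True, while (16,0,45,2) < (16,0,45) is False.
    return version < fixed


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Label each {host: version_string} entry for the patch queue."""
    labels = {True: "PATCH NOW", False: "patched", None: "out of scope"}
    return {host: labels[is_vulnerable(ver)] for host, ver in inventory.items()}


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "pbx-hq.example.internal": "FreePBX Framework 16.0.40.11",
    "pbx-branch.example.internal": "17.0.7",
    "pbx-lab.example.internal": "FreePBX 17.0.6.2",
    "pbx-legacy.example.internal": "15.0.37",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:30} {status}")
```

A host that reports a fixed version still needs the follow-up the paragraph above describes: confirm the UCP setup credentials were rotated, since the version number alone does not show that.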
