Article Details
Scrape Timestamp (UTC): 2023-12-15 17:33:15.795
Original Article Text
3CX warns customers to disable SQL database integrations
VoIP communications company 3CX warned customers today to disable SQL Database integrations because of risks posed by what it describes as a potential vulnerability.
Although the security advisory released today lacks any specific information regarding the issue, it advises customers to take preventive measures by disabling their MongoDB, MsSQL, MySQL, and PostgreSQL database integrations.
"If you're using an SQL Database integration it's subject potentially to a vulnerability - depending upon the configuration," 3CX's chief information security officer Pierre Jourdan said. "As a precautionary measure, and whilst we work on a fix, please follow the instructions below to disable it."
Jourdan explained that the security issue impacts only versions 18 and 20 of 3CX's Voice Over Internet Protocol (VOIP) software. Additionally, not all web-based CRM integrations are affected.
A post on the company's community website was shared earlier today, but the post is currently locked and no further replies are allowed. The post includes a link to the security advisory, but no additional information is provided.
March 2023 supply chain attack
In March, 3CX disclosed that its 3CXDesktopApp Electron-based desktop client was trojanized in a supply chain attack to distribute malware.
It took the company over a week to react to a stream of customer reports saying that the software had been tagged as malicious by several cybersecurity companies, including CrowdStrike, SentinelOne, ESET, Palo Alto Networks, and SonicWall.
As later discovered by cybersecurity firm Mandiant, the 3CX hack resulted from another supply chain attack that impacted the Trading Technologies stock trading automation company.
3CX says its Phone System has over 12 million daily users and is used by more than 350,000 businesses worldwide, including high-profile organizations and companies such as Air France, the UK's National Health Service, PepsiCo, American Express, Coca-Cola, IKEA, and multiple automakers. 3CX didn't reply to a request for comment when BleepingComputer reached out earlier today.
Daily Brief Summary
3CX, a VoIP communications company, has issued a warning to customers regarding a potential vulnerability affecting SQL database integrations.
Customers are advised to disable integrations with MongoDB, MsSQL, MySQL, and PostgreSQL databases as a precautionary measure until a fix is developed.
The security issue specifically impacts versions 18 and 20 of 3CX's Voice Over Internet Protocol (VOIP) software, and not all web-based CRM integrations are affected.
The company previously experienced a supply chain attack in March that resulted in the trojanization of their 3CXDesktopApp client, which was subsequently flagged as malicious by multiple cybersecurity firms.
3CX claims over 12 million daily users and 350,000 businesses worldwide that use their Phone System, including notable organizations such as Air France and PepsiCo.
At the time of the advisory, no further details have been released, and 3CX has not responded to media inquiries regarding the vulnerability.