3CX: 3CX Phone Management System (Windows): Local Privilege Escalation in Version 18
CWE-426
Untrusted Search Path
—
Summary
Per Praetorian’s blog: “During our analysis we did not identify any unauthenticated remote code execution vulnerabilities. However, we did identify a local privilege escalation vulnerability impacting the Windows version of the application and also identified a post-authentication arbitrary file read vulnerability within the management console. In this case, an attacker with access as an unprivileged local user on the system could exploit this vulnerability to elevate privileges to NT AUTHORITY\SYSTEM.”
Affected Packages / Versions
- Package: 3CX Phone System (—)
- Latest published version at triage time: 3CX Phone System V18 (per Praetorian's blog)
- Affected range: Per Praetorian's blog: "this vulnerability only impacts version 18 of the application"
- Patched version: Per Praetorian's blog: "This vulnerability has been remediated in Version 20 Update 1 and all subsequent versions of the 3CX application."
Impact
Per Praetorian’s blog: an unprivileged local user on a Windows host running 3CX V18 can escalate to SYSTEM. The blog also notes: “The Linux version of the application also allowed attackers to execute code within the PostgreSQL process. However, on Linux, the permissions associated with the PostgreSQL service account were more restricted and thus didn’t allow for immediate privilege escalation to root.” Praetorian observed “over two-hundred thousand instances” of the 3CX Phone System Management Console on Shodan.
Severity Rationale
Per the Praetorian cve-research listing: CVSS 7.8 (High). NVD record was not present at fetch time. Reviewer should confirm the score source before publication.
Fix
Per Praetorian’s blog: upgrade to 3CX Version 20 Update 1 or later.
Disclosure timeline
- TBD: Reported to vendor
- TBD: Patch released (3CX V20 Update 1)
- TBD: Public disclosure
Fix Commit(s)
References
Discovered by Praetorian Labs · Published April 29, 2026