CVE-2019-19006
CRITICAL KEV
Sangoma FreePBX <115.0.16.26, <14.0.13.11, <13.0.197.13 - Info Disc...
Title source: llm
Exploitation Summary
CVE-2019-19006 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added February 3, 2026.
Description
Sangoma FreePBX 115.0.16.26 and below, 14.0.13.11 and below, 13.0.197.13 and below have Incorrect Access Control.
References (6)
Core References
Product x_refsource_misc
https://www.freepbx.org/category/blog/
Vendor Advisory x_refsource_confirm
https://wiki.freepbx.org/display/FOP/2019-11-20+Remote+Admin+Authentication+Bypass
Vendor Advisory x_refsource_misc
https://community.freepbx.org/t/freepbx-security-vulnerability-sec-2019-001/62772
Broken Link x_refsource_misc
https://pastebin.com/2CdsQMKW
Exploit, Third Party Advisory
https://research.checkpoint.com/2020/inj3ctor3-operation-leveraging-asterisk-servers-for-monetization/
US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-19006
Scores
CVSS v3
9.8
EPSS
0.2164
EPSS Percentile
95.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
active
Automatable
yes
Technical Impact
total
Details
CISA KEV
2026-02-03
VulnCheck KEV
2020-11-05
InTheWild.io
2020-11-05
ENISA EUVD
EUVD-2019-8659
CWE
CWE-287
Status
published
Products (1)
sangoma/freepbx
13.0.0.0 - 13.0.197.13
Published
Nov 21, 2019
KEV Added
Feb 03, 2026
Tracked Since
Feb 18, 2026