CVE-2023-49954

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in the 3CX CRM Integration component lets an attacker execute arbitrary SQL by supplying crafted values in the first name, search string, or email address fields that the integration passes into its database queries. Depending on the privileges of the database account, the attacker can read, modify, or delete database contents. Organizations running vulnerable 3CX versions with CRM Integration enabled are affected.

💻 Affected Systems

Products:
  • 3CX Phone System
Versions: v18 before 18.0.9.23; v20 before 20.0.0.1494
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with CRM Integration enabled. The vulnerability exists in the CRM Integration component specifically.

📦 What is this software?

3CX Phone System is a software PBX (VoIP and unified communications) that runs on Windows and Linux. Its CRM Integration component connects the PBX to external CRM products so that callers can be matched to CRM contact records; the lookups it performs by first name, email address, and free-text search are where this vulnerability lives.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the 3CX database, allowing data exfiltration, privilege escalation, and potential lateral movement to connected systems.

🟠 Likely Case

Unauthorized access to sensitive CRM data, including customer information, contact details, and potentially authentication credentials.

🟢 If Mitigated

Limited impact: with the database account restricted to least privilege and strict input checks in front of the CRM endpoints, a successful injection may be confined to reading data rather than modifying it.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

SQL injection is one of the most routinely exploited bug classes, and the fields involved here (first name, search string, email address) are ordinary data handed to the CRM Integration component. Note that a CVSS score of 9.8 corresponds to a vector with no privileges required, which is in tension with the "Unauthenticated Exploit: No" entry above; until you have confirmed how the CRM endpoints are exposed in your deployment, treat them as reachable without credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 18.0.9.23 or 20.0.0.1494

Vendor Advisory: https://www.3cx.com/blog/releases/v18-update-9-security/

Restart Required: Yes

Instructions:

1. Back up your 3CX configuration.
2. Update to 18.0.9.23 (for v18) or 20.0.0.1494 (for v20).
3. Restart the 3CX services.
4. Verify the update was successful (see How to Verify below).

🔧 Temporary Workarounds

Disable CRM Integration (all platforms)

Temporarily disable the vulnerable CRM Integration component until the fix is applied:
Navigate to 3CX Management Console > Settings > CRM Integration > Disable

Input validation rules (all platforms)

The vulnerable code belongs to the vendor, so operators cannot add validation inside the component itself. What they can do is put a web application firewall or reverse proxy in front of the CRM endpoints and enforce strict format and length rules on the first name, search, and email fields there, together with rules that block common SQL injection patterns. Treat this as a stopgap: signature-based WAF rules are routinely bypassed with encoding and alternative SQL syntax, and they do not substitute for the patch.
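Added illustration, written for this page rather than taken from 3CX (whose CRM Integration source is not reproduced here): the lookup below models the three fields the advisory names against a constructed in-memory SQLite contacts table. `lookup_vulnerable` concatenates the fields into the query text, which is the pattern behind the CVE, and leaks the schema through a UNION payload; `lookup_hardened` binds them as parameters and adds the format and length checks the workaround above calls for. Table, column names, regexes and payloads are all assumptions for the demonstration.

```python
"""Vulnerable vs. hardened CRM contact lookup.

Added illustration only: this is not 3CX code. It models the three
attacker-controlled fields named in the advisory (first name, email
address, search string) as inputs to a lookup against a constructed
in-memory SQLite contacts table.
"""
import re
import sqlite3

# Constructed sample data, not from any real deployment.
SAMPLE_CONTACTS = [
    ("Alice", "alice@example.com", "+15550100"),
    ("Bob", "bob@example.com", "+15550101"),
    ("Carol", "carol@example.net", "+15550102"),
]

# Format and length rules. Apostrophes are legitimate in names (O'Brien),
# so the name rule does not try to ban SQL metacharacters: binding does that.
NAME_RE = re.compile(r"[\w .'-]{1,64}")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (first_name TEXT, email TEXT, phone TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?)", SAMPLE_CONTACTS)
    return conn


def _build(clauses):
    sql = "SELECT first_name, email, phone FROM contacts"
    return sql + (" WHERE " + " AND ".join(clauses) if clauses else "")


def lookup_vulnerable(conn, first_name=None, email=None, search=None):
    """Pattern behind the CVE: user text is concatenated into the SQL string."""
    clauses = []
    if first_name is not None:
        clauses.append(f"first_name = '{first_name}'")
    if email is not None:
        clauses.append(f"email = '{email}'")
    if search is not None:
        clauses.append(f"(first_name LIKE '%{search}%' OR email LIKE '%{search}%')")
    return conn.execute(_build(clauses)).fetchall()


def lookup_hardened(conn, first_name=None, email=None, search=None):
    """Parameterised query plus input validation (defence in depth)."""
    clauses, params = [], []
    if first_name is not None:
        if not NAME_RE.fullmatch(first_name):
            raise ValueError("first name: unexpected characters or length")
        clauses.append("first_name = ?")
        params.append(first_name)
    if email is not None:
        if not EMAIL_RE.fullmatch(email):
            raise ValueError("email: not a well-formed address")
        clauses.append("email = ?")
        params.append(email)
    if search is not None:
        if not 1 <= len(search) <= 64:
            raise ValueError("search: bad length")
        # Escape LIKE wildcards so the caller cannot widen the match, then bind.
        esc = search.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
        clauses.append("(first_name LIKE ? ESCAPE '\\' OR email LIKE ? ESCAPE '\\')")
        params += [f"%{esc}%", f"%{esc}%"]
    return conn.execute(_build(clauses), params).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, first_name="' OR '1'='1"))       # every row
    print(lookup_vulnerable(db, first_name="' UNION SELECT name, sql, '' FROM sqlite_master --"))
    print(lookup_hardened(db, search="' OR '1'='1"))              # no rows
    print(lookup_hardened(db, first_name="O'Brien"))              # valid input, no match
```

The hardened version rejects the email payload before any query runs, and the same tautology payload in the search field is bound as a literal and matches nothing. The validation layer is deliberately about format and length rather than blacklisting quotes: a name such as O'Brien passes and is handled safely by the parameter binding.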

🧯 If You Can't Patch

  • Implement network segmentation to isolate the 3CX server from sensitive systems
  • Run the 3CX database account with least privilege (read-only where the integration only looks up contacts) so that a successful injection cannot alter or delete data
  • Enable detailed logging and monitoring for SQL injection attempts on CRM endpoints

🔍 How to Verify

Check if Vulnerable:

Check 3CX version in Management Console > Dashboard > System Information

Check Version:

On Linux: sudo /usr/sbin/3CXVersionTool | grep Version
On Windows: Services > 3CX PhoneSystem Management Console > Properties

Verify Fix Applied:

Confirm version is 18.0.9.23 or higher (for v18) or 20.0.0.1494 or higher (for v20)
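An added helper for that check, not a 3CX tool: it takes the version string read from the Management Console or the host and applies the two fixed builds above. It assumes the dotted-integer format shown on this page and compares integer tuples, because a plain string comparison gets the ordering wrong (as a string, "18.0.9.23" sorts before "18.0.9.9").

```python
"""Is this 3CX build vulnerable to CVE-2023-49954?

Added helper, not a 3CX tool. Input is the version string as displayed in
the Management Console (assumed format: up to four dotted integers).
"""
import sys
from typing import Tuple

# Fixed builds named in the vendor advisory, one per release branch.
FIXED_V18 = (18, 0, 9, 23)
FIXED_V20 = (20, 0, 0, 1494)


def parse_version(text: str) -> Tuple[int, ...]:
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    # Pad short strings so "18.0.9" compares as (18, 0, 9, 0).
    return tuple([int(p) for p in parts] + [0] * (4 - len(parts)))


def is_vulnerable(text: str) -> bool:
    v = parse_version(text)
    if v[0] >= 20:
        return v < FIXED_V20
    # "before 18.0.9.23" also covers anything older than the v18 branch.
    return v < FIXED_V18


if __name__ == "__main__":
    for arg in sys.argv[1:] or ["18.0.9.9", "18.0.9.23", "20.0.0.1493", "20.0.0.1494"]:
        print(arg, "VULNERABLE" if is_vulnerable(arg) else "fixed")
```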

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs (UNION, comment sequences, or tautologies such as OR 1=1 in query text)
  • Database syntax errors (unterminated strings, malformed queries) originating from CRM lookups, which typically accompany an attacker probing the injection point
  • Multiple failed login attempts via CRM Integration
  • Unexpected database schema changes

Network Indicators:

  • SQL injection patterns in HTTP requests to CRM endpoints
  • Unusual outbound database connections from 3CX server

SIEM Query:

source="3cx_logs" AND ("sql" OR "injection" OR ("crm" AND "error"))

AND binds tighter than OR in most SIEM query languages, so without the inner parentheses the original query matched any event containing "sql" or "injection" regardless of "error". This query keys on error text only; pair it with request-level matching on the CRM endpoint parameters, since a successful injection need not produce an error.
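Request-level matching of that kind, as an added example that is not 3CX code and does not assume 3CX's log format: the access-log layout, the endpoint path and the parameter names (firstname, email, search) are assumptions to be mapped onto the real request log, and the sample lines are constructed for the demonstration. The scanner decodes the watched parameters, applies coarse injection signatures, leaves legitimate apostrophes such as O'Brien unflagged, and counts flagged requests per source address for thresholding.

```python
"""Flag SQL-injection attempts against CRM lookup endpoints in web access logs.

Added example, not 3CX code and not 3CX's log format: the log layout,
endpoint path and parameter names below are assumptions. Adapt LOG_RE,
CRM_PATH_HINT and WATCHED_PARAMS to the real request log.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus, urlsplit

CRM_PATH_HINT = "crm"
WATCHED_PARAMS = {"firstname", "first_name", "email", "search", "q"}

# Request-line pattern for a combined-format access log (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# Coarse injection signatures for the three fields the advisory names.
PATTERNS = [
    (re.compile(r"'\s*(or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+", re.I), "tautology"),
    (re.compile(r"\bunion\s+(all\s+)?select\b", re.I), "union-select"),
    (re.compile(r"(--|/\*|#)"), "comment-sequence"),
    (re.compile(r";\s*(drop|delete|update|insert|alter)\b", re.I), "stacked-statement"),
    (re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\(|waitfor\s+delay", re.I), "time-based"),
]

# Constructed sample lines for the demonstration (RFC 5737 addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:10:01:02 +0000] "GET /crm/lookup?email=alice%40example.com HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2024:10:01:09 +0000] "GET /crm/lookup?firstname=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9021
203.0.113.7 - - [10/Jan/2024:10:01:15 +0000] "GET /crm/lookup?search=x%27%20UNION%20SELECT%20name%2Csql%2C1%20FROM%20sqlite_master-- HTTP/1.1" 500 233
198.51.100.4 - - [10/Jan/2024:10:02:00 +0000] "GET /static/app.js HTTP/1.1" 200 40211
198.51.100.4 - - [10/Jan/2024:10:02:30 +0000] "GET /crm/lookup?firstname=O%27Brien HTTP/1.1" 200 300
"""


def analyse_line(line):
    """Return a finding record for one log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    if CRM_PATH_HINT not in parts.path.lower():
        return None
    findings = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() not in WATCHED_PARAMS:
            continue
        for value in values:
            # parse_qs already decoded once; decoding again catches %2527-style
            # double encoding used to slip quotes past naive filters.
            decoded = unquote_plus(value)
            for rx, label in PATTERNS:
                if rx.search(decoded):
                    findings.append((name, label, decoded))
    if not findings:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": parts.path,
            "status": int(m.group("status")), "findings": findings}


def scan(lines):
    return [r for r in map(analyse_line, lines) if r]


def offenders(records):
    """Count flagged requests per source address, for alert thresholding."""
    return Counter(r["ip"] for r in records)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h["ts"], h["ip"], h["status"], h["findings"])
    print(offenders(hits))
```

On the sample lines, the tautology in the firstname field and the UNION probe in the search field are flagged (the latter with a 500 status, which is the error signal the SIEM query above keys on), while the legitimate email lookup and the O'Brien name are not. The signatures are deliberately coarse and will miss obfuscated payloads; the point is to alert on the combination of CRM endpoint, watched parameter and repeated hits from one address.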

🔗 References

  • Vendor advisory (3CX v18 Update 9 security release): https://www.3cx.com/blog/releases/v18-update-9-security/
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2023-49954