VoIP communications company 3CX has issued a warning to customers to disable SQL Database integrations due to potential vulnerabilities.
The security advisory released today advises customers to take preventive measures by disabling their MongoDB, MsSQL, MySQL, and PostgreSQL database integrations, although it does not provide specific information about the issue.
3CX’s chief information security officer Pierre Jourdan stated, “If you’re using an SQL Database integration it’s subject potentially to a vulnerability – depending upon the configuration.” He also urged customers to follow the instructions to disable it as a precautionary measure while the company works on a fix.
Jourdan explained that the security issue impacts only versions 18 and 20 of 3CX’s Voice over Internet Protocol (VoIP) software and that not all web-based CRM integrations are affected.
A post linking to the security advisory was also shared on the company’s community website earlier today, but it provides no additional information. The post is currently locked, and no further replies are allowed.
March 2023 supply chain attack
In March, 3CX revealed that its 3CXDesktopApp Electron-based desktop client was trojanized in a supply chain attack to distribute malware.
It took the company over a week to respond to reports that the software had been tagged as malicious by several cybersecurity companies. As later discovered by cybersecurity firm Mandiant, the 3CX hack resulted from another supply chain attack that impacted the Trading Technologies stock trading automation company.
3CX states that its Phone System has over 12 million daily users and is used by more than 350,000 businesses worldwide, including high-profile organizations and companies such as Air France, the UK’s National Health Service, PepsiCo, American Express, Coca-Cola, IKEA, and multiple automakers.
3CX did not respond to a request for comment when BleepingComputer reached out earlier today.