What happened
CISA added CVE-2019-19006 to the Known Exploited Vulnerabilities (KEV) catalog on 2026-02-03, signaling observed exploitation in the wild [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog). The entry flags an improper authentication flaw in Sangoma FreePBX that can let an unauthorized user bypass password checks and access services provided by the FreePBX admin [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog). The vulnerability is categorized under CWE-287 (Improper Authentication), aligning with the CVE record and classification data [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2019-19006).
The affected product is Sangoma FreePBX as identified in the public CVE metadata and NVD product tagging [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2019-19006). The KEV listing sets a remediation due date of 2026-02-24 for federal agencies and instructs organizations to apply vendor mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog). The core issue is improper authentication logic, not credential compromise, per the CVE description and weakness mapping [MITRE CVE record](https://cveawg.mitre.org/api/cve/CVE-2019-19006).
Why it matters
Inclusion in KEV means CISA has sufficient evidence of active exploitation and mandates prioritized remediation timelines for government systems, which should inform enterprise urgency as well [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog). An authentication bypass on an administrative surface directly undermines the control plane of the PBX, enabling access to services exposed via the FreePBX admin as described in the KEV note [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog). When the failure mode is CWE-287, attackers can step around authentication rather than defeat credentials, which compresses dwell time between discovery and impact [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2019-19006).
The operational risk is straightforward: anything delegated to the FreePBX admin’s services becomes reachable to an unauthenticated actor when the bypass is triggered, per the KEV summary wording [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog). That risk calculus is heightened by the fact that this CVE is already in a “known exploited” state, indicating real adversary tradecraft rather than theoretical exposure [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog).
Technical detail
CVE-2019-19006 is mapped to CWE-287, an improper authentication class, which covers situations where the system does not properly verify the identity of a user, allowing unauthorized access paths [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2019-19006). The CVE record associates the vulnerability specifically with Sangoma FreePBX, and the description states the potential to bypass the password authentication and reach FreePBX admin-provided services [MITRE CVE record](https://cveawg.mitre.org/api/cve/CVE-2019-19006). In practice, this means the attack targets the authentication mechanism’s logic rather than brute-forcing or credential reuse, consistent with CWE-287 semantics referenced in the [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2019-19006).
Publicly available records for this CVE remain intentionally sparse on exploitation specifics, which is consistent with KEV entries that focus on actionable remediation rather than proof-of-concept details [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog). The authoritative CVE payload from MITRE also provides limited fields beyond the core vulnerability class and impacted product lineage, supporting a defend-first posture [MITRE CVE record](https://cveawg.mitre.org/api/cve/CVE-2019-19006).
Defense
CISA’s required action is unambiguous: apply mitigations per vendor instructions, adhere to applicable BOD 22-01 cloud guidance, or discontinue use if no mitigation is available [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog). Prioritize identification of all FreePBX deployments mapped to CVE-2019-19006 via software inventory and confirm against authoritative records before remediation planning [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2019-19006). Where patch or vendor mitigation is available, expedite change windows to restore correct authentication enforcement in line with CWE-287 remediation goals [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2019-19006).
If mitigations are not immediately available, CISA directs discontinuation of the product as a risk-acceptance boundary for federal systems, which is a strong signal to isolate or remove affected services until fixed [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog). Track the KEV remediation deadline of 2026-02-24 as a governance control to ensure closure is measurable and timely at the program level [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog). As an interim control, increase scrutiny on authentication events for the FreePBX admin service, because the threat centers on bypassing that specific check per the CVE [MITRE CVE record](https://cveawg.mitre.org/api/cve/CVE-2019-19006).
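The inventory match and deadline tracking described above can be scripted; the following is an added example, not code from CISA, Sangoma or the original article. The KEV record is constructed from the values quoted here using the field names of CISA's KEV JSON feed, and the inventory rows, host names and status values are hypothetical.

```python
from datetime import date

# Constructed record: field names follow CISA's KEV JSON feed, values are
# the ones quoted in this article.
KEV_ENTRY = {
    "cveID": "CVE-2019-19006",
    "vendorProject": "Sangoma",
    "product": "FreePBX",
    "dateAdded": "2026-02-03",
    "dueDate": "2026-02-24",
    "cwes": ["CWE-287"],
}

# Constructed inventory export; host names and status values are hypothetical.
INVENTORY = [
    {"host": "pbx-hq-01", "product": "FreePBX", "status": "mitigated"},
    {"host": "pbx-branch-02", "product": "freepbx", "status": "open"},
    {"host": "pbx-lab-03", "product": "FreePBX", "status": "decommissioned"},
    {"host": "mail-01", "product": "Postfix", "status": "open"},
]

# Statuses that count as closure under the KEV required action
# (vendor mitigation applied, or product taken out of service).
CLOSED = {"mitigated", "decommissioned"}


def kev_worklist(entry, inventory, today):
    """Return one row per in-scope asset with its state against the due date."""
    due = date.fromisoformat(entry["dueDate"])
    days_left = (due - today).days
    rows = []
    for asset in inventory:
        # Product-name match only: the article lists no affected versions, so
        # version scoping must come from the vendor advisory.
        if asset["product"].casefold() != entry["product"].casefold():
            continue
        if asset["status"] in CLOSED:
            state = "closed"
        else:  # any unrecognised status is treated as still exposed
            state = "overdue" if days_left < 0 else "open"
        rows.append({"host": asset["host"], "cve": entry["cveID"],
                     "state": state, "days_left": days_left})
    return rows


def closure_rate(rows):
    """Fraction of in-scope assets closed; 1.0 when nothing is in scope."""
    return sum(r["state"] == "closed" for r in rows) / len(rows) if rows else 1.0


if __name__ == "__main__":
    for row in kev_worklist(KEV_ENTRY, INVENTORY, date.today()):
        print(row)
```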
Lyrie Verdict
This is a classic control-plane weakness with confirmed in-the-wild exploitation, which shifts the burden from hunting to continuous enforcement on the authentication edge [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog). For anti-rogue-AI defense, operator speed must be machine speed: treat any admin-surface labeled as KEV-active as a preauthorized target for autonomous monitoring and response that validates authentication outcomes rather than just observing logins [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog). Lyrie prioritizes KEV-designated authentication-bypass classes (CWE-287) for automated detection and can enforce runtime policy to quarantine or block unauthenticated access flows until patched or decommissioned in accordance with CISA guidance [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2019-19006). The operational goal is simple: prevent any request from reaching FreePBX admin-provided services unless the authentication path is provably intact, closing the gap attackers exploit in this CVE [MITRE CVE record](https://cveawg.mitre.org/api/cve/CVE-2019-19006).