April 10, 2023

3CX Desktop App Critical Vulnerability Alert

David Summers
Microsoft Azure Lead at Data#3 Limited
The Australian Cyber Security Centre has issued a warning about a new supply chain attack that has targeted a software company that provides VOIP softphone desktop capability. The provider’s own supply chain was compromised by a state-sponsored threat actor group, resulting in successful manipulation of the 3CX installation software and subsequent updates to the application.

It is crucial to note that updating the desktop app, available for both Windows and MacOS, could expose it to the updated vulnerable version of the app. Thus, ACSC advises removing any and all versions of the 3CX desktop application immediately. For customers that require VOIP capability, the web version of the service can be utilized until 3CX resolves the supply chain attack and returns to normal operations.

Security researchers have identified a 7-day delay with the affected software before vulnerabilities are opened and triggered. Thus, if there are any installed and affected versions of the app in your environment, your security teams and systems may not detect activity until the 7-day period has elapsed.

It is recommended that customers consult their security software vendors for advice and ensure their endpoint protection solutions are capable of detecting and preventing threat activity triggered by the affected versions of the 3CX software product.

We urge all customers who may have installed the 3CX desktop application to take immediate action to mitigate the risks posed by this attack.


ACSC Advice

Supply chain compromise of 3CX DesktopApp | Cyber.gov.au


We’re here to help

Data#3 has a wealth of experience in cyber security domains including vulnerability management, penetration testing, next-gen firewalls, intrusion prevention, security architecture and advisory, controls and compliance assessments, and Managed Security services, including SOC. Our full suite of security products and services can be found here.

If you require any assistance with managing CVE-2021-44228 vulnerability, please reach out to a cyber security specialist or contact your Data#3 account manager.