
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A directory traversal vulnerability was discovered in 3CX Phone Management System version 18, identified as CVE-2022-28005. It allowed an unauthenticated attacker to abuse improperly secured access to arbitrary files on the server via the /Electron/download directory traversal functionality (Medium Blog).
The vulnerability existed in the ElectronController's Download method, accessible via the /download/{platform}/{file} endpoint. The issue stemmed from improper handling of Path.Combine() calls: the Windows backslash character could be used to bypass directory restrictions. Initially the vulnerability allowed access to files under C:\ProgramData\3CX\Instance1\Data and its subdirectories, but it was later found to allow access to any system file through absolute path traversal (Medium Blog).
The vulnerability allowed unauthorized access to sensitive files, including credentials, chat logs, call recordings, and full backups of the 3CX installation. Because the application ran with NT AUTHORITY\SYSTEM privileges, the impact was maximized: any file on the system was potentially accessible (Medium Blog).
The vulnerability was initially patched in 3CX Version 18, Update 2 Security Hotfix, Build 18.0.2.315 in February 2022. After the discovery of a bypass, a second patch was released in 3CX Version 18, Update 3 FINAL, Build 18.0.3.450. A final security hotfix was released in March 2022 to fully address the vulnerability (3CX Blog, 3CX Security).
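The Path.Combine() handling described above, modelled as an added example (not 3CX code, nor the original researcher's): Python's ntpath.join reproduces the relevant .NET Path.Combine behaviour on any platform, so the unchecked join can be contrasted with a hardened version that canonicalises the result and requires it to remain under the base directory. The base directory is the one named in the advisory; the file names are constructed.

```python
import ntpath
from typing import Optional

# Base directory named in the advisory (used here as a constructed string only).
BASE_DIR = r"C:\ProgramData\3CX\Instance1\Data"


def naive_join(base: str, user_file: str) -> str:
    """Vulnerable pattern: join the user-controlled name onto the base
    directory with no canonicalisation or containment check.

    Like .NET Path.Combine, ntpath.join keeps '..' segments for the file
    system to resolve and lets a rooted second argument replace the base."""
    return ntpath.join(base, user_file)


def resolve_within(base: str, user_file: str) -> Optional[str]:
    """Hardened pattern: canonicalise the joined path (collapsing '..' and
    converting '/' to '\\') and accept it only if it still lies strictly
    under the base directory. Returns the resolved path, or None when the
    request would escape the base (covers '..', rooted and absolute names)."""
    # Trailing separator stops a sibling such as '...\DataEvil' matching.
    base_canon = ntpath.normcase(ntpath.normpath(base)).rstrip("\\") + "\\"
    candidate = ntpath.normpath(ntpath.join(base, user_file))
    if not ntpath.normcase(candidate).startswith(base_canon):
        return None  # would leave the allowed directory
    return candidate


if __name__ == "__main__":
    # Constructed requests: one legitimate, the rest escaping the base.
    for name in [r"Backups\export.zip", r"..\..\outside.txt",
                 "../../outside.txt", r"\Outside\file.txt", r"C:\Outside\file.txt"]:
        print(f"{name!r:28} naive={naive_join(BASE_DIR, name)!r:60} "
              f"checked={resolve_within(BASE_DIR, name)!r}")
```

normpath is a purely lexical check; a production handler should additionally resolve the final path with os.path.realpath and repeat the containment check so that junctions and symlinks under the base cannot redirect it elsewhere.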
Source: This report was generated using AI