CVE-2026-9586
Sangoma · Switchvox SMB Edition
An unauthenticated SQL injection vulnerability exists in Sangoma Switchvox SMB Edition that allows remote attackers to execute arbitrary database commands via the /pa endpoint.
Executive summary
A critical unauthenticated SQL injection vulnerability in Sangoma Switchvox SMB Edition allows remote attackers to execute arbitrary database operations and potentially achieve remote code execution.
Vulnerability
This is an improper neutralization of special elements used in an SQL command (CWE-89). The /pa endpoint fails to sanitize user-controlled input, allowing an unauthenticated attacker to inject malicious SQL statements directly into PostgreSQL queries.
Business impact
Successful exploitation poses a severe threat to the integrity and confidentiality of the backend database. Given the CVSS score of 9.3, this flaw enables a remote attacker to bypass authentication, access sensitive information, or potentially gain full system control, leading to significant service disruption and data loss.
Remediation
Immediate Action: Update Sangoma Switchvox SMB Edition to version 8.4.0.2 or later immediately.
Proactive Monitoring: Monitor server logs for suspicious requests to the /pa endpoint, particularly those containing SQL syntax or unusual XML structures.
Compensating Controls: Implement a Web Application Firewall (WAF) rule to inspect and block requests to the /pa endpoint containing unexpected SQL keywords or characters.
Exploitation status
Public Exploit Available: Unknown.
Analyst recommendation
This vulnerability is highly critical due to the lack of authentication required for exploitation. Administrators must prioritize updating affected Switchvox instances to the latest version to prevent potential remote code execution and unauthorized data access.