Business communication company 3CX is urging customers to disable SQL database integrations to prevent a vulnerability that occurs in certain configurations.
In a security advisory published on Friday, the company revealed that 3CX versions 18 and 20 are impacted by an integration bug.
“Only 0.25% of our user base have sequel integrated. It’s an old-style integration meant for an on-premise firewall secured network. Nevertheless, if you are using an SQL database integration, it’s subject potentially to a vulnerability – depending upon the configuration,” the company said.
According to 3CX, customers using MongoDB, MsSQL, MySQL, and PostgreSQL databases should disable their SQL database integrations until further notice.
“As a precautionary measure, and whilst we work on a solution to safely re-enable this integration, please follow the instructions below to disable it,” the company underlined.
To disable the integration, customers should go to the Settings section of the management console, go to CRM, set the available option to ‘None’, and save the modification.
Web-based CRM integrations are not affected, 3CX says. The company has yet to provide technical details on the identified security defect.
In March this year, it came to light that North Korean hackers had compromised 3CX’s Windows and macOS build environments after an employee downloaded a trojanized application on their personal computer.
The supply chain attack led to malware being pushed to the company’s customers, with organizations in Europe and North America being impacted the most.
More than 600,000 companies worldwide are using 3CX’s VoIP software.
Related: Atlassian CISO Urges Quick Action to Protect Confluence Instances From Critical Vulnerability
Related: CISA Offering Free Vulnerability Scanning Service to Water Utilities
Related: Recent NetScaler Vulnerability Exploited as Zero-Day Since August
