CVE-2026-45362 Overview
CVE-2026-45362 affects Sangoma Switchvox versions before 8.4. The product stores cleartext Session Initiation Protocol (SIP) authentication credentials inside a backup file. An attacker with local access to the backup artifact can recover valid SIP credentials without cryptographic effort. The weakness maps to CWE-312: Cleartext Storage of Sensitive Information.
Critical Impact
Recovery of cleartext SIP credentials from a Switchvox backup file enables impersonation of telephony endpoints and unauthorized access to voice services.
Affected Products
- Sangoma Switchvox versions before 8.4
- Switchvox backup file (.svb) artifacts generated on affected releases
- SIP user accounts provisioned on the affected appliance
Discovery Timeline
- 2026-05-12 - CVE-2026-45362 published to the National Vulnerability Database (NVD)
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-45362
Vulnerability Analysis
Sangoma Switchvox produces system backup files used for configuration restore and migration. On versions prior to 8.4, the backup routine writes SIP authentication credentials in plaintext into the resulting archive. An actor who obtains a backup file can read SIP passwords directly without breaking encryption or hashing.
The weakness is a storage-layer issue rather than a protocol or memory-safety flaw. Exploitation requires local access to the backup artifact, which limits remote reach. The exposure is confined to confidentiality of SIP credentials; integrity and availability of the appliance are not directly affected.
Once extracted, the recovered SIP credentials allow an attacker to register rogue endpoints, place outbound calls, intercept inbound calls, or perform toll fraud against the PBX. Because SIP passwords are often reused across endpoints, the impact can extend beyond a single account.
Root Cause
The backup generation logic serializes SIP account secrets without applying encryption or hashing before writing them into the archive. The design relies on the secrecy of the backup file rather than on protection of the credential field itself.
Attack Vector
An attacker must first obtain a Switchvox backup file through local file system access, insecure backup storage, misconfigured shares, or exfiltration during a separate compromise. The attacker then extracts the archive and reads the SIP credential entries directly from the contained configuration data. No authentication is required to parse the file once retrieved.
The vulnerability mechanism is described in the GitHub Security Advisory and demonstrated in the GitHub PoC Repository.
Detection Methods for CVE-2026-45362
Indicators of Compromise
- Switchvox backup files (.svb) located outside of approved backup storage locations
- Unexpected SIP registrations from unfamiliar IP addresses or user agents
- Outbound call patterns inconsistent with normal user behavior, including international or premium-rate destinations
- Access to backup directories by accounts that do not perform administrative duties
Detection Strategies
- Audit file system and share access logs for read operations against Switchvox backup paths
- Correlate SIP registration events with source IP geolocation and historical baselines for each extension
- Inspect newly created or transferred .svb files for handling by unauthorized processes or users
- Review call detail records (CDR) for sudden spikes in call volume, duration, or cost
Monitoring Recommendations
- Forward Switchvox system, SIP, and backup logs to a centralized logging or SIEM platform
- Alert on backup file creation, copy, or download events outside of scheduled maintenance windows
- Monitor for concurrent SIP registrations of the same extension from distinct network locations
- Track administrative logins and configuration export actions on the Switchvox appliance
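The concurrent-registration check from the list above, as an added example (not code from Sangoma or the advisory). The log layout `timestamp extension source_ip expires_seconds` and the sample events are constructed for illustration and are not Switchvox's native log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "timestamp extension source_ip expires_seconds".
# Assumed layout; adapt parse_line() to the fields your SIEM actually receives.
SAMPLE_LOG = """\
2026-05-14T09:00:00 101 10.0.5.21 3600
2026-05-14T09:05:00 102 10.0.5.22 3600
2026-05-14T09:20:00 101 198.51.100.7 3600
2026-05-14T11:30:00 102 10.0.9.40 3600
2026-05-14T11:45:00 103 10.0.5.23 600
2026-05-14T11:50:00 103 10.0.5.23 600
"""


def parse_line(line):
    """Split one event into (extension, source_ip, start, expiry)."""
    ts, ext, ip, expires = line.split()
    start = datetime.fromisoformat(ts)
    return ext, ip, start, start + timedelta(seconds=int(expires))


def concurrent_registrations(log_text):
    """Alert when an extension registers from a new IP while another IP's binding is still live."""
    active = defaultdict(dict)  # extension -> {source_ip: expiry}
    alerts = []
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e[2],
    )
    for ext, ip, start, expiry in events:
        bindings = active[ext]
        # Forget bindings that had already expired when this event arrived.
        for old_ip in [a for a, exp in bindings.items() if exp <= start]:
            del bindings[old_ip]
        others = sorted(a for a in bindings if a != ip)
        if others:
            alerts.append({"extension": ext, "time": start.isoformat(),
                           "new_ip": ip, "existing_ips": others})
        bindings[ip] = expiry  # record or refresh this source's binding
    return alerts


if __name__ == "__main__":
    for alert in concurrent_registrations(SAMPLE_LOG):
        print(alert)
```

Extensions that legitimately register from several devices will also match, so pair the output with a per-extension baseline before alerting.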
How to Mitigate CVE-2026-45362
Immediate Actions Required
- Upgrade Sangoma Switchvox to version 8.4 or later to remove cleartext SIP credentials from backup files
- Rotate all SIP account passwords on appliances that have generated backups on affected versions
- Restrict access to existing backup archives and review who has retrieved them historically
- Securely delete legacy backup files that contain cleartext SIP credentials once new backups are in place
Patch Information
Sangoma addresses CVE-2026-45362 in Switchvox 8.4. Refer to the GitHub Security Advisory for vendor guidance on upgrade paths and post-upgrade credential rotation.
Workarounds
- Store backup files only on encrypted volumes with strict access control lists
- Transfer backups over encrypted channels such as SFTP or SCP and avoid retention on shared file systems
- Apply least-privilege permissions so only designated administrators can read backup directories
- Enable SIP-layer controls such as IP-based registration restrictions and fail2ban-style lockouts to limit credential reuse
```bash
# Configuration example: restrict access to Switchvox backup directory
chown root:switchvox-admin /var/backups/switchvox
chmod 750 /var/backups/switchvox
find /var/backups/switchvox -name '*.svb' -exec chmod 640 {} \;
```
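To verify the result of those commands and to catch stray copies, the following added example (not part of the vendor guidance) walks a directory tree and reports `.svb` files that sit outside the approved backup directory or that grant any permission to "other" users. The function names and the directory layout in `demo()` are hypothetical and constructed for illustration.

```python
import os
import stat
import tempfile


def audit_svb(search_root, approved_dir):
    """Return (path, reason) for .svb files that are misplaced or too permissive."""
    approved = os.path.realpath(approved_dir)
    findings = []
    for dirpath, _dirs, files in os.walk(search_root):
        for name in files:
            if not name.lower().endswith(".svb"):
                continue
            path = os.path.realpath(os.path.join(dirpath, name))
            try:
                mode = stat.S_IMODE(os.lstat(path).st_mode)
            except OSError:
                continue  # dangling symlink or file removed during the walk
            if os.path.commonpath([path, approved]) != approved:
                findings.append((path, "outside approved backup directory"))
            elif mode & 0o007:
                findings.append((path, f"mode {mode:o} grants access to other users"))
    return sorted(findings)


def demo():
    """Build a constructed directory tree, audit it, and return relative findings."""
    with tempfile.TemporaryDirectory() as root:
        approved = os.path.join(root, "backups")
        share = os.path.join(root, "share")
        os.makedirs(approved)
        os.makedirs(share)
        os.chmod(approved, 0o750)
        samples = [
            (os.path.join(approved, "good.svb"), 0o640),   # matches the baseline above
            (os.path.join(approved, "loose.svb"), 0o644),  # world-readable
            (os.path.join(share, "copy.svb"), 0o600),      # copied to a shared folder
        ]
        for path, mode in samples:
            open(path, "w").close()
            os.chmod(path, mode)
        base = os.path.realpath(root)
        return [(os.path.relpath(p, base), why) for p, why in audit_svb(root, approved)]


if __name__ == "__main__":
    for path, why in demo():
        print(f"{path}: {why}")
```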


