Quantifying investment in product security assessment of 3CX V20 phone system core services by Mandiant.

As part of our ongoing commitment to product security, 3CX engaged Mandiant, a part of Google Cloud and a leader in cybersecurity consulting, to conduct a thorough, multi-phase security assessment of the 3CX Phone System V20. The engagement was extensive:

  • 97 working days
  • 10 consultants, including reverse engineers from the Mandiant FLARE team
  • A combined 78 years of professional cybersecurity experience

The project involved full source code access, hands-on testing, and multiple reassessment cycles. It represented a significant investment of time, expertise, and resources. Read on to learn more about the report and its outcomes.

About the Mandiant Engagement

Between November 2023 and September 2024, Mandiant conducted four separate assessments covering the major components of the 3CX ecosystem. Testing involved both static and dynamic analysis, with direct validation of remediation work.

Components Assessed

Progressive Web App (PWA)

  • Testing period: November 2023
  • Platform: 3CX V20 on Debian 12
  • Methodology: Static and dynamic penetration testing

Core Server-Side Services

  • Testing period: December 2023
  • Components: SIP Server, Media Server, WebRTC, Tunnel
  • Reassessments: April and June 2024 on versions 20.0.1.699 and 20.0.2.581
  • Platform: Debian 12

Session Border Controller (SBC)

  • Testing period: April 2024
  • Devices:
    • Yealink SIP-T53W (FW 96.86.0.77)
    • Yealink SIP-T46U (FW 108.86.0.77)
    • Fanvil V64 (FW 2.12.17)
    • Windows 10 and Raspberry Pi (Debian 10)
  • SBC Versions:
    • 18.1.36 (initial)
    • 18.1.80
    • 20.0.100 (reassessment)

Windows Softphone Desktop Client

  • Testing period: September 2024
  • Version: 20.0.580
  • Installer packages:
    • 3CXSoftphone_GLOBAL_20.0.580.0_x64.msix
    • 3CXSoftphone_MS_20.0.580.0_x64.msix

Key Findings and Remediation Status

Across all assessments, Mandiant identified:

  • One critical vulnerability
  • One high-risk issue

Both findings were fully remediated by 3CX and independently validated by Mandiant during reassessment. These issues applied to components shared between versions 18 and 20 of the product.

V20 Security is a Priority

The engagement with Mandiant was a planned and resource-intensive effort to assess the security of Version 20. It demonstrates our commitment to continuous improvement and transparency in how we secure the architecture of our product in the new V20 landscape.

Access Full Mandiant Report

The full Mandiant report is available for download on the 3CX Security Page.

Follow Us for Updates

Hit the follow button on our X and LinkedIn pages to stay up to date on further developments.

About Mandiant

Mandiant is a recognized leader in dynamic cyber defense, threat intelligence, and incident response services. By scaling decades of frontline experience, Mandiant helps organizations to be confident in their readiness to defend against and respond to cyber threats. Mandiant is part of Google Cloud.