>samit_hota
Back to advisories
SH-2026-161CriticalOpen

Critical SQL Injection Vulnerability in Sangoma Switchvox SMB Edition Disclosed

Samit Hota·
CVE ID
CVE-2026-9586
CVSS Score
N/A
Affected Products
Sangoma Switchvox SMB Edition 8.3 (104997)
#news#sangoma

Overview

A critical unauthenticated SQL injection vulnerability, tracked as CVE-2026-9586, has been disclosed in Sangoma Switchvox SMB Edition version 8.3 (build 104997). This flaw allows an unauthenticated remote attacker to execute arbitrary SQL statements against the backend PostgreSQL database through a single crafted request. The vulnerability’s severity is heightened by the potential for database operations and remote code execution (RCE), posing a significant risk to affected organizations. The vulnerability was publicly disclosed on July 17, 2026, and given its nature, immediate patching or mitigation is paramount.

Technical Details

The vulnerability resides within the /pa endpoint of Sangoma Switchvox SMB Edition 8.3. This endpoint is designed to process XML content, specifically beginning with the <PolycomIPPhone> tag. The core of the issue lies in the improper neutralization of special elements used in an SQL command, commonly known as SQL injection (CWE-89). Specifically, the PhoneIP value, which is user-controlled input, is directly concatenated into PostgreSQL queries without proper sanitization or parameterization.

An attacker can leverage this weakness by sending a specially crafted XML request to the /pa endpoint. By injecting malicious SQL code into the PhoneIP parameter, they can bypass intended database queries and execute arbitrary SQL commands. This could include extracting sensitive information from the database, modifying data, or, critically, achieving remote code execution on the underlying system by exploiting database functionalities that allow command execution. The unauthenticated nature of the flaw means an attacker does not require any prior access or credentials to exploit it, making it accessible to any malicious actor on the network or internet, depending on the exposure of the Switchvox instance.

Real-World Impact

The real-world impact of CVE-2026-9586 is severe for organizations utilizing Sangoma Switchvox SMB Edition. Successful exploitation grants an unauthenticated attacker comprehensive control over the backend PostgreSQL database. This level of access can lead to:

  • Complete Data Compromise: Attackers can exfiltrate all data stored within the Switchvox database, including sensitive customer information, call records, system configurations, and potentially credentials.
  • System Takeover: With arbitrary SQL execution, attackers may be able to escalate privileges and execute arbitrary code on the underlying operating system, leading to a full compromise of the Switchvox appliance.
  • Service Disruption: Malicious SQL commands could corrupt database integrity or lead to a denial of service for the communication system, impacting critical business operations.
  • Lateral Movement: A compromised Switchvox system could serve as a pivot point for attackers to move laterally within the organization’s network, gaining access to other systems and sensitive resources.

Given that Switchvox systems are typically used for business communications, a breach could expose highly confidential conversations, contact lists, and operational data, leading to severe privacy and compliance issues.

Threat Landscape

SQL injection remains one of the most prevalent and dangerous web application vulnerabilities, consistently ranking high on lists such as the OWASP Top 10. The disclosure of CVE-2026-9586 highlights that even established enterprise solutions can harbor critical injection flaws if input sanitization and parameterized queries are not rigorously implemented. The fact that this vulnerability is unauthenticated and can lead to remote code execution makes it a prime target for opportunistic attackers. Such vulnerabilities are quickly weaponized once public proof-of-concept (PoC) code becomes available, leading to widespread scanning and exploitation attempts. The estimated exploit price of USD $25k-$100k suggests a high market value for such a potent exploit, indicating strong interest from various threat actors. This incident underscores the importance of continuous security auditing for all components of an organization’s IT infrastructure, not just publicly exposed web servers.

Remediation

Immediate action is required for all organizations running Sangoma Switchvox SMB Edition 8.3 (build 104997).

  • Patch Immediately: Sangoma has released Switchvox version 8.4.0.2 on July 14, 2026, which addresses this vulnerability. Organizations should apply this update without delay.
  • Network Segmentation: Isolate Switchvox appliances on a dedicated network segment with strict ingress and egress filtering rules to limit their exposure and prevent lateral movement in case of compromise.
  • Web Application Firewall (WAF): Implement and configure a WAF in front of the Switchvox application to detect and block malicious SQL injection attempts. Ensure the WAF rules are updated to specifically address known patterns related to CVE-2026-9586.
  • Input Validation: For developers and system administrators, this vulnerability serves as a reminder to always validate and sanitize all user-supplied input rigorously and to use parameterized queries or prepared statements when interacting with databases, rather than direct string concatenation.
  • Monitor for Exploitation: Actively monitor logs for any suspicious activity originating from or targeting the Switchvox appliance, looking for unusual SQL query patterns, unexpected outbound connections, or unauthorized file modifications.
  • Backup and Recovery: Ensure comprehensive and regularly tested backup and recovery procedures are in place for the Switchvox system and its associated database.

Found something similar in your stack?

Let's find out before it becomes an incident.

Book an advisory call