External risk intelligence

Sangoma Switchvox SMB SQL Injection Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-9586

The vulnerability exists in a VoIP/PBX appliance designed to process incoming requests from endpoint devices. These services are typically exposed to the network to facilitate communication with remote phones and gateways, and the /pa endpoint is reachable without authentication, making it directly accessible to internet-based traffic in standard deployments.

SQL Injection

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability affects Sangoma Switchvox SMB Edition, a type of VoIP and PBX system. An unauthenticated attacker could exploit this to run unauthorized commands on the system by sending a specially crafted request. The main concern is confirming if this specific system is in use and exposed.

  • Unauthenticated attackers can run commands.
  • Vital for verifying system exposure and relevance.
  • Ensure internal systems are not accessible externally.

Attack Path

How an attacker could exploit the issue

An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted request to the `/pa` endpoint. This endpoint processes XML content and is susceptible to SQL injection because it concatenates user-controlled data directly into database queries without proper sanitization. Successfully triggering this vulnerability allows an attacker to execute arbitrary SQL commands on the backend database.

  • No authentication or user interaction is required.
  • A crafted XML request to the `/pa` endpoint triggers it.
  • Risk includes arbitrary SQL execution and potential code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated remote attacker to execute arbitrary SQL statements against the backend PostgreSQL database. This is possible when the /pa endpoint processes XML content and directly concatenates user-controlled input into database queries without proper sanitization. This could lead to database operations and potentially remote code execution when supported by the advisory.

  • PostgreSQL database is at risk.
  • Unauthenticated network requests can exploit it.
  • Database compromise or code execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical SQL injection vulnerability in Sangoma Switchvox SMB Edition affects the /pa endpoint, allowing unauthenticated remote attackers to execute arbitrary SQL statements. Given the product's role as a communication platform, the first practical step is to identify all instances, confirm their network exposure and business criticality, and then engage the accountable owner to prioritize remediation, which may involve vendor coordination or temporary risk reduction measures.

  • Identify affected systems and owners.
  • Verify network reachability and criticality.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Sangoma Switchvox SMB?

Sangoma Switchvox SMB is a specialized Private Branch Exchange (PBX) system used by organizations to manage Voice over IP (VoIP) telephony. It functions as the central hub for handling internal and external communications, bridging the gap between hardware desk phones and the corporate network. Because it must communicate with various VoIP endpoints, it runs services designed to process incoming signaling data.

How does SQL injection work in CVE-2026-9586?

This vulnerability is classified as CWE-89, or Improper Neutralization of Special Elements used in an SQL Command. The system fails to sanitize input within XML data sent to the /pa endpoint. Instead of treating the input as plain text, the database interprets it as part of an executable command. This allows an attacker to inject and run their own SQL queries directly against the backend PostgreSQL database.

Do I need to authenticate to trigger this bug?

No. The vulnerability exists on an endpoint that processes requests without requiring any user credentials. Simply sending a specifically crafted XML payload containing a malicious 'PhoneIP' value is sufficient to reach the vulnerable code path. Normal, legitimate XML traffic that does not contain injected SQL commands will not trigger the vulnerability.

Is my system relevant according to Halo Surface Signal?

Yes, if your PBX is internet-facing. Halo Surface Signal notes that because Switchvox is a VoIP appliance intended to communicate with remote phones and gateways, the /pa endpoint is often exposed to network traffic by design. If this endpoint is reachable from the internet, it is directly accessible to external attackers, which significantly increases the risk of exploitation.

What are the first steps to address this vulnerability?

Start by identifying all instances of Switchvox SMB within your environment and mapping their network reachability. If you find systems exposed to the internet, prioritize restricting access to known, trusted IP addresses immediately. Engage the system owners to verify the version in use and coordinate with the vendor to apply the necessary security updates to close the vulnerable endpoint.

References