CVE-2023-29059

Name: CVE-2023-29059
Creator: NVD / NIST
Published: 2023-03-30T17:15:06.83+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.8/10EPSS 4.37%

Last modified Jun 17, 2026

CVE-2023-29059 is a high-severity vulnerability rated 7.8/10 on the CVSS scale. 3CX DesktopApp through 18.12.416 has embedded malicious code, as exploited in the wild in March 2023. This affects versions 18.12.407 and 18.12.416 of the 3CX DesktopApp Electron Windows application shipped in Update 7, and versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 of the 3CX DesktopApp Electron macOS application.. EPSS estimates a 4.37% chance of exploitation in the next 30 days.

Description

3CX DesktopApp through 18.12.416 has embedded malicious code, as exploited in the wild in March 2023. This affects versions 18.12.407 and 18.12.416 of the 3CX DesktopApp Electron Windows application shipped in Update 7, and versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 of the 3CX DesktopApp Electron macOS application.

Metrics

CVSS 3.1

7.8/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

4.37%

90.0th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

Vendor	Product	Versions
3cx	3cx	18.11.1213
3cx	3cx	18.12.402
3cx	3cx	18.12.407
3cx	3cx	18.12.416

References

https://cwe.mitre.org/data/definitions/506.htmlTechnical Description
https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/Exploit, Technical Description, Third Party Advisory
https://www.3cx.com/blog/news/desktopapp-security-alert/Vendor Advisory
https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/Exploit, Third Party Advisory
https://www.fortinet.com/blog/threat-research/3cx-desktop-app-compromisedExploit, Third Party Advisory
https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threatsExploit, Third Party Advisory
https://cwe.mitre.org/data/definitions/506.htmlTechnical Description
https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/Exploit, Technical Description, Third Party Advisory
https://www.3cx.com/blog/news/desktopapp-security-alert/Vendor Advisory
https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/Exploit, Third Party Advisory
https://www.fortinet.com/blog/threat-research/3cx-desktop-app-compromisedExploit, Third Party Advisory
https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threatsExploit, Third Party Advisory

Timeline

Published: Mar 30, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-29059?

How severe is CVE-2023-29059?

CVE-2023-29059 has a CVSS score of 7.8/10 (HIGH severity). The EPSS model estimates a 4.37% probability of exploitation in the next 30 days.

How do I fix CVE-2023-29059?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-29059?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST