3CX Desktop Application Exploit

  • facebook share link
  • twitter share link
  • linkedin share link
  • mail share link

Date of Notice: 03/30/2023

Action Level - Critical


We have been made aware of an active intrusion campaign targeting 3CX customers. On 29 March 2023, Crowdstrike Falcon Overwatch observed unexpected malicious activity from a legitimate, signed binary, 3CXDesktopApp. The malicious activity includes reaching out to actor-controlled infrastructure, deploying second-stage payloads, and, in a small number of cases, hands-on-keyboard activity. While the majority of malicious domains have already been taken down, we recommend updating any affected versions of the desktop app in your environment.

Affected Versions

  • 3CXDesktopApp - Windows
  • 3CXDesktopApp - MacOS

Attack Vector

Attackers have been able to trigger the exploit remotely from within the application

Attack Feasibility 

The vendor has confirmed that the exploit has been used by attackers in the past few days.


3CX recommends use of their PWA application, which is web-based and has similar functionality, in place of the desktop app. Update to a current supported version of 3CXDesktopApp if the desktop application is needed.  

Vendor Resources


https://supportportal.crowdstrike.com/s/article/Tech-Alert-CrowdStrike-Tracking-Active-Intrusion-Campaign-Targeting-3CX-Customers (Crowdstrike login required)

<-- Return to Cybersecurity Alerts...

PO Box 12889
3021 East Cornwallis Road
RTP, NC 27709-2889
919-248-1900 Phone | 919-248-1101 Fax
Connect With Us
  • linkedin
  • instagram
  • x
  • facebook
  • youtube
© 2024 MCNC