3CX put out a security alert yesterday warning IP-based SIP trunk users to update to 8A immediately. The blog post is light on details, which is frustrating if you’re trying to assess your actual exposure.

https://www.3cx.com/blog/news/ip-sip-trunk-security/

The advisory leans on the phrase “IP spoofing” without explaining the mechanism. At the TCP level, spoofing a source IP is not a realistic attack — the three-way handshake makes it self-defeating. So either the threat involves UDP (where spoofing is trivial and connectionless), or it’s something else entirely.

The most plausible theory floating around the 3CX forums right now is SIP REFER abuse, where an attacker sends a REFER request pointing to a premium-rate number and tricks the PBX into making fraudulent outbound calls. Update 8A added a new option to disable “Allow Carrier Side Transfers (SIP REFER)” on trunks, which lends credibility to this theory.
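A defender-side check for the REFER theory above, as an added example that is not from 3CX or the original post: it parses SIP messages exported from a trunk capture and reports each REFER request's Via transport and whether its Refer-To target falls outside the internal extension range. The 3-4 digit extension pattern, the hostnames, the documentation-range addresses and the number are assumptions and constructed samples.

```python
import re

COMPACT = {"r": "refer-to", "v": "via"}  # SIP compact header forms
INTERNAL_EXT = re.compile(r"^\d{3,4}$")  # assumption: extensions are 3-4 digits

def parse_sip(raw):
    """Return (method, headers); the first value per header name wins (top Via)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            name = name.strip().lower()
            headers.setdefault(COMPACT.get(name, name), value.strip())
    return lines[0].split(" ", 1)[0].upper(), headers

def refer_target(value):
    """User or number part of a Refer-To URI (sip:, sips: or tel:)."""
    m = re.search(r"<([^>]+)>", value)
    uri = m.group(1) if m else value.split(";", 1)[0].strip()
    scheme, _, rest = uri.partition(":")
    if scheme.lower() != "tel":
        rest = rest.split("@", 1)[0] if "@" in rest else ""
    return rest.split(";", 1)[0]

def review_refer(raw):
    """None for anything that is not a REFER request, else a triage record."""
    method, headers = parse_sip(raw)
    if method != "REFER" or "refer-to" not in headers:
        return None
    via = re.search(r"SIP/2\.0/(\w+)", headers.get("via", ""), re.I)
    target = refer_target(headers["refer-to"])
    return {"transport": via.group(1).upper() if via else "?", "target": target,
            "external": not INTERNAL_EXT.match(target)}

SAMPLES = [  # constructed messages: documentation-range addresses, made-up number
    "REFER sip:100@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-1\r\n"
    "Refer-To: <sip:+19005550100@198.51.100.7>\r\n\r\n",
    "REFER sip:100@pbx.example.com SIP/2.0\r\n"
    "v: SIP/2.0/TCP 192.0.2.10:5060;branch=z9hG4bK-2\r\n"
    "r: sip:101@pbx.example.com\r\n\r\n",
    "INVITE sip:100@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-3\r\n\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(review_refer(sample))
```

A record with `external` set to true on a UDP trunk is the case worth correlating with outbound call records; header folding across lines is not handled here.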

For anyone running 3CX behind OPNsense with NAT overloading disabled (like me), I don’t think this is particularly relevant to your perimeter config. The vulnerability appears to live in 3CX’s application logic, not at the firewall level. Your allowlist isn’t the problem.

That said: update to 8A. There’s no CVE published and 3CX hasn’t been forthcoming with specifics, so I’m working from forum speculation and changelog archaeology here. If you know more than I do, I’d genuinely like to hear it.