Mallory
Severity: High
Public exploit

3CX DesktopApp Supply Chain Compromise

Identifiers: CVE-2023-29059, CWE-494

CVE-2023-29059 refers to a supply-chain compromise of the 3CX DesktopApp in which legitimate, digitally signed Windows and macOS application builds were distributed with embedded malicious code. Affected versions include Windows Electron DesktopApp builds 18.12.407 and 18.12.416 shipped in Update 7, and macOS Electron DesktopApp builds 18.11.1213, 18.12.402, 18.12.407, and 18.12.416. On Windows, the malicious activity was delivered through a DLL sideloading chain involving 3CXDesktopApp.exe, a clean loader d3dcompiler_47.dll, and a maliciously patched ffmpeg.dll containing appended encrypted payload data and logic to retrieve additional encoded content from attacker-controlled infrastructure, including GitHub raw content paths. On macOS, the trojanized component was libffmpeg.dylib. The malicious ffmpeg library remained functional while executing added code, used a manifest/timestamp-based delay mechanism of up to roughly 28 days before contacting external infrastructure, and ultimately delivered follow-on payloads including a browser-targeting infostealer. The issue was exploited in the wild in March 2023.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Running the trojanized 3CX DesktopApp executes attacker-supplied code in the context of the user running the application. The compromise provides an initial foothold on affected Windows and macOS systems and enables command-and-control communications, retrieval and execution of additional payloads, theft of browser-resident data, and broader follow-on compromise. Public reporting notes potential unauthorized access, code execution, data exfiltration, and further malware propagation. Because the malicious software was distributed as a trusted, signed update, the impact extends beyond a single host to every enterprise environment that deployed the affected versions through normal software update channels.

Mitigation

If you can’t patch tonight, do this now.

Until clean software is confirmed, block or remove the 3CX DesktopApp from affected endpoints and use the browser-based PWA client as an alternative. Monitor for execution of 3CXDesktopApp.exe with vulnerable file versions and for DNS/network connections to known 3CX campaign IOC domains. Block known malicious domains and public-hosting retrieval paths used by the malware. Validate software provenance and code-signing changes, and increase scrutiny of signed third-party software updates. On potentially affected hosts, review for persistence artifacts and files noted in reporting, including Windows ffmpeg.dll anomalies and macOS artifacts such as ~/.session-lock, ~/.main_storage, and UpdateAgent-related paths under ~/Library/Application Support/3CX Desktop App/.

Remediation

Patch, then assume compromise.

Remove affected 3CX DesktopApp versions from all systems. Specifically replace Windows versions 18.12.407 and 18.12.416 and macOS versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 with clean vendor-provided builds signed with the replacement certificate. 3CX recommended uninstalling and reinstalling the application and temporarily using the browser-based PWA client while clean desktop builds were being issued. Organizations should also hunt for indicators of compromise associated with the campaign, including suspicious DNS lookups and known malicious domains, inspect systems for malicious 3CX-bundled ffmpeg components, and investigate for follow-on payloads and credential theft on hosts where affected versions executed.
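The two checks the mitigation and remediation guidance above ask for, version triage against the listed builds and a sweep for the named macOS artifact paths, as an added example (not Mallory's or 3CX's code). Hostnames, versions and file listings in the sample inventory are constructed; the exact UpdateAgent file names are not on the page, so any path under the 3CX application-support directory containing "UpdateAgent" is treated as a hit. Because the implant delays beaconing for up to roughly 28 days, a version or artifact match is a stronger signal than the absence of C2 traffic.

```python
# Added example (not from Mallory or 3CX): flag endpoints running the affected
# 3CX DesktopApp builds listed in the advisory and check macOS hosts for the
# artifact paths it names. All inventory data below is constructed.
import posixpath

# Exact affected build numbers from the advisory, per platform.
AFFECTED_VERSIONS = {
    "windows": {"18.12.407", "18.12.416"},
    "macos": {"18.11.1213", "18.12.402", "18.12.407", "18.12.416"},
}

def is_affected(platform: str, version: str) -> bool:
    """True when the installed build is one of the listed trojanized versions."""
    return version.strip() in AFFECTED_VERSIONS.get(platform.lower(), set())

def macos_artifact_hits(home: str, present_paths: set) -> list:
    """Return the known macOS artifact paths (absolute) found in present_paths."""
    hits = []
    for rel in (".session-lock", ".main_storage"):  # files named in the advisory
        full = posixpath.join(home, rel)
        if full in present_paths:
            hits.append(full)
    # UpdateAgent-related paths under the app-support directory; the advisory
    # gives the directory but not the file names, so match on the substring.
    app_dir = posixpath.join(home, "Library/Application Support/3CX Desktop App/")
    hits += sorted(p for p in present_paths if p.startswith(app_dir) and "UpdateAgent" in p)
    return hits

def triage(inventory: list) -> list:
    """Mark each host affected/clean; on macOS also attach artifact hits."""
    findings = []
    for rec in inventory:
        platform = rec["platform"].lower()
        finding = {"host": rec["host"], "affected": is_affected(platform, rec["version"]),
                   "artifacts": []}
        if platform == "macos":
            finding["artifacts"] = macos_artifact_hits(rec["home"], rec.get("files", set()))
        findings.append(finding)
    return findings

# Constructed sample inventory; 18.12.422 is a made-up build not on the list.
SAMPLE_INVENTORY = [
    {"host": "win-01", "platform": "windows", "version": "18.12.416"},
    {"host": "win-02", "platform": "windows", "version": "18.12.422"},
    {"host": "mac-01", "platform": "macos", "version": "18.12.402", "home": "/Users/alice",
     "files": {"/Users/alice/.main_storage",
               "/Users/alice/Library/Application Support/3CX Desktop App/UpdateAgent"}},
    {"host": "mac-02", "platform": "macos", "version": "18.12.422", "home": "/Users/bob"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(finding)
```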
PUBLIC EXPLOITS

Exploits


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor   Product   Type
3cx      3cx       application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
