If you’re still using Elastix 1.5 or 1.6 (or earlier) then it is critically important that you ensure you are not open to this vulnerability –
This allows anyone to download a list of extensions and secrets from your Elastix server, no password required! They can then use this information to place expensive calls through your server.
To test if you are vulnerable visit the following URLs in a web browser, replacing the IP address with your Elastix server IP –
The easiest was to secure your server from this is to delete the affected file (this was done in later releases) –
There are active scans on the Internet looking for vulnerable servers.