Remove vulnerable 3CX Desktop App versions from macOS endpoints to prevent supply chain compromise
This Automox Worklet™ identifies and removes compromised versions of the 3CX Desktop App from macOS endpoints. The Worklet searches for the application in system and user installation directories, checks the version against a list of known vulnerable releases, terminates any running processes, and deletes both the application bundle and associated support files.
The affected versions contain malicious code introduced through a supply chain attack on 3CX's build pipeline. This Worklet provides immediate remediation by removing the threat vector from your environment.
Automatic 3CX client updates can install during work hours, forcing application restarts that disconnect users from active calls. Users in customer-facing roles, sales teams, or support positions cannot afford surprise call drops when helping customers. These interruptions damage customer relationships and create negative user experiences.
Enterprise IT teams need to test 3CX client updates before widespread deployment to verify compatibility with their PBX version, custom dial plans, integration scripts, and third-party connectors. Automatic updates bypass this testing and can introduce client versions that exhibit bugs or compatibility issues specific to their environment.
macOS endpoints in managed environments should receive all software updates through centralized deployment tools like Jamf, Munki, or Automox. When applications auto-update outside these channels, you lose visibility into which endpoints run which software versions. This complicates troubleshooting and makes it difficult to correlate problems with specific software versions.
Some 3CX updates require PBX-side changes or configuration adjustments. When clients auto-update before the PBX is updated or before administrators have modified configurations, users may experience feature problems or connection issues that result from version mismatches.
Evaluation phase: The Worklet checks for running 3CX Desktop App processes using pgrep. It then searches for the application in /, /Applications/, ~/Applications/, and ~/Desktop/ directories. For each installation found, the Worklet extracts the version using mdls -name kMDItemVersion and compares it against the vulnerable version list (18.12.416, 18.11.1213, 18.12.407, 18.12.402).
Remediation phase: The Worklet terminates any running 3CX processes using kill -9. It removes the application bundle from its installation directory and deletes associated files from /Library/Application Support/ and ~/Library/Application Support/ to remove potential persistence mechanisms.
macOS endpoint (workstation or server)
Administrative privileges for terminating processes and deleting files
Targeted vulnerable versions: 18.12.416, 18.11.1213, 18.12.407, 18.12.402
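A read-only sketch of the evaluation phase described above, added here as an illustration and not the Worklet's own code. The bundle name "3CX Desktop App.app", the function names, the --scan switch, and the choice to treat an unreadable version as non-compliant are assumptions; the version list and search locations are the ones given on this page.

```shell
#!/bin/bash
# Added example: read-only evaluation pass. Nothing is killed or deleted here.

# Vulnerable releases as listed on this page.
VULNERABLE_VERSIONS="18.12.416 18.11.1213 18.12.407 18.12.402"
# Assumption: bundle name on disk; adjust if your installs differ.
APP_BUNDLE="3CX Desktop App.app"

# Extract the value from an mdls line such as: kMDItemVersion = "18.12.416"
parse_mdls_version() {
    printf '%s\n' "$1" | sed -n 's/^kMDItemVersion *= *"\(.*\)"$/\1/p'
}

# Exact string match against the list, so 18.12.41 does not match 18.12.416.
is_vulnerable_version() {
    local v
    for v in $VULNERABLE_VERSIONS; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

# Print one line per bundle found; return 1 if any needs remediation or review.
evaluate() {
    local dir app version status=0
    for dir in "$@"; do
        app="${dir%/}/$APP_BUNDLE"
        [ -d "$app" ] || continue
        version=$(parse_mdls_version "$(mdls -name kMDItemVersion "$app" 2>/dev/null)")
        if [ -z "$version" ]; then
            # mdls can report (null) for unindexed paths; fail closed for manual review.
            echo "UNKNOWN $app"
            status=1
        elif is_vulnerable_version "$version"; then
            echo "VULNERABLE $version $app"
            status=1
        else
            echo "OK $version $app"
        fi
    done
    return $status
}

# Scan the locations named on this page only when invoked with --scan.
if [ "${1:-}" = "--scan" ]; then
    evaluate / /Applications "$HOME/Applications" "$HOME/Desktop"
    exit $?
fi
```

When a script runs as root, $HOME resolves to root's home directory, so per-user Applications and Desktop folders have to be passed to evaluate explicitly.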
The 3CX client application no longer checks for or installs automatic updates. The application remains on its current version until you deploy an update through your managed software distribution process. Users continue using 3CX for calls, conferences, and chat without interruption.
Users do not see update prompts or notifications from the 3CX client. The application operates normally on its current version without attempting to download or install updates. Users can focus on their work without unexpected update interruptions.
You control when 3CX client updates occur. You can test new versions, coordinate updates with PBX maintenance, and schedule deployments during times that minimize business impact. Users receive advance notice through your organization's change management communications.
The setting persists across application restarts and system reboots. 3CX will not automatically re-enable updates. If you want to update the 3CX client, deploy the new version through your managed software distribution system using an MSI package, PKG installer, or your preferred deployment method.
Run this Worklet on a pilot macOS endpoint and review evaluation output for disable 3cx unattended-upgrades.
Confirm Automox activity logs show successful completion and exit code 0.
Verify endpoint state using checks aligned to evaluation script logic, such as shopt, exit.
Validate remediation effects from script operations such as shopt, pgrep, rm, then rerun evaluation for compliance.


Consider Worklets your easy button
A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
