Disable 3CX Unattended Upgrades (Linux)

What the 3CX unattended-upgrades disabler does

This Automox Worklet™ responds to the 3CX supply chain attack that was discovered in March 2023. The attack compromised 3CX Desktop application installers with malicious code. This Worklet stops the unattended-upgrades service to prevent further automated updates and removes potentially infected installer files from 3CX PBX servers.

The Worklet targets the Electron-based desktop application files stored on 3CX PBX servers at /var/lib/3cxpbx/Instance1/Data/Http/electron/. It removes DMG and ZIP files for macOS clients, and MSI and NUPKG files for Windows clients.

Why disable 3CX unattended-upgrades

3CX Phone System's automatic update mechanism can install new versions during business hours, causing unexpected service disruptions that drop active calls, disconnect users from conferences, and interrupt customer service operations. Uncontrolled updates introduce risk when call centers, support teams, or sales organizations depend on consistent telephony service without surprise maintenance windows.

Enterprise change management policies require testing updates in non-production environments before deploying to production systems. Automatic 3CX updates bypass this testing process, potentially introducing bugs, incompatibilities, or configuration issues that were not validated in your specific environment. You need control over update timing to coordinate testing, user notification, and scheduled maintenance windows.

3CX updates sometimes change configuration options, modify API behaviors, or introduce new features that conflict with existing integrations, custom scripts, or third-party connectors. When these updates install automatically, they can break workflows that depend on specific 3CX behaviors, creating troubleshooting challenges that could have been avoided through controlled update testing.

Security teams want visibility into all software updates that occur on managed systems. Automatic updates that happen outside your patch management workflow create blind spots in your change audit trail. Compliance frameworks require documented change control processes that automatic updates circumvent.

How 3CX remediation works

1. Evaluation phase: Always triggers remediation (exit 1) because this is a run-once response action for incident containment.

2. Remediation phase: Stops the unattended-upgrades service with systemctl stop, logs the current state of desktop application files to /root/3cx-desktop-versions.log, then removes .dmg, .zip, .msi, and .nupkg files from the 3CX Electron directories for both macOS and Windows client installers.

3CX remediation requirements

• Linux servers running 3CX PBX with files at /var/lib/3cxpbx/Instance1/

• Root privileges for the Automox agent

• systemctl available for service management

• Review /root/3cx-desktop-versions.log after execution for incident response

Expected state after 3CX remediation

The 3CX automatic update mechanism is disabled. The 3CX Phone System no longer downloads or installs updates automatically. The system remains on its current version until you manually initiate an update through the 3CX management interface or a controlled deployment process.

Your 3CX Phone System continues normal operation on its current version. Users can make calls, join conferences, access voicemail, and use all 3CX features. Call quality and system functionality remain unchanged. Only the automatic update process is affected.

You now control when 3CX updates occur. You can test updates in a development or staging environment first, schedule updates during maintenance windows, and coordinate updates with your change management process. Users receive advance notice of planned telephony maintenance.

The configuration change persists across system reboots. 3CX will not automatically re-enable updates. If you want to update 3CX in the future, you must manually trigger the update through the admin interface or use a deployment tool to push updates on your schedule.

How to validate disable 3cx unattended-upgrades changes

1. Run this Worklet on a pilot Linux endpoint and review evaluation output for disable 3cx unattended-upgrades.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as exit.

4. Validate remediation effects from script operations such as systemctl, cd, ls, then rerun evaluation for compliance.