The Latest Security Changes in WMS 6 and WMS 7
This document provides an overview of the latest significant security changes in WMS 6 and WMS 7.
Created: June 2025
Updated: September 2025
Permalink: https://wildix.atlassian.net/wiki/x/AQATTw
Introduction
Starting from WMS versions 6.10.20250609.6 and 7.02.20250609.3, a number of security changes were introduced. These changes represent an essential step in aligning Wildix PBX with current security best practices. As threats in the unified communications industry continue to evolve, we are taking strong measures to ensure your infrastructure remains protected, scalable, and resilient.
Mandatory 2FA for Admin
Mandatory 2FA was introduced for root admins to enhance protection of admin accounts and strengthen PBX management security.
For instructions on how to access PBX with 2FA, check out this guide: How to get access to PBX with 2FA for root admins.
API Tokens Expiration Policy
All new Server to Server, OAuth 2.0 and Simple tokens now expire within a maximum of 12 months, in line with current industry standards. When creating a new token, you now need to set its expiration period.
Note: Existing tokens without an expiration date will be automatically revoked on September 1, 2025.
Actions required:
Review integrations and rotate any tokens generated with WMS versions prior to those listed above to maintain system security.
If your deployment includes 3rd-party SIP devices, we recommend rotating those SIP passwords. For systems using only Wildix devices or apps, SIP password rotation was performed automatically.
Deprecation of Scheduled Backups to FTP
With the upgrade, the ability to send backups via FTP/SFTP was disabled to improve system security. The feature can no longer be re-enabled.
Actions required:
It is recommended to delete any previously stored backups from FTP servers and reset credentials.
Use available alternatives for scheduled backups:
Secure SMTP email delivery
CDS (Company Data Storage)
Forced Auto Upgrade
PBXes not running the latest version will be forced to upgrade, with the schedule starting from September 1, 2025. The schedule will be shared in advance.
Disabled Basic Auth for Root Admin
To prevent unauthorized access, Basic Auth for root admin users was disabled.
Note:
For PBXs that used Basic Auth within the past month, it will remain enabled after the upgrade.
If you need to enable Basic Auth, you can do so manually by adding the following parameter to the /rw2/etc/env.custom.ini file:
ALLOW_BASIC_AUTH=true
Disabled SSH on some Cloud PBXs
By default, direct access to the SSH port on Cloud PBXs is disabled for security reasons. However, it can be enabled via WMP.
For systems where the SSH port was enabled but the PBX was either not accessed via SSH at all or accessed fewer than four times during May 2025, the SSH option was automatically disabled in June 2025 as a security measure.
You can re-enable SSH via WMP whenever required. For instructions, refer to this guide (see the section “Enable SSH port on Cloud PBXs”).