Skip to Content

3CX in 2026: The V20 Migration, the April Fair-Use Deadline, and the CDR Data Risk Nobody Mentions

July 6, 2026 by
3CX in 2026: The V20 Migration, the April Fair-Use Deadline, and the CDR Data Risk Nobody Mentions
Earl Rusnak

If you run 3CX and you've been putting off dealing with the V20 migration, the licensing changes, or both, there are two separate deadlines worth knowing about, plus one technical detail about how 3CX-hosted plans handle your call records that most reviews don't mention. This article covers what's actually changed, why, and what a realistic migration path looks like.

What actually happened in 2023, and why it still matters

In March 2023, 3CX disclosed that its desktop application for both Windows and macOS had been compromised with malicious code, in an incident serious enough that the company urged customers to uninstall the app entirely and switch to its browser-based PWA client. 3CX brought in Mandiant, the Google-owned incident response firm, to investigate. The findings, released weeks later, were unusual enough that Mandiant's own CTO, Charles Carmakal, called them significant: this was the first documented case of one software supply chain attack leading to another.

The root cause traced back to a 3CX employee who had downloaded a tampered installer for X_Trader, unrelated financial trading software, from the legitimate Trading Technologies website. That installer had itself been compromised by a threat actor Mandiant assessed with high confidence to have a North Korean nexus (tracked as UNC4736, believed linked to the Lazarus Group). Once the employee's machine was compromised, the attackers used stolen credentials to move laterally into 3CX's build environment and plant malware directly into the legitimate 3CX Desktop App — meaning the malicious code shipped to customers came from 3CX's own official software, not a phishing email or a third-party download.

3CX has more than 600,000 customer organizations and over 12 million daily users, according to the company's own figures. Post-breach, 3CX invested in new security processes, including binary scanning through ReversingLabs, static analysis tooling, and a HackerOne bug bounty program. Community discussion on 3CX's own user forums (r/3CX on Reddit) has speculated that post-breach security concerns are part of what drove the company's aggressive timeline for forcing customers off the older V18 platform entirely.

The V18 to V20 migration, and why it's been rough

3CX ended activation for V18 entirely, effectively forcing all customers onto V20 whether they were ready or not. Independent practitioner reports — including one from an IT provider managing roughly 135 client deployments — describe the migration itself as mechanically smooth but flag real UI regressions and feature removals along the way. For partners and internal IT teams managing the cutover, the forced timeline left limited room to plan around it.

Two 2026 deadlines you need to know about

3CX confirmed pricing adjustments effective the end of January 2026, described by the company as "an adjustment, nothing big... not to all prices" — but the more consequential change is the new extension fair-use policy tied to Simultaneous Call (SC) licensing:

  • Since V20 Update 8: the system displays informational warnings if a deployment exceeds fair-use extension limits.
  • January 1, 2026: license renewals for over-limit systems began showing warnings that the license must be upgraded or extensions reduced during 2026.
  • April 1, 2026: official enforcement begins. Systems still out of compliance get a grace period, but continued non-compliance risks losing access to technical support entirely.

3CX states that fewer than 15% of licenses currently exceed fair-use limits. If your business is one of them, or you're not certain, this is worth checking now rather than after enforcement takes effect.

The detail most reviews skip: CDR data loss on hosted plans

If you're on 3CX-hosted (rather than self-hosted) specifically to avoid managing your own server, there's a technical limitation worth knowing before you renew: hosted plans lose access to the Call Flow Designer for custom routing, and call detail record (CDR) data runs through an IP socket connection. If that socket drops, call data generated during the downtime is gone permanently — a 3CX developer has confirmed this directly in the company's own community forums. For any business that needs complete call records for compliance, billing disputes, or reporting, this is a real limitation, not a hypothetical edge case.

The support cost that adds up during a migration

3CX's support model runs $75 per ticket with a two-day response window. That's manageable for routine issues, but self-hosted teams navigating a major version migration commonly burn through multiple tickets working through upgrade problems — real, direct cost on top of the staff time already going into the migration itself.

What we hear most from businesses evaluating a move

The SC-based licensing model that makes 3CX attractive at moderate user counts (paying for simultaneous calls rather than total users) is also what makes a licensing miscalculation expensive to discover after the fact — underestimate your SC count and calls hit busy signals during your busiest hours. Combined with the April 2026 fair-use enforcement deadline, the forced V20 migration already behind you, and the CDR data risk on hosted plans, a lot of 3CX customers are simply re-evaluating whether the platform still fits, independent of whether they've had a bad experience with it specifically.

What migrating to VoIP International actually looks like

We operate our own platform with direct carrier contracts — not a licensing model tied to simultaneous call counts that requires careful capacity planning to avoid busy signals or overpaying. Pricing is published and flat per-user, not per-SC. Migration runs on a dual-line basis so inbound calls are never dropped during cutover, and number porting is a flat $15 per number, both directions, with no exit penalties if you ever decide to leave. See our full 3CX replacement guide for hosted vs. self-hosted specific migration paths.

Frequently asked questions

Do I need to migrate off 3CX immediately?

Not necessarily. If your deployment is within fair-use extension limits and you're not affected by the CDR data risk (self-hosted deployments aren't), there's no forced deadline to leave. The April 1, 2026 enforcement date matters specifically if your license exceeds fair-use limits.

Is the 2023 breach still a reason to be concerned in 2026?

3CX has publicly documented significant post-breach security investment, including third-party binary scanning and a bug bounty program. The breach itself is not an ongoing risk three years later. It is, however, part of the documented context for why the V18-to-V20 migration timeline was as aggressive as it was.

What happens if my 3CX license is over the fair-use limit and I do nothing?

Per 3CX's published enforcement timeline, systems still out of compliance after April 1, 2026 get a grace period, but continued non-compliance risks losing access to technical support.

Does switching away from 3CX mean losing our call history?

That depends entirely on your current setup and export process, not on the provider you switch to. If you are on 3CX-hosted, export and archive your CDR data before any transition, given the IP-socket data-loss risk described above.

Talk through your specific situation

Tell us your current SC count, extension count, and whether you're self-hosted or 3CX-hosted, and we'll give you a straight read on whether the fair-use enforcement affects you and what a migration would actually involve.

Sources referenced in this article: Mandiant/Google Cloud technical analysis of the 3CX supply chain compromise; Krebs on Security; TechCrunch; CyberScoop; The Register; ReversingLabs; 3CX official company blog (pricing adjustment announcements, January 2026); 3CX community forums; independent 3CX pricing and migration analysis, 2026.

Why 95% of Call Centers Do QA, But Only 17% of Agents Think It Works