CVE-2024-58294

High CVSS: 8.7

FreePBX 16 contains an authenticated remote code execution vulnerability in the API module that allows attackers with valid session credentials to execute arbitrary commands. Attackers can exploit the 'generatedocs' endpoint by crafting malicious POST requests with bash command injection to establish remote shell access.

Vendor

Sangoma

Product

Freepbx

CWE

CWE-78

Yayın Tarihi

2025-12-11 22:15:50

Güncelleme

2025-12-15 17:10:56

Source Identifier

disclosure@vulncheck.com

KEV Date Added

Kategoriler

CWE-78 Freepbx HIGH Sangoma 2025

Referanslar

https://www.exploit-db.com/exploits/52031 https://www.freepbx.org/ https://www.vulncheck.com/advisories/freepbx-authenticated-remote-code-execution-via-api-module https://www.youtube.com/watch?v=rqFJ0BxwlLI

Benzer Kayıtlar

High

CVE-2026-28287

FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5,…

High

CVE-2026-28209

FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5,…

High

CVE-2026-28210

FreePBX is an open source IP PBX. Prior to versions 16.0.49 and 17.0.7, FreePBX module cdr (Call Data Record) is vulnera…

High

CVE-2026-28284

FreePBX is an open source IP PBX. Prior to versions 16.0.10 and 17.0.5, the FreePBX logfiles module contains several aut…

Low

CVE-2025-55210

FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to 17.0.5 and 16.0.17, F…

Low

CVE-2026-23738

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1…