FreePBX Framework Module Authenticated Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in the FreePBX framework module, affecting versions from 17.0.19.11 up to, but not including, 17.0.21. An authenticated user of the Administrator Control Panel (ACP) can execute arbitrary shell commands on the PBX host by submitting a crafted value through the framework module's language settings; the value reaches a shell command without adequate sanitization, which is what makes it a command injection rather than a simple configuration error.

Impact

Exploitation allows an authenticated ACP user to execute arbitrary shell commands on the host running FreePBX, with the privileges of the web server process that serves the ACP. Since the ACP is the administrative interface of the PBX, this turns any ACP credential, including a phished or reused one, into operating-system-level access to the phone system.

Remediation

Update the framework module to FreePBX 17.0.21 or later. As defense in depth, restrict the Administrator Control Panel to trusted users, remove accounts that should not have access, and firewall the ACP's HTTP, HTTPS and GraphQL ports so that they are reachable only from trusted management networks.
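The following POSIX shell script is an added example, not part of this advisory or of the FreePBX project. It reads the installed module list from `fwconsole ma list`, extracts the framework module version, and reports whether it falls in the affected range 17.0.19.11 <= version < 17.0.21 given above. The table layout of `fwconsole ma list` embedded below is a constructed, representative sample (the `core` row and its version are invented) used when `fwconsole` is not on the PATH, so the script runs offline; the version comparison handles dotted versions of unequal length (17.0.21 vs 17.0.19.11), which a plain string comparison gets wrong.

```shell
#!/bin/sh
# Added example: check whether the installed FreePBX framework module is in
# the affected range reported in the advisory (17.0.19.11 <= v < 17.0.21).
# Not part of the advisory or of FreePBX itself.

AFFECTED_FROM=17.0.19.11   # first affected version (inclusive)
FIXED_IN=17.0.21           # first fixed version (exclusive upper bound)

# Constructed sample of `fwconsole ma list` output, used only when the real
# command is unavailable. The `core` row and its version are invented.
SAMPLE_MA_LIST='
+----------------------+-----------------+-------------+----------------+
| Module               | Version         | Status      | License        |
+----------------------+-----------------+-------------+----------------+
| framework            | 17.0.19.11      | Enabled     | GPLv2+         |
| core                 | 17.0.10         | Enabled     | GPLv3+         |
+----------------------+-----------------+-------------+----------------+'

# vercmp A B: print -1, 0 or 1 according to whether dotted numeric version
# A is less than, equal to, or greater than B. Missing components count as 0,
# so 17.0.21 is compared as 17.0.21.0 and sorts above 17.0.19.11.
vercmp() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 4 ]; do
        # Trailing dots guarantee cut sees a delimiter even for short versions.
        x=$(printf '%s...' "$a" | cut -d. -f"$i")
        y=$(printf '%s...' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# is_affected VERSION: succeed (exit 0) if VERSION is in the affected range.
is_affected() {
    [ "$(vercmp "$1" "$AFFECTED_FROM")" -ge 0 ] && \
    [ "$(vercmp "$1" "$FIXED_IN")" -lt 0 ]
}

# framework_version_from_list: read `fwconsole ma list` table on stdin and
# print the version column of the row whose module column is "framework".
framework_version_from_list() {
    awk -F'|' '{
        gsub(/[ \t]/, "", $2); gsub(/[ \t]/, "", $3)
        if ($2 == "framework") print $3
    }'
}

# Top-level audit: prefer the live module list, fall back to the sample.
if command -v fwconsole >/dev/null 2>&1; then
    ver=$(fwconsole ma list 2>/dev/null | framework_version_from_list)
else
    ver=$(printf '%s\n' "$SAMPLE_MA_LIST" | framework_version_from_list)
fi

if [ -z "$ver" ]; then
    echo "could not determine framework module version"
elif is_affected "$ver"; then
    echo "framework $ver is AFFECTED: run 'fwconsole ma upgrade framework' to reach $FIXED_IN or later"
else
    echo "framework $ver is outside the affected range"
fi
```

Run it as root on the PBX host so that `fwconsole` can read the module database; the remediation command it suggests, `fwconsole ma upgrade framework`, is the standard FreePBX module upgrade path and should be followed by a check that the ACP ports are not exposed beyond the management network.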

Added: Sep 15, 2025, 10:15 PM
Updated: Sep 15, 2025, 10:15 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 10.0
exploitability: 4.9
remediation: 7.9
relevance: 0.5
threat: 0.0
urgency: 1.4
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.