FreePBX Endpoint Manager Authenticated OS Command Injection Vulnerability
Vulnerability
A vulnerability in the FreePBX Endpoint Manager module's Network Scanning feature allows authenticated users to execute operating system commands as the asterisk user. This issue arises from insufficient input sanitization of user-supplied data, enabling command injection through the web-based interface that integrates nmap functionality for network device discovery. The vulnerability affects Endpoint Manager versions 16 prior to 16.0.92 and 17 prior to 17.0.6.
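The root cause described above is a shell command assembled from user-supplied scan input. The following is an added illustration, not code from FreePBX or the Endpoint Manager module, of how a network-scan wrapper can be written so that the input can never reach a shell: the target is validated against a strict IPv4 host/CIDR shape, and nmap is started with an argv array instead of a command string. The nmap path, the flags used, and the function names are assumptions made for this example.

```php
<?php
// Added example (not FreePBX code): hardened wrapper around nmap host discovery.
// Assumptions: nmap lives at /usr/bin/nmap (hypothetical path) and the only
// legitimate targets are a single IPv4 address or an IPv4 CIDR range.

/**
 * Return the canonical target string, or null if the input is not an
 * IPv4 address optionally followed by /0-32. Anything else (hostnames,
 * option-like strings starting with '-', shell metacharacters) is rejected.
 */
function validateScanTarget(string $input): ?string
{
    $parts = explode('/', trim($input), 2);
    $host = $parts[0];
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    if (isset($parts[1])) {
        if (!ctype_digit($parts[1])) {
            return null;
        }
        $prefix = (int) $parts[1];
        if ($prefix > 32) {
            return null;
        }
        return $host . '/' . $prefix;
    }
    return $host;
}

/**
 * Run a ping-sweep style discovery against a validated target and return
 * exit status plus captured output.
 */
function runHostDiscovery(string $target): array
{
    $validated = validateScanTarget($target);
    if ($validated === null) {
        throw new InvalidArgumentException('Rejected scan target: expected IPv4 host or CIDR');
    }

    // The defect class on this page comes from building one shell string, e.g.
    //   shell_exec("nmap -sn " . $target);
    // and letting /bin/sh interpret whatever metacharacters $target contains.
    // Passing an argv array to proc_open (PHP >= 7.4) bypasses the shell, so the
    // target is delivered to nmap as exactly one argument.
    $cmd = ['/usr/bin/nmap', '-sn', '-oG', '-', $validated];
    $descriptors = [
        1 => ['pipe', 'w'], // stdout
        2 => ['pipe', 'w'], // stderr
    ];
    $proc = proc_open($cmd, $descriptors, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('Could not start nmap');
    }
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);

    return ['status' => $status, 'stdout' => $stdout, 'stderr' => $stderr];
}

// Usage: the first call is accepted, the second is refused before nmap runs.
var_dump(validateScanTarget('192.168.1.0/24'));   // string(14) "192.168.1.0/24"
var_dump(validateScanTarget('192.168.1.1; id'));  // NULL
```

Both layers matter: the argv array removes the shell from the path entirely, and the allowlist validation additionally stops the input from being read by nmap itself as an option or as one of its many alternative target syntaxes. Neither replaces the vendor update; the process still runs with whatever privileges the web application has, which on this page is the asterisk user.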
Impact
Exploitation of this vulnerability allows for authenticated operating system command execution as the asterisk user.
Remediation
Users should update to FreePBX Endpoint Manager version 16.0.92 or 17.0.6 to address this vulnerability. It is also recommended to restrict access to the FreePBX Admin Control Panel (ACP) to trusted users, remove accounts that should not have access, and firewall the FreePBX ACP HTTP, HTTPS, and GraphQL ports.
