FreePBX Unauthenticated Denial-of-Service Vulnerability via Module Uninstallation

Vulnerability

A denial-of-service vulnerability has been identified in FreePBX versions 15, 16, and 17. Unauthenticated connections to the Administrator Control Panel can trigger the uninstallation function for certain modules. Uninstalling a module drops its database tables, which typically hold that module's configuration data. The vulnerability exists because the AJAX handler for module management lacks authentication and proper validation of the requested action.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition by causing the uninstallation of modules, which can disrupt normal operations and require manual reinstallation and configuration recovery from backups.

Remediation

Users can update FreePBX to the latest version. For version 15, the patched version is 15.0.38; for version 16, it is 16.0.41; and for version 17, it is 17.0.21. After updating, any missing modules should be reinstalled and their data recovered from backups if necessary.
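The remediation above is a per-branch version threshold, which is easy to get wrong when comparing version strings lexically. The following is an added example (not code from FreePBX or from the advisory's author) that parses an installed version string, or a version banner line such as one printed by a CLI tool, and reports whether the branch is at or above the fixed release named in this advisory. The banner line used at the bottom is constructed sample input; the FIXED_VERSIONS table is taken directly from the remediation text.

```python
import re

# Fixed releases per major branch, as stated in the advisory.
FIXED_VERSIONS = {
    15: (15, 0, 38),
    16: (16, 0, 41),
    17: (17, 0, 21),
}


def parse_version(version):
    """Turn 'MAJOR.MINOR.PATCH[...]' into a 3-tuple of ints.

    Trailing non-numeric suffixes on a component (e.g. '38-1') are ignored,
    extra dotted components beyond the third are dropped, and missing
    components are treated as 0 so the tuple always compares cleanly.
    """
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group(0)))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def assess(version):
    """Classify a version as 'patched', 'vulnerable', or 'unknown-branch'.

    Tuple comparison is numeric per component, so 16.0.9 < 16.0.41 is
    handled correctly (a plain string compare would say the opposite).
    """
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        # Branches not covered by the advisory (e.g. 14.x) are not assessed.
        return "unknown-branch"
    return "patched" if parsed >= fixed else "vulnerable"


def assess_banner(line):
    """Extract the first dotted version from a banner line and assess it.

    Returns None when no MAJOR.MINOR.PATCH pattern is present.
    """
    match = re.search(r"\d+\.\d+\.\d+", line)
    if not match:
        return None
    return assess(match.group(0))


if __name__ == "__main__":
    # Constructed sample banner; the exact wording of a real tool's output
    # is an assumption, which is why only the dotted version is extracted.
    sample_banner = "FreePBX Framework version 16.0.40"
    print(sample_banner, "->", assess_banner(sample_banner))
    for v in ("15.0.37", "15.0.38", "17.0.21", "14.0.13"):
        print(v, "->", assess(v))
```

Run it against the output of whatever command reports the framework version on the host; anything reported as "vulnerable" should be upgraded to the listed release, after which the module inventory should be compared against a known-good backup to spot anything that was uninstalled.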

Added: Sep 15, 2025, 10:15 PM
Updated: Sep 15, 2025, 10:15 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 2.5
exploitability: 8.4
remediation: 8.3
relevance: 0.5
threat: 3.2
urgency: 10.0
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.