FreePBX TTS Module SQL Injection Vulnerability Allowing Code Execution

Vulnerability

A SQL injection vulnerability has been identified in the FreePBX Text to Speech (TTS) module, affecting FreePBX versions prior to 16.0.5 and 17.0.5. This vulnerability allows authenticated users with administrative access to the Administrator Control Panel (ACP) to manipulate SQL queries. Exploitation of this vulnerability could lead to unauthorized access to sensitive database information and the execution of code on the system as the 'asterisk' user, with potential escalation to 'root' privileges.

Impact

Exploitation of this vulnerability could result in unauthorized database access, execution of arbitrary code on the system as the 'asterisk' user, and escalation of privileges to 'root'.

Remediation

Users are advised to update the FreePBX TTS module to version 16.0.5 or 17.0.5.
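To confirm whether a host still needs this update, the following added example (not part of the original advisory or of FreePBX) compares an installed TTS module version against the fixed releases 16.0.5 and 17.0.5. The function names, the module name `tts`, the column layout of `fwconsole ma list` and the sample output are assumptions made for the example. Versions below the 16 branch are treated as affected, following the advisory's "prior to 16.0.5" wording.

```shell
# Added example: is the installed TTS module older than the fixed releases
# named in this advisory (16.0.5 and 17.0.5)?

# ver_lt A B: succeed if dotted numeric version A is lower than B.
ver_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a= || a=${a#*.}
        [ "$b" = "$y" ] && b= || b=${b#*.}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# tts_status VERSION: print vulnerable, fixed or unknown.
tts_status() {
    v=$1
    case $v in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    major=${v%%.*}
    if [ "$major" -gt 17 ]; then
        echo unknown                 # branch not covered by the advisory
    elif [ "$major" -eq 17 ]; then
        if ver_lt "$v" 17.0.5; then echo vulnerable; else echo fixed; fi
    elif ver_lt "$v" 16.0.5; then    # 16.x and older: "prior to 16.0.5"
        echo vulnerable
    else
        echo fixed
    fi
}

# Print the version column for module "tts" from `fwconsole ma list` output
# on stdin (assumed layout: | Module | Version | Status | License |).
tts_version_from_list() {
    awk -F'|' '{ gsub(/ /, "", $2); gsub(/ /, "", $3) }
               $2 == "tts" { print $3; exit }'
}

# Constructed sample output, so the example runs offline.
SAMPLE_LIST='| Module | Version | Status  | License |
| core   | 16.0.68 | Enabled | GPLv3+  |
| tts    | 16.0.4  | Enabled | GPLv3+  |'

# On a live system: fwconsole ma list | tts_version_from_list
installed=$(printf '%s\n' "$SAMPLE_LIST" | tts_version_from_list)
echo "tts $installed: $(tts_status "$installed")"
```

A result of `unknown` means the version string did not parse or belongs to a branch this advisory does not mention, and should be checked by hand.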

Added: Dec 16, 2025, 1:24 AM
Updated: Dec 16, 2025, 1:24 AM

Vulnerability Rating

Custom Algorithm

Spread: 0.0
Impact: 7.5
Exploitability: 4.8
Remediation: 7.7
Relevance: 1.5
Threat: 0.0
Urgency: 2.9
Incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.