FreePBX
cpe:2.3:a:freepbx:freepbx:*:*:*:*:*:*:*
- >= 16.0.17.2, < 16.0.20
- >= 17.0.2.4, < 17.0.5
A command injection vulnerability allowing remote code execution has been identified in FreePBX versions 16.0.17.2 prior to 16.0.20 and 17.0.2.4 prior to 17.0.5. The issue arises in the recordings module when the ElevenLabs Text-to-Speech engine is used: user-controlled input is passed unsanitized into a shell command executed via 'exec()', so an authenticated attacker can run arbitrary commands on the FreePBX server. The vulnerable code is reachable through an AJAX endpoint in the System Recordings module, so it affects any user with access to the recordings functionality.
Exploitation of this vulnerability allows authenticated users to execute arbitrary shell commands on the FreePBX server, potentially leading to remote access as the asterisk user.
Users can update the recordings module to the latest version. It is also recommended to ensure that only authorized users have access to the FreePBX Administration Control Panel, and to deny access from hostile networks using the FreePBX Firewall module.
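The following PHP is an added example, not FreePBX's own code, illustrating the bug class named above (request text reaching a shell string that exec() runs) next to the two fixes a maintainer would apply: quoting every user-derived value with escapeshellarg(), or avoiding the shell entirely with proc_open()'s argv-array form (PHP 7.4 and later). The "tts-cli" program, the function names and the sample text are assumptions made for the example; printf stands in for the synthesizer so the block runs offline.

```php
<?php
// Added example (not FreePBX's code): the bug class from the advisory,
// user text reaching a shell command via exec(), beside two fixes.
// "tts-cli" is a hypothetical text-to-speech command-line tool.

declare(strict_types=1);

/** VULNERABLE pattern: request text interpolated into the shell string.
 *  Any shell metacharacter in $text (quotes, ;, |, $(), backticks) is
 *  parsed by /bin/sh when exec() runs the string. Only built here, never run. */
function buildCommandUnsafe(string $text, string $outFile): string
{
    return "tts-cli --text \"$text\" --out \"$outFile\"";
}

/** FIX 1: each user-derived value becomes exactly one single-quoted argument. */
function buildCommandSafe(string $text, string $outFile): string
{
    return 'tts-cli --text ' . escapeshellarg($text)
         . ' --out ' . escapeshellarg($outFile);
}

/** FIX 2 (preferred on PHP >= 7.4): no shell at all. proc_open() with an
 *  argv array executes the program directly, so metacharacters are inert.
 *  Returns [exit code, stdout]. */
function runWithoutShell(array $argv): array
{
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    $stdout = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return [proc_close($proc), $stdout];
}

/** Input validation belongs in front of either fix: bound the text length
 *  and require the server-chosen file name to have the expected shape. */
function validateTtsInput(string $text, string $outFile): void
{
    if ($text === '' || strlen($text) > 2000) {
        throw new InvalidArgumentException('text length out of range');
    }
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.wav$/', $outFile)) {
        throw new InvalidArgumentException('unexpected output file name');
    }
}

// Constructed input: ordinary punctuation a caller might legitimately submit,
// several characters of which are shell syntax in the unsafe form.
$text = "It's 5 o'clock & \"done\"; call back later";
$out  = 'greeting-1.wav';
validateTtsInput($text, $out);

echo "unsafe: ", buildCommandUnsafe($text, $out), PHP_EOL;
echo "safe:   ", buildCommandSafe($text, $out), PHP_EOL;

// Show that the shell-free path delivers the text as a single argument:
// printf stands in for tts-cli and echoes exactly what it was handed.
[$rc, $echoed] = runWithoutShell(['printf', '%s', $text]);
if ($rc !== 0 || $echoed !== $text) {
    throw new RuntimeException('argument was altered on the way to the program');
}
echo "argv path received: ", $echoed, PHP_EOL;
```

Printing the two command strings side by side is the quickest way to review a fix for this class: in the unsafe form the double quotes inside the text close the argument early and the semicolon starts a new command, while the escapeshellarg() form keeps the whole text inside one single-quoted token. The argv form is stronger still because there is no shell to parse anything, which is why it is the better target for a patch to the recordings module.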