CVE-2012-4869

EXPLOITED IN THE WILD

FreePBX < 2.10 - Remote Code Execution via callmenum Parameter

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2012-4869 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 5 public exploits from researchers including Metasploit, muts, Martin Tschirsich, including a Metasploit module exploits/unix/http/freepbx_callmenum.

AI-analyzed exploit summary This Metasploit module exploits a code injection vulnerability in FreePBX versions 2.10.0 and 2.9.0 via the 'callmenum' parameter in callme_page.php, allowing remote command execution. It iterates over a range of extensions to trigger the payload.

Description

The callme_startcall function in recordings/misc/callme_page.php in FreePBX 2.9, 2.10, and earlier allows remote attackers to execute arbitrary commands via the callmenum parameter in a c action.

Exploits (5)

exploitdb WORKING POC VERIFIED
by Metasploit · rubywebappsphp
https://www.exploit-db.com/exploits/18659

This Metasploit module exploits a code injection vulnerability in FreePBX versions 2.10.0 and 2.9.0 via the 'callmenum' parameter in callme_page.php, allowing remote command execution. It iterates over a range of extensions to trigger the payload.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: FreePBX 2.10.0, 2.9.0
No auth needed
Prerequisites: Knowledge of valid extension numbers or a range to brute-force
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by muts · pythonwebappsphp
https://www.exploit-db.com/exploits/18650

This exploit targets a pre-authenticated remote code execution vulnerability in FreePBX and Elastix by injecting a reverse shell payload via a malformed URL parameter. The payload leverages Perl to establish a reverse shell connection to the attacker's specified host and port.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: FreePBX 2.10.0/2.9.0, Elastix 2.2.0
No auth needed
Prerequisites: Network access to the target system · Target system must be running a vulnerable version of FreePBX or Elastix
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Martin Tschirsich · textwebappsphp
https://www.exploit-db.com/exploits/18649

This exploit demonstrates a remote command execution (RCE) vulnerability in FreePBX due to missing input sanitization in the `callme_page.php` file, allowing arbitrary system commands to be executed via crafted HTTP requests. It also includes multiple XSS vulnerabilities in various endpoints.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: FreePBX 2.10.0, 2.9.0 and earlier
No auth needed
Prerequisites: Network access to the target FreePBX instance
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by cyberdesu · remote
https://github.com/cyberdesu/Elastix-2.2.0-CVE-2012-4869

This exploit targets a Local File Inclusion (LFI) vulnerability in Elastix 2.2.0 (CVE-2012-4869) to achieve remote code execution (RCE) via command injection in the callme_page.php endpoint. It uses a Perl reverse shell payload and bypasses TLS certificate verification.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Elastix 2.2.0
No auth needed
Prerequisites: Network access to the target · Perl installed on the target system · Netcat listener set up on attacker machine
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC MANUAL
by muts, Martin Tschirsich · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/http/freepbx_callmenum.rb

This Metasploit module exploits a code injection vulnerability in FreePBX versions 2.10.0 and 2.9.0 via the 'callmenum' parameter in callme_page.php, allowing remote command execution. The exploit sends a crafted HTTP GET request with a payload encoded in the URI to trigger the vulnerability.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: FreePBX 2.10.0, 2.9.0
No auth needed
Prerequisites: Knowledge of a valid extension number or range · Target system must answer the call or route to voicemail
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (8)

Core 8
Core References
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/18649
Exploit, Third Party Advisory exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/18659
Mailing List mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2012/Mar/234
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/48463
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/52630
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/74174
Vendor Advisory x_refsource_confirm
http://www.freepbx.org/trac/ticket/5711

Scores

EPSS 0.8570
EPSS Percentile 99.4%

Details

VulnCheck KEV 2020-12-01
InTheWild.io 2023-02-15
CWE
CWE-94
Status published
Products (2)
sangoma/freepbx 2.9
sangoma/freepbx < 2.10
Published Sep 06, 2012
Tracked Since Feb 18, 2026