CVE-2014-1903

FreePBX <2.9.0.14, <2.10.1.15, <2.11.0.23, <12.0.1alpha22 - RCE

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2014-1903. PoCs have been published by Metasploit, 0x00string and i-Hmx, including the Metasploit module exploits/unix/webapp/freepbx_config_exec.

AI-analyzed exploit summary
This Metasploit module exploits FreePBX 2.9, 2.10 and 2.11 by naming an arbitrary PHP function in the 'function' parameter of '/admin/config.php' and passing that function's argument in 'args'. The module sends its payload as that argument and obtains unauthenticated remote code execution.

Description

admin/libraries/view.functions.php in FreePBX 2.9 before 2.9.0.14, 2.10 before 2.10.1.15, 2.11 before 2.11.0.23, and 12 before 12.0.1alpha22 does not restrict the set of functions accessible to the API handler, which allows remote attackers to execute arbitrary PHP code via the function and args parameters to admin/config.php.
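A practical first step is deciding whether a given FreePBX build falls below the fix for its branch. The following is an added Python example, not code from FreePBX or from any of the tracked exploits; it encodes the four fixed versions named in the description above and orders the 'alpha22' pre-release suffix correctly, which a naive numeric comparison does not. It assumes versions are reported in the dotted form the description uses; anything else (a distribution suffix such as '-1', for example) is rejected rather than guessed.

```python
import re
from typing import List, Optional, Tuple

# Fixed versions per affected branch, as stated in the CVE-2014-1903 description.
FIXED_IN = {
    (2, 9): "2.9.0.14",
    (2, 10): "2.10.1.15",
    (2, 11): "2.11.0.23",
    (12,): "12.0.1alpha22",
}

# A component is a number with an optional pre-release tag: "1", "1alpha22", "3rc1".
_COMPONENT = re.compile(r"^(\d+)(?:(alpha|beta|rc)(\d*))?$")
_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL = 3  # a final release sorts after any pre-release of the same number

Component = Tuple[int, int, int]


def parse_version(text: str) -> List[Component]:
    """Turn '12.0.1alpha22' into [(12,3,0), (0,3,0), (1,0,22)] so that plain tuple
    comparison orders alpha < beta < rc < final within one component."""
    parts: List[Component] = []
    for piece in text.strip().split("."):
        m = _COMPONENT.match(piece)
        if m is None:
            raise ValueError(f"unrecognised version component {piece!r} in {text!r}")
        number, stage, stage_number = m.groups()
        if stage is None:
            parts.append((int(number), _FINAL, 0))
        else:
            parts.append((int(number), _STAGE_RANK[stage], int(stage_number or 0)))
    return parts


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 like a classic cmp(); shorter versions are padded with final zeros,
    so '2.9' compares as '2.9.0.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += [(0, _FINAL, 0)] * (width - len(pa))
    pb += [(0, _FINAL, 0)] * (width - len(pb))
    return (pa > pb) - (pa < pb)


def branch_of(version: str) -> Optional[Tuple[int, ...]]:
    """Map a version onto the branch key used in FIXED_IN (a 2.x branch, or the 12 line)."""
    parts = parse_version(version)
    major = parts[0][0]
    if major == 12:
        return (12,)
    if major == 2 and len(parts) > 1:
        return (2, parts[1][0])
    return None


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version sits in an affected branch below its fix, False if it is at or
    above the fix, None if the branch is not one the advisory lists (e.g. 2.8)."""
    fixed = FIXED_IN.get(branch_of(version))
    if fixed is None:
        return None
    return compare_versions(version, fixed) < 0


if __name__ == "__main__":
    for v in ("2.11.0.22", "2.11.0.23", "12.0.1alpha21", "12.0.1alpha22", "12.0.1", "2.8.1.5"):
        print(f"{v:>14}: {is_vulnerable(v)}")
```

The None result is deliberate: a 2.8 or 13.x build is outside the advisory's scope, and reporting it as "not vulnerable" would be a claim the advisory does not make.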

Exploits (3)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · unix
https://www.exploit-db.com/exploits/32512

This Metasploit module exploits a vulnerability in FreePBX versions 2.9, 2.10, and 2.11 by injecting arbitrary PHP functions and commands via the 'function' and 'args' parameters in '/admin/config.php'. It sends a payload to achieve remote code execution.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Trivial
Reliability: Reliable
Target: FreePBX 2.9, 2.10, 2.11
Authentication: none needed
Prerequisites: Network access to the target FreePBX installation
Analysis: devstral-2, Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by @0x00string · perl · webapps · php
https://www.exploit-db.com/exploits/32214

This exploit targets CVE-2014-1903 in FreePBX versions 2.9-2.11 and 12, allowing remote command execution via the 'handler' and 'function' parameters in the admin interface. It constructs a malicious HTTP GET request to trigger arbitrary function execution.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Trivial
Reliability: Reliable
Target: FreePBX 2.9, 2.10, 2.11, 12
Authentication: none needed
Prerequisites: Network access to the FreePBX admin interface
Analysis: devstral-2, Feb 16, 2026

metasploit · WORKING POC · EXCELLENT
by i-Hmx, 0x00string · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/freepbx_config_exec.rb

This Metasploit module exploits a vulnerability in FreePBX versions 2.9, 2.10, and 2.11 by injecting arbitrary PHP functions and commands via the 'function' and 'args' parameters in the '/admin/config.php' endpoint.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Trivial
Reliability: Reliable
Target: FreePBX 2.9, 2.10, 2.11
Authentication: none needed
Prerequisites: Network access to the FreePBX admin interface
Analysis: devstral-2, Feb 16, 2026
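For detection, the request shape all three entries describe (a GET to /admin/config.php naming a PHP function in 'function' with its argument in 'args') is visible in ordinary web-server access logs. The following is an added Python example, not code from any of the tracked exploits or from FreePBX; it parses constructed Apache combined-format lines, flags config.php requests that carry a 'function' parameter, rates shell-spawning functions higher, and separately flags POSTs to the endpoint because a body-borne payload never reaches the access log. The value 'handler=api' in the sample lines is an assumption about the 'handler' parameter the page mentions, not a value taken from the page.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" format, not real traffic. Lines 2 and 3 carry
# the request shape the tracked exploits describe; 'handler=api' is assumed here as the value
# that selects the API handler.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Feb/2014:10:01:02 +0000] "GET /admin/config.php?display=extensions HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Feb/2014:10:01:05 +0000] "GET /admin/config.php?handler=api&function=system&args=id HTTP/1.1" 200 87 "-" "curl/7.35.0"
203.0.113.9 - - [18/Feb/2014:10:01:09 +0000] "GET /admin/config.php?handler=api&function=passthru&args=uname%20-a HTTP/1.1" 200 103 "-" "curl/7.35.0"
198.51.100.4 - - [18/Feb/2014:10:02:00 +0000] "GET /admin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [18/Feb/2014:10:02:30 +0000] "POST /admin/config.php HTTP/1.1" 200 64 "-" "python-requests/2.2.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# PHP functions that hand their argument to a shell or write to disk: one of these in
# 'function' against config.php is the exploit's fingerprint. Any other value is still
# reported, since the bug allowed arbitrary functions, just at a lower severity.
SHELL_FUNCTIONS = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open", "file_put_contents"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(line: str) -> Optional[Dict[str, str]]:
    """Return an alert dict for one access-log line, or None if it is not of interest."""
    rec = parse_line(line)
    if rec is None:
        return None
    url = urlsplit(rec["target"])
    if not url.path.endswith("/admin/config.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    alert = {"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"], "status": rec["status"]}
    if "function" in params:
        func = params["function"][0]
        alert.update(
            function=func,
            args=params.get("args", [""])[0],  # parse_qs URL-decodes, so %20 becomes a space
            severity="high" if func in SHELL_FUNCTIONS else "medium",
        )
        return alert
    if rec["method"] == "POST":
        # The same parameters can travel in a POST body, which the access log never records.
        # Report at low severity so the request can be pulled from a WAF or full-capture source.
        alert.update(function="", args="", severity="low")
        return alert
    return None


def scan(log_text: str) -> List[Dict[str, str]]:
    return [a for a in map(analyze, log_text.splitlines()) if a is not None]


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f'{a["severity"]:<6} {a["ip"]:<14} {a["method"]:<4} function={a["function"]!r} args={a["args"]!r}')
```

Both the 0x00string exploit and the Metasploit module are described above as sending GET requests, so the query string, including the function name and its argument, lands in the access log; when FreePBX sits behind a reverse proxy, run the scan over the proxy's log as well, since the backend log may only show the proxy's address.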

References (7 of 12 shown)

Third Party Advisory, VDB Entry (x_refsource_osvdb) · http://osvdb.org/103240
Various Sources (x_refsource_confirm) · http://code.freepbx.org/changelog/FreePBX_SVN?cs=16429
Third Party Advisory, mailing list (x_refsource_fulldisc) · http://archives.neohapsis.com/archives/fulldisclosure/2014-02/0111.html
Third Party Advisory, mailing list (x_refsource_fulldisc) · http://archives.neohapsis.com/archives/fulldisclosure/2014-02/0097.html
Vendor Advisory (x_refsource_confirm) · http://issues.freepbx.org/browse/FREEPBX-7123
Vendor Advisory (x_refsource_confirm) · http://issues.freepbx.org/browse/FREEPBX-7117
Third Party Advisory, VDB Entry, mailing list (x_refsource_bugtraq) · http://www.securityfocus.com/archive/1/531040/100/0/threaded

Scores

EPSS 0.8450 (estimated probability of exploitation activity in the next 30 days)
EPSS Percentile 99.3%

Details

CWE
CWE-264 (Permissions, Privileges, and Access Controls)
Status published
Products (4)
freepbx/freepbx 2.10
freepbx/freepbx 2.11
freepbx/freepbx 2.12
sangoma/freepbx 2.9
Published Feb 18, 2014
Tracked Since Feb 18, 2026