CVE-2014-9001

Incredible PBX 11 2.0.6.5.0 - Command Injection

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-9001. PoCs published by Simo Ben Youssef.

AI-analyzed exploit summary: This exploit targets a command injection vulnerability in Incredible PBX's reminders/index.php, leveraging unsanitized user input in the APPTMIN parameter to execute arbitrary commands as the asterisk user. It establishes a reverse shell using Python.

Description

reminders/index.php in Incredible PBX 11 2.0.6.5.0 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the (1) APPTMIN, (2) APPTHR, (3) APPTDA, (4) APPTMO, (5) APPTYR, or (6) APPTPHONE parameters.

Exploits (1)

exploitdb WORKING POC
by Simo Ben Youssef · perl · webapps · php
https://www.exploit-db.com/exploits/35080

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Incredible PBX 11 version 2.0.6.5.0
Auth required
Prerequisites: Network access to the target · Valid credentials for the 'maint' user (default: maint:password)
devstral-2 · analyzed Feb 16, 2026

References (1)

Core References
Exploit mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2014/Oct/101

Scores

EPSS 0.0620
EPSS Percentile 91.1%

Details

CWE: CWE-94
Status published
Products (1): incrediblepbx/incredible_pbx_11 2.0.6.5.0
Published Nov 20, 2014
Tracked Since Feb 18, 2026