CVE-2020-7351

HIGH

Fonality Trixbox Community Edition 1.2.0-2.8.0.4 - OS Command Injection via endpoint_devicemap.php

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-7351. PoCs were published by Anastasios Stasinopoulos (@ancst), including the Metasploit module exploits/unix/webapp/trixbox_ce_endpoint_devicemap_rce.

AI-analyzed exploit summary: This Metasploit module exploits an authenticated command injection vulnerability in TrixBox CE versions 1.2.0 to 2.8.0.4 via the 'network' parameter in endpoint_devicemap.php, allowing arbitrary command execution as the 'asterisk' user.

Description

An OS Command Injection vulnerability in the endpoint_devicemap.php component of Fonality Trixbox Community Edition allows an attacker to execute commands on the underlying operating system as the "asterisk" user. Note that Trixbox Community Edition has been unsupported by the vendor since 2012. This issue affects: Fonality Trixbox Community Edition, versions 1.2.0 through 2.8.0.4. Versions 1.0 and 1.1 are unaffected.

Exploits (1)

Metasploit · Working PoC · Excellent
by Anastasios Stasinopoulos (@ancst) · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/trixbox_ce_endpoint_devicemap_rce.rb

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: TrixBox CE 1.2.0 to 2.8.0.4
Auth required
Prerequisites: Valid credentials for TrixBox CE · Network access to the target
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://github.com/rapid7/metasploit-framework/pull/13353

Scores

CVSS v3: 7.3
EPSS: 0.6521
EPSS Percentile: 99.2%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Details

CWE: CWE-78
Status: published
Products (1): netfortris/trixbox 1.2.0 - 2.8.0.4
Published: May 01, 2020
Tracked Since: Feb 18, 2026