CVE-2024-58294

HIGH

Sangoma Freepbx - OS Command Injection

Title source: rule

Description

FreePBX 16 contains an authenticated remote code execution vulnerability in the API module that allows attackers with valid session credentials to execute arbitrary commands. Attackers can exploit the 'generatedocs' endpoint by crafting malicious POST requests with bash command injection to establish remote shell access.

Exploits (1)

exploitdb WORKING POC

by Cold z3ro · phpwebappsphp

https://www.exploit-db.com/exploits/52031

View Code ZIP pw:eip

References (4)

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/52031

[Product] https://www.freepbx.org/

[Third Party Advisory] https://www.vulncheck.com/advisories/freepbx-authenticated-remote-code-execution-via-api-module

[Exploit] https://www.youtube.com/watch?v=rqFJ0BxwlLI

Scores

CVSS v3 8.8

EPSS 0.0094

EPSS Percentile 76.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (2)

FreePBX/FreePBX 16

sangoma/freepbx 16.0

Published Dec 11, 2025

Tracked Since Feb 18, 2026