Description
FreePBX is an open-source, web-based graphical user interface. In versions from 17.0.19.11 up to, but not including, 17.0.21, an authenticated user of the Administrator Control Panel (ACP) can run arbitrary shell commands by submitting a crafted language value to the framework module (OS command injection, CWE-78). The issue is fixed in 17.0.21; no unauthenticated path is described, which matches the PR:L in the CVSS vector below.
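Two things a practitioner wants from this record are an affected-range check and a concrete picture of the CWE-78 pattern it describes. The block below is an added illustration, not FreePBX's code: the advisory linked on this page does not publish the affected code path, so the function names, the locale allowlist pattern, and the use of `echo` as a stand-in for whatever command consumes the language value are all assumptions. The version bounds are taken from the description above.

```python
import re
import subprocess

# Affected range from the advisory text: 17.0.19.11 up to, but not including, 17.0.21.
AFFECTED_FROM = (17, 0, 19, 11)
FIXED_IN = (17, 0, 21)

# Assumed allowlist for a locale identifier such as "en_US" or "pt_BR.UTF-8".
# This is an illustrative pattern, not the one FreePBX uses.
LOCALE_RE = re.compile(r"^[a-z]{2,3}(_[A-Z]{2})?(\.[A-Za-z0-9-]+)?$")


def parse_version(v):
    """Turn a dotted FreePBX version such as '17.0.19.11' into a tuple of ints
    so that Python's tuple ordering gives a correct component-wise comparison."""
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(p) for p in v.split("."))


def is_affected(v):
    """True when v lies in [17.0.19.11, 17.0.21); 17.0.21 and later are fixed."""
    return AFFECTED_FROM <= parse_version(v) < FIXED_IN


def set_language_vulnerable(lang):
    """Hypothetical CWE-78 shape: the user-controlled value is spliced into a
    command line that is handed to /bin/sh, so ';', '$(...)', '|' and friends
    are interpreted by the shell rather than treated as part of the locale."""
    cmd = f"echo locale={lang}"  # 'echo' stands in for a real locale-setting command
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def set_language_safe(lang):
    """Hardened form: reject anything that is not a plausible locale name, then
    exec with an argv list and no shell, so the value can never be parsed as
    shell syntax even if the allowlist were later loosened."""
    if not LOCALE_RE.match(lang):
        raise ValueError(f"rejected locale value: {lang!r}")
    argv = ["echo", f"locale={lang}"]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for ver in ("17.0.19.10", "17.0.19.11", "17.0.20", "17.0.21"):
        print(ver, "affected" if is_affected(ver) else "not affected")
    payload = "en_US; echo INJECTED"  # constructed sample input
    print("vulnerable path output:", repr(set_language_vulnerable(payload)))
    try:
        set_language_safe(payload)
    except ValueError as e:
        print("hardened path:", e)
    print("hardened path output:", repr(set_language_safe("en_US")))
```

The allowlist is the primary control; the argv form is defence in depth. Reviewing a fix for this class of bug, check both that the value is validated before any use and that no later code path re-joins the argv into a string for a shell.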
References (1)
Core References
https://github.com/FreePBX/security-reporting/security/advisories/GHSA-xg83-m6q5-q24h
Tags: Mitigation, Third Party Advisory, x_refsource_confirm
Scores
CVSS v3: 8.8 (High)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.0040 (31.7th percentile)
CISA SSVC
Source: Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-78 (Improper Neutralization of Special Elements used in an OS Command, "OS Command Injection")
Status: published
Products (1): sangoma/freepbx, versions 17.0.19.11 up to but not including 17.0.21 (fixed in 17.0.21)
Published: Sep 15, 2025
Tracked Since: Feb 18, 2026