Home

Description

FreePBX 16 contains an authenticated remote code execution vulnerability in the API module that allows attackers with valid session credentials to execute arbitrary commands. Attackers can exploit the 'generatedocs' endpoint by crafting malicious POST requests with bash command injection to establish remote shell access.

PUBLISHED Reserved 2025-12-11 | Published 2025-12-11 | Updated 2025-12-16 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status
unaffected

16
affected

Credits

Cold z3ro finder

References

www.exploit-db.com/exploits/52031 (ExploitDB-52031) exploit

www.freepbx.org/ (Official Product Homepage) product

www.youtube.com/watch?v=rqFJ0BxwlLI (Original Video Link) product

www.vulncheck.com/...ed-remote-code-execution-via-api-module (VulnCheck Advisory: FreePBX 16 Authenticated Remote Code Execution via API Module) third-party-advisory

cve.org (CVE-2024-58294)

nvd.nist.gov (CVE-2024-58294)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.