Cyber Posture

CVE-2024-58294

Severity: High · Public PoC available

Published: 11 December 2025
Modified: 15 December 2025
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0094 (76.3rd percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

FreePBX 16 contains an authenticated remote code execution vulnerability in the API module that allows attackers with valid session credentials to execute arbitrary commands. Attackers can exploit the 'generatedocs' endpoint by crafting malicious POST requests with bash command injection to establish remote shell access.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- Prevent: SI-10 requires validation of information inputs, directly preventing bash command injection in the 'generatedocs' endpoint by rejecting malicious payloads.
- Prevent: SI-2 mandates timely flaw remediation, addressing the root cause of this authenticated RCE vulnerability through identification, reporting, and patching.
- Prevent: AC-6 enforces least privilege, limiting the scope and impact of arbitrary command execution by authenticated low-privilege attackers.

Security Summary [AI-generated]

CVE-2024-58294 is an authenticated remote code execution vulnerability in FreePBX 16, specifically within the API module. The flaw arises from bash command injection in the 'generatedocs' endpoint, enabling attackers with valid session credentials to execute arbitrary commands. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-78 (Improper Neutralization of Special Elements used in an OS Command).

An attacker requires low-privilege authenticated access, such as valid session credentials, to exploit this vulnerability over the network with low complexity and no user interaction. By crafting malicious POST requests to the 'generatedocs' endpoint, the attacker can inject bash commands, leading to arbitrary command execution and the establishment of remote shell access on the affected FreePBX 16 system.

Advisories and related resources include a Vulncheck advisory detailing the authenticated RCE via the API module, a proof-of-concept exploit published on Exploit-DB at https://www.exploit-db.com/exploits/52031, the official FreePBX website at https://www.freepbx.org/, and a YouTube video at https://www.youtube.com/watch?v=rqFJ0BxwlLI. The CVE was published on 2025-12-11.

Details

CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command)

Affected Products: sangoma freepbx 16.0

MITRE ATT&CK Enterprise Techniques [AI-generated]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Authenticated RCE via bash command injection in FreePBX API enables exploitation of a public-facing application (T1190) and arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References