CVE-2026-28287
Published: 05 March 2026
Description
FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5, multiple command injection vulnerabilities exist in the recordings module. This issue has been patched in versions 16.0.20 and 17.0.5.
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the CVE by requiring identification, reporting, and correction of the command injection flaw through patching to FreePBX versions 16.0.20 or 17.0.5.
Prevents command injection (CWE-78) in the recordings module by validating and sanitizing untrusted inputs to block arbitrary OS command execution.
Limits damage from low-privilege (PR:L) exploitation by enforcing least privilege, restricting the scope of injected commands.
Security SummaryAI
CVE-2026-28287 involves multiple command injection vulnerabilities (CWE-78) in the recordings module of FreePBX, an open-source IP PBX software. The flaws affect versions from 16.0.17.2 up to but excluding 16.0.20, and from 17.0.2.4 up to but excluding 17.0.5.
The vulnerability carries a CVSS v3.1 base score of 8.8 (High), with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. An attacker with low-privilege network access, such as an authenticated user, can exploit it remotely with low complexity and no user interaction required. Successful exploitation enables arbitrary command execution, leading to high impacts on confidentiality, integrity, and availability of the affected system.
The FreePBX security advisory (GHSA-9vv6-h8v6-rp4q) at https://github.com/FreePBX/security-reporting/security/advisories/GHSA-9vv6-h8v6-rp4q confirms the issue and states that it has been patched in FreePBX versions 16.0.20 and 17.0.5. Administrators should prioritize upgrading to these versions for mitigation.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection vulnerability in FreePBX enables remote exploitation of the service for arbitrary Unix shell command execution.