CVE-2025-55211
BaseFortify
Publication date: 2025-09-15
Last updated on: 2025-10-17
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sangoma | freepbx | From 17.0.19.11 (inc) to 17.0.21 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in FreePBX versions from 17.0.19.11 to before 17.0.21 allows authenticated users of the Administrator Control Panel (ACP) to execute arbitrary shell commands by maliciously changing the languages of the framework module. This means an attacker with ACP access can run commands on the server, potentially compromising the system. The issue is fixed in version 17.0.21.
How can this vulnerability impact me? :
If exploited, this vulnerability can allow an attacker with ACP access to execute arbitrary shell commands on the FreePBX server. This can lead to unauthorized control over the system, data compromise, service disruption, or further attacks within the network.
What immediate steps should I take to mitigate this vulnerability?
Upgrade FreePBX to version 17.0.21 or later, as this version contains the fix for the vulnerability allowing authenticated Administrator Control Panel users to run arbitrary shell commands by changing languages in the framework module.