Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-28287 is a high-severity authenticated remote code execution vulnerability in the Recordings module of FreePBX versions 16 and 17. It affects FreePBX 16 versions from 16.0.17.2 up to but not including 16.0.20, and FreePBX 17 versions from 17.0.2.4 up to but not including 17.0.5.'}, {'type': 'paragraph', 'content': 'The vulnerability arises from multiple command injection flaws in authenticated AJAX endpoints that accept user-supplied POST parameters like `file` and `filenames[]`. These parameters are not properly sanitized and are passed to shell-executed operations, allowing an attacker to inject arbitrary shell commands.'}, {'type': 'paragraph', 'content': 'Exploitation requires authentication with a known username and access to the FreePBX Administration Control Panel (ACP). An attacker with such access can execute arbitrary shell commands on the host system, potentially gaining remote access as the "asterisk" user.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can have significant impacts on system confidentiality, integrity, and availability.'}, {'type': 'list_item', 'content': 'An attacker with authenticated access can execute arbitrary shell commands on the underlying host system.'}, {'type': 'list_item', 'content': 'This can lead to remote code execution, allowing the attacker to gain control as the "asterisk" user.'}, {'type': 'list_item', 'content': 'Such control can compromise sensitive data, disrupt system operations, and potentially allow further attacks within the network.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability affects FreePBX versions 16.0.17.2 to before 16.0.20 and 17.0.2.4 to before 17.0.5, specifically in the recordings module. Detection involves verifying the installed FreePBX version and checking for suspicious activity related to the recordings module's authenticated AJAX endpoints that accept POST parameters such as `file` and `filenames[]`."}, {'type': 'paragraph', 'content': 'Since exploitation requires authentication to the FreePBX Administration Control Panel (ACP), monitoring ACP access logs for unusual or unauthorized logins can help detect potential exploitation attempts.'}, {'type': 'paragraph', 'content': 'No specific detection commands are provided in the resources, but general steps include:'}, {'type': 'list_item', 'content': 'Check FreePBX version: `fwconsole --version` or review the FreePBX web interface version information.'}, {'type': 'list_item', 'content': 'Review web server or FreePBX logs for POST requests to the recordings module endpoints containing suspicious parameters like `file` or `filenames[]`.'}, {'type': 'list_item', 'content': "Monitor system logs for unexpected shell command executions or unusual activity by the 'asterisk' user."}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to update the recordings module to the patched versions: 16.0.20 for FreePBX 16 and 17.0.5 for FreePBX 17.

Additional immediate steps include:

• Restrict access to the FreePBX Administration Control Panel (ACP) to authorized users only.
• Use FreePBX User Management, SysAdmin VPN, Multi-Factor Authentication (MFA), or SAML modules to enhance authentication security.
• Deny ACP access from untrusted networks by configuring the FreePBX Firewall module.

Useful 0 Not Useful 0