System administrators must immediately patch two critical FreePBX RCE vulnerabilities that expose voice over IP (VoIP) telephony servers to severe exploitation. FreePBX, a widely used open-source graphical user interface for Asterisk, recently disclosed security flaws affecting the Superfecta module and the User Control Panel (UCP). Both flaws carry a severe CVSS score of 8.6 and allow attackers with authenticated access to gain deep control over host systems.
Superfecta Module Arbitrary PHP Code Execution
The first major flaw exists in the Superfecta module due to the unsafe inclusion of arbitrary PHP files. According to the vulnerability report, “The code dynamically includes PHP files from the sources/ directory based on user-supplied input.” Authenticated attackers can exploit this weakness to execute arbitrary PHP code with web server privileges. When chained with directory creation and file uploads, this flaw grants attackers full remote code execution and total system compromise.
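The following is an added illustration of the pattern the advisory describes, not FreePBX's or the Superfecta module's own code: an include whose path is built from user input, next to a version that only lets the input select from a static allowlist and then checks that the resolved file still lives under the intended directory. The parameter name `source`, the `sources/` layout and the allowed names are assumptions.

```php
<?php
// Added illustration, not FreePBX or Superfecta code: the include-from-user-input
// pattern the advisory describes, next to an allowlisted version.
// The parameter name 'source', the sources/ layout and the allowed names are assumptions.

// VULNERABLE PATTERN: the request decides which file is included. Any PHP file the
// web server can read, including one an attacker managed to place on disk and
// reach with '../', is executed with the web server's privileges.
function load_source_unsafe(string $requested): void
{
    include __DIR__ . '/sources/' . $requested . '.php';
}

// Fixed list of lookup sources this deployment ships (placeholder names).
const ALLOWED_SOURCES = ['example_lookup', 'example_cache'];

// HARDENED: the user's value only selects an entry from a static allowlist; it never
// becomes part of a path on its own, and the resolved path is checked for containment.
function load_source_safe(string $requested): string
{
    // 1. The value must be exactly one of the known names (strict comparison).
    if (!in_array($requested, ALLOWED_SOURCES, true)) {
        throw new InvalidArgumentException('unknown source');
    }

    // 2. Resolve symlinks and '..' and confirm the target still sits under sources/.
    $baseDir = realpath(__DIR__ . '/sources');
    $target  = $baseDir === false ? false : realpath($baseDir . '/' . $requested . '.php');
    if ($baseDir === false || $target === false
        || strpos($target, $baseDir . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('source file missing or outside sources/');
    }

    include $target;
    return $target;
}

// Request handling: reject and log, rather than falling back to a default file.
$requested = (string) ($_GET['source'] ?? '');
try {
    load_source_safe($requested);
} catch (Throwable $e) {
    error_log('source request rejected: ' . $e->getMessage());
    http_response_code(400);
}
```

The allowlist is deliberately static rather than derived from a directory listing: the advisory notes the flaw is chained with directory creation and file uploads, and a listing-based allowlist would accept any file an attacker managed to drop into `sources/`. The `realpath()` containment check is a second layer in case the allowlist is ever loosened.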
UCP Interface Authenticated Command Injection
Additionally, the second threat involves an authenticated command injection bug within the FreePBX UCP interface. This interface is typically exposed to less-privileged users, so ordinary end-user accounts, not just administrators, can reach the vulnerable code. The report notes that “Insufficient sanitization of certain URL parameters utilized by UCP did not fully account for malicious strings in these fields.” As a result, malicious actors can force binaries to execute on the host server by carefully chaining commands.
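As an added illustration of the bug class described for UCP, not the UCP module's own code, here is a URL parameter spliced into a shell command next to two hardened forms: one that validates the value and runs the program without any shell, and one for the case where a shell string cannot be avoided. The parameter name `ext` and the binary `/usr/local/bin/voicemail-report` are assumptions.

```php
<?php
// Added illustration, not FreePBX or UCP code: a URL parameter spliced into a shell
// command, the class of bug described for UCP, next to hardened forms.
// The parameter 'ext' and the binary /usr/local/bin/voicemail-report are assumptions.

// VULNERABLE PATTERN: string concatenation hands the whole line to /bin/sh, so any
// shell metacharacter in $ext changes what gets executed.
function report_unsafe(string $ext): string
{
    return (string) shell_exec('/usr/local/bin/voicemail-report --ext ' . $ext);
}

// Shape check shared by the hardened variants: an extension is a short digit string.
function assert_extension(string $ext): void
{
    if (!preg_match('/^[0-9]{2,8}$/', $ext)) {
        throw new InvalidArgumentException('invalid extension');
    }
}

// HARDENED (preferred): validate, then run the program with an argv array.
// proc_open() in PHP 7.4+ accepts an array and executes the binary directly,
// so no shell ever parses the value.
function report_safe(string $ext): string
{
    assert_extension($ext);
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['/usr/local/bin/voicemail-report', '--ext', $ext], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start report process');
    }
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    if (proc_close($proc) !== 0) {
        throw new RuntimeException('report failed: ' . trim($err));
    }
    return $out;
}

// HARDENED (when a shell string is unavoidable): validate, then quote every
// untrusted argument with escapeshellarg() so it is passed as one literal word.
function report_quoted(string $ext): string
{
    assert_extension($ext);
    return (string) shell_exec('/usr/local/bin/voicemail-report --ext ' . escapeshellarg($ext));
}

// Request handling: a rejected value is logged and answered with 400, never retried
// through the unsafe path.
$ext = (string) ($_GET['ext'] ?? '');
try {
    echo report_safe($ext);
} catch (Throwable $e) {
    error_log('ucp request rejected: ' . $e->getMessage());
    http_response_code(400);
}
```

Validation and quoting are independent defences: the allowlist regex stops unexpected input at the boundary, while the argv array (or `escapeshellarg()`) guarantees that even a value that slipped past validation is delivered to the program as a single argument rather than interpreted by the shell.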
Mitigation and Patching Guidance
To mitigate these dangerous FreePBX RCE vulnerabilities, organizations must prioritize software updates immediately. Update the Superfecta module to version 16.0.40 or 17.0.7, and the UCP module to version 16.0.39 or 17.0.7. System administrators can obtain the latest secure versions directly by visiting the official software repository at https://www.freepbx.org/downloads/.
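The check below is an added example, not a FreePBX tool, that compares installed Superfecta and UCP module versions against the fixed releases named above, per major branch. The fixed version numbers come from this article; the installed-version array is constructed sample input standing in for whatever your module inventory reports.

```php
<?php
// Added check, not part of FreePBX: compare installed Superfecta and UCP module
// versions against the fixed releases named in the advisory, branch by branch.
// The fixed versions are from the article; the $installed array is constructed sample data.

const FIXED_VERSIONS = [
    'superfecta' => ['16' => '16.0.40', '17' => '17.0.7'],
    'ucp'        => ['16' => '16.0.39', '17' => '17.0.7'],
];

// Returns true when $installed is older than the fixed release on its own major
// branch, false when it is at or past the fix, and null when the advisory says
// nothing about this module or branch.
function module_is_vulnerable(string $module, string $installed): ?bool
{
    $major = explode('.', $installed, 2)[0];
    $fixed = FIXED_VERSIONS[$module][$major] ?? null;
    if ($fixed === null) {
        return null;
    }
    return version_compare($installed, $fixed, '<');
}

// Constructed sample inventory: one outdated module, one patched, one unrelated.
$installed = ['superfecta' => '16.0.38', 'ucp' => '17.0.7', 'other_module' => '17.0.12'];
foreach ($installed as $module => $version) {
    $state = module_is_vulnerable($module, $version);
    printf("%-13s %-8s %s\n", $module, $version,
        $state === null ? 'not covered by this advisory' : ($state ? 'UPDATE REQUIRED' : 'patched'));
}
```

Comparing within the major branch matters here: a 16.x installation at 16.0.40 is patched even though 17.0.7 is numerically higher, and a naive "greater than the latest release" test would wrongly flag it.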
Furthermore, defenders should strictly limit access to both the Administrator Control Panel (ACP) and UCP. Utilize the FreePBX Firewall, VPN, or MFA modules to deny hostile network traffic. By locking down these interfaces and patching immediately, telecom operators can prevent catastrophic server takeovers.