{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/freepbx-backup-freepbx-17/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["FreePBX API (FreePBX 17)","FreePBX Backup (FreePBX 17)"],"_cs_severities":["high"],"_cs_tags":["freepbx","vulnerability","command-injection","rce","ssh-key-injection","voip","pbx","linux"],"_cs_type":"advisory","_cs_vendors":["FreePBX"],"content_html":"\u003cp\u003eOn July 9, 2026, the Canadian Centre for Cyber Security (CCCS) issued an advisory highlighting critical vulnerabilities within FreePBX, specifically impacting its API and Backup modules. These vulnerabilities affect FreePBX API versions prior to 17.0.9 and FreePBX Backup versions prior to 17.0.11. The identified flaws include an authenticated host command injection vulnerability (GHSA-79rg-3xp6-rqq6) within the API's \u003ccode\u003egeneratedocs\u003c/code\u003e function and an authenticated arbitrary SSH key injection vulnerability (GHSA-24w6-hpg3-rwfg) via the Backup module. Successful exploitation of these issues allows an authenticated attacker to execute arbitrary commands on the underlying system, gain persistent unauthorized access, or achieve remote code execution. This poses a significant risk to FreePBX deployments, potentially leading to full system compromise, data exfiltration, or service disruption. Defenders must prioritize applying the provided updates to mitigate these threats.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access / Authentication:\u003c/strong\u003e An attacker obtains or compromises legitimate credentials for a FreePBX user account, gaining authenticated access to the FreePBX web interface or API.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploitation (API Command Injection):\u003c/strong\u003e The authenticated attacker crafts a malicious request targeting the vulnerable \u003ccode\u003egeneratedocs\u003c/code\u003e function within the FreePBX API, embedding operating system commands.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand Execution:\u003c/strong\u003e The FreePBX API processes the crafted request, leading to the execution of arbitrary commands on the underlying server with the privileges of the FreePBX application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAlternative Exploitation (SSH Key Injection):\u003c/strong\u003e As an alternative, the authenticated attacker navigates to the Backup module and injects an arbitrary SSH public key into a configuration file.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence / Remote Access:\u003c/strong\u003e If command injection is used, the attacker establishes persistence (e.g., by creating a cron job, installing a web shell, or modifying system startup scripts). If SSH key injection is used, the attacker immediately gains persistent SSH access to the FreePBX server using the corresponding private key.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker achieves remote code execution, gains full control over the FreePBX system, which can be used for further lateral movement, data exfiltration, or to disrupt communication services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe exploitation of these authenticated vulnerabilities can lead to severe consequences for FreePBX users. With arbitrary command execution capabilities, attackers can completely compromise the underlying server, gaining unauthorized access to sensitive call detail records, system configurations, and potentially other interconnected systems. The ability to inject SSH keys allows for persistent unauthorized remote access, enabling long-term surveillance or control. This can result in significant data breaches, disruption of critical communication infrastructure, financial losses, and damage to an organization's reputation. While specific victim counts or targeted sectors are not detailed, any organization using affected FreePBX versions is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately apply the security updates for FreePBX API to version 17.0.9 or later, and for FreePBX Backup to version 17.0.11 or later, as recommended by the FreePBX security advisories referenced in this brief.\u003c/li\u003e\n\u003cli\u003eReview access logs and FreePBX audit trails for any suspicious authenticated activity, especially around the API \u003ccode\u003egeneratedocs\u003c/code\u003e function or Backup module, after applying the patches.\u003c/li\u003e\n\u003cli\u003eImplement strong authentication measures, including multi-factor authentication (MFA), for all FreePBX administrative and user accounts to prevent initial authentication bypass.\u003c/li\u003e\n\u003cli\u003eRegularly review and rotate SSH keys on FreePBX servers and ensure that only authorized keys are present.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T18:15:02Z","date_published":"2026-07-09T18:15:02Z","id":"https://feed.craftedsignal.io/briefs/2026-07-freepbx-vulnerabilities/","summary":"FreePBX has released security advisories to address critical vulnerabilities in its API and Backup modules, affecting FreePBX API (versions prior to 17.0.9) and FreePBX Backup (versions prior to 17.0.11), which include authenticated command injection and arbitrary SSH key injection leading to remote code execution and unauthorized access.","title":"FreePBX API and Backup Modules Vulnerabilities Allowing Authenticated RCE and SSH Key Injection","url":"https://feed.craftedsignal.io/briefs/2026-07-freepbx-vulnerabilities/"}],"language":"en","title":"CraftedSignal Threat Feed - FreePBX Backup (FreePBX 17)","version":"https://jsonfeed.org/version/1.1"}