Product
Multiple critical vulnerabilities have been identified in FreePBX modules, including unauthenticated remote code execution (RCE) in the UCP module, unauthenticated SQL injection in the missedcall module leading to administrator takeover, authenticated command injection in the TTS module, and authenticated RCE in the music module. These flaws affect specific versions of these modules across FreePBX 16 and 17, allowing attackers to execute arbitrary commands, bypass authentication, and gain administrative control.