<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>FreePBX Security-Reporting Missedcall (FreePBX 16) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/freepbx-security-reporting-missedcall-freepbx-16/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 17 Jul 2026 14:30:21 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/freepbx-security-reporting-missedcall-freepbx-16/feed.xml" rel="self" type="application/rss+xml"/><item><title>FreePBX Modules Vulnerable to Unauthenticated RCE and SQL Injection</title><link>https://feed.craftedsignal.io/briefs/2026-07-freepbx-critical-vulnerabilities/</link><pubDate>Fri, 17 Jul 2026 14:30:21 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-freepbx-critical-vulnerabilities/</guid><description>Multiple critical vulnerabilities have been identified in FreePBX modules, including unauthenticated remote code execution (RCE) in the UCP module, unauthenticated SQL injection in the missedcall module leading to administrator takeover, authenticated command injection in the TTS module, and authenticated RCE in the music module. These flaws affect specific versions of these modules across FreePBX 16 and 17, allowing attackers to execute arbitrary commands, bypass authentication, and gain administrative control.</description><content:encoded><![CDATA[<p>On July 17, 2026, the Canadian Centre for Cyber Security (CCCS) issued an advisory highlighting several critical vulnerabilities within various FreePBX modules. These security flaws impact FreePBX versions 16 and 17, with some allowing for unauthenticated remote code execution (RCE) and unauthenticated SQL injection leading to administrator takeover. Specifically, the FreePBX Security-Reporting ucp module is vulnerable to unauthenticated RCE (GHSA-37j8-fhxx-9vhp) in versions prior to 17.0.9. The FreePBX Security-Reporting missedcall module is susceptible to unauthenticated SQL injection (GHSA-g27h-xf3q-h3rm) in versions prior to 16.0.11 and 17.0.6. Additionally, authenticated command injection (GHSA-hg3v-m857-mvw9) and RCE (GHSA-p97w-rq48-p8q2) affect the tts and music modules respectively, and an authenticated framework vulnerability (GHSA-f6hc-rqxg-ch86) allows AUTHTYPE restoration from crafted backups. These vulnerabilities pose a significant risk, enabling attackers to compromise the FreePBX system, execute arbitrary commands, and gain full administrative control without prior authentication in some cases.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Reconnaissance</strong>: An attacker identifies internet-facing FreePBX installations using tools like Shodan or targeted scanning to locate vulnerable instances of FreePBX 16 or 17.</li>
<li><strong>Initial Access (Unauthenticated RCE)</strong>: The attacker crafts and sends a specially malformed HTTP request to the vulnerable FreePBX UCP module (versions prior to 17.0.9), exploiting the <code>socket.io</code> namespace authentication bypass and AMI action injection (GHSA-37j8-fhxx-9vhp) to execute arbitrary commands on the FreePBX server.</li>
<li><strong>Initial Access (Unauthenticated SQL Injection)</strong>: Alternatively, the attacker sends a crafted HTTP request to a vulnerable FreePBX missedcall module (versions prior to 16.0.11 or 17.0.6), injecting malicious SQL payloads into the inbound Caller ID name parameter to exploit the SQL injection vulnerability (GHSA-g27h-xf3q-h3rm).</li>
<li><strong>Privilege Escalation</strong>: Successful SQL injection allows the attacker to query or modify the FreePBX database, potentially retrieving or resetting administrative credentials, thereby achieving administrative takeover of the FreePBX system.</li>
<li><strong>Command and Control</strong>: With RCE or administrative access, the attacker establishes a persistent foothold by executing commands to install backdoors, create new administrative users, or modify system configurations.</li>
<li><strong>Impact</strong>: The attacker gains full control over the FreePBX server, compromising call records, sensitive configuration data, and potentially leveraging the system for further network intrusion or telephony fraud.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities leads to severe consequences, including full system compromise, data theft, and unauthorized control over the FreePBX communication platform. The unauthenticated nature of the RCE and SQL injection flaws means that attackers can gain initial access without requiring any credentials, significantly increasing the risk. An attacker gaining administrative takeover could lead to the exposure of sensitive call detail records, manipulation of VoIP infrastructure, deployment of malware, or use of the FreePBX system as a launchpad for further attacks within the organization's network. While no specific victim counts are mentioned, the widespread use of FreePBX suggests a broad potential impact across various sectors.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the necessary updates for FreePBX Security-Reporting ucp (FreePBX 17) to version 17.0.9 or later.</li>
<li>Apply the necessary updates for FreePBX Security-Reporting missedcall (FreePBX 16) to version 16.0.11 or later.</li>
<li>Apply the necessary updates for FreePBX Security-Reporting missedcall (FreePBX 17) to version 17.0.6 or later.</li>
<li>Apply the necessary updates for FreePBX Security-Reporting tts (FreePBX 17) to version 17.0.6 or later.</li>
<li>Apply the necessary updates for FreePBX Security-Reporting tts (FreePBX 16) to version 16.0.6 or later.</li>
<li>Apply the necessary updates for FreePBX Security-Reporting music (FreePBX 17) to version 17.0.7 or later.</li>
<li>Apply the necessary updates for FreePBX Security-Reporting framework (FreePBX 16) to version 16.0.47 or later.</li>
<li>Apply the necessary updates for FreePBX Security-Reporting framework (FreePBX 17) to version 17.0.30 or later.</li>
<li>Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect attempts to exploit <code>GHSA-37j8-fhxx-9vhp</code> and <code>GHSA-g27h-xf3q-h3rm</code>.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>freepbx</category><category>rce</category><category>sql-injection</category><category>command-injection</category><category>web-vulnerability</category><category>asterisk</category></item></channel></rss>