{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/freepbx-security-reporting-tts-freepbx-16/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["FreePBX Security-Reporting ucp (FreePBX 17)","FreePBX Security-Reporting missedcall (FreePBX 16)","FreePBX Security-Reporting missedcall (FreePBX 17)","FreePBX Security-Reporting tts (FreePBX 17)","FreePBX Security-Reporting tts (FreePBX 16)","FreePBX Security-Reporting music (FreePBX 17)","FreePBX Security-Reporting framework (FreePBX 16)","FreePBX Security-Reporting framework (FreePBX 17)"],"_cs_severities":["high"],"_cs_tags":["freepbx","rce","sql-injection","command-injection","web-vulnerability","asterisk"],"_cs_type":"advisory","_cs_vendors":["FreePBX"],"content_html":"\u003cp\u003eOn July 17, 2026, the Canadian Centre for Cyber Security (CCCS) issued an advisory highlighting several critical vulnerabilities within various FreePBX modules. These security flaws impact FreePBX versions 16 and 17, with some allowing for unauthenticated remote code execution (RCE) and unauthenticated SQL injection leading to administrator takeover. Specifically, the FreePBX Security-Reporting ucp module is vulnerable to unauthenticated RCE (GHSA-37j8-fhxx-9vhp) in versions prior to 17.0.9. The FreePBX Security-Reporting missedcall module is susceptible to unauthenticated SQL injection (GHSA-g27h-xf3q-h3rm) in versions prior to 16.0.11 and 17.0.6. Additionally, authenticated command injection (GHSA-hg3v-m857-mvw9) and RCE (GHSA-p97w-rq48-p8q2) affect the tts and music modules respectively, and an authenticated framework vulnerability (GHSA-f6hc-rqxg-ch86) allows AUTHTYPE restoration from crafted backups. These vulnerabilities pose a significant risk, enabling attackers to compromise the FreePBX system, execute arbitrary commands, and gain full administrative control without prior authentication in some cases.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance\u003c/strong\u003e: An attacker identifies internet-facing FreePBX installations using tools like Shodan or targeted scanning to locate vulnerable instances of FreePBX 16 or 17.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access (Unauthenticated RCE)\u003c/strong\u003e: The attacker crafts and sends a specially malformed HTTP request to the vulnerable FreePBX UCP module (versions prior to 17.0.9), exploiting the \u003ccode\u003esocket.io\u003c/code\u003e namespace authentication bypass and AMI action injection (GHSA-37j8-fhxx-9vhp) to execute arbitrary commands on the FreePBX server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access (Unauthenticated SQL Injection)\u003c/strong\u003e: Alternatively, the attacker sends a crafted HTTP request to a vulnerable FreePBX missedcall module (versions prior to 16.0.11 or 17.0.6), injecting malicious SQL payloads into the inbound Caller ID name parameter to exploit the SQL injection vulnerability (GHSA-g27h-xf3q-h3rm).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation\u003c/strong\u003e: Successful SQL injection allows the attacker to query or modify the FreePBX database, potentially retrieving or resetting administrative credentials, thereby achieving administrative takeover of the FreePBX system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control\u003c/strong\u003e: With RCE or administrative access, the attacker establishes a persistent foothold by executing commands to install backdoors, create new administrative users, or modify system configurations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: The attacker gains full control over the FreePBX server, compromising call records, sensitive configuration data, and potentially leveraging the system for further network intrusion or telephony fraud.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities leads to severe consequences, including full system compromise, data theft, and unauthorized control over the FreePBX communication platform. The unauthenticated nature of the RCE and SQL injection flaws means that attackers can gain initial access without requiring any credentials, significantly increasing the risk. An attacker gaining administrative takeover could lead to the exposure of sensitive call detail records, manipulation of VoIP infrastructure, deployment of malware, or use of the FreePBX system as a launchpad for further attacks within the organization's network. While no specific victim counts are mentioned, the widespread use of FreePBX suggests a broad potential impact across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the necessary updates for FreePBX Security-Reporting ucp (FreePBX 17) to version 17.0.9 or later.\u003c/li\u003e\n\u003cli\u003eApply the necessary updates for FreePBX Security-Reporting missedcall (FreePBX 16) to version 16.0.11 or later.\u003c/li\u003e\n\u003cli\u003eApply the necessary updates for FreePBX Security-Reporting missedcall (FreePBX 17) to version 17.0.6 or later.\u003c/li\u003e\n\u003cli\u003eApply the necessary updates for FreePBX Security-Reporting tts (FreePBX 17) to version 17.0.6 or later.\u003c/li\u003e\n\u003cli\u003eApply the necessary updates for FreePBX Security-Reporting tts (FreePBX 16) to version 16.0.6 or later.\u003c/li\u003e\n\u003cli\u003eApply the necessary updates for FreePBX Security-Reporting music (FreePBX 17) to version 17.0.7 or later.\u003c/li\u003e\n\u003cli\u003eApply the necessary updates for FreePBX Security-Reporting framework (FreePBX 16) to version 16.0.47 or later.\u003c/li\u003e\n\u003cli\u003eApply the necessary updates for FreePBX Security-Reporting framework (FreePBX 17) to version 17.0.30 or later.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect attempts to exploit \u003ccode\u003eGHSA-37j8-fhxx-9vhp\u003c/code\u003e and \u003ccode\u003eGHSA-g27h-xf3q-h3rm\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-17T14:30:21Z","date_published":"2026-07-17T14:30:21Z","id":"https://feed.craftedsignal.io/briefs/2026-07-freepbx-critical-vulnerabilities/","summary":"Multiple critical vulnerabilities have been identified in FreePBX modules, including unauthenticated remote code execution (RCE) in the UCP module, unauthenticated SQL injection in the missedcall module leading to administrator takeover, authenticated command injection in the TTS module, and authenticated RCE in the music module. These flaws affect specific versions of these modules across FreePBX 16 and 17, allowing attackers to execute arbitrary commands, bypass authentication, and gain administrative control.","title":"FreePBX Modules Vulnerable to Unauthenticated RCE and SQL Injection","url":"https://feed.craftedsignal.io/briefs/2026-07-freepbx-critical-vulnerabilities/"}],"language":"en","title":"CraftedSignal Threat Feed - FreePBX Security-Reporting Tts (FreePBX 16)","version":"https://jsonfeed.org/version/1.1"}