RCE in Freepbx
CVE-2024-58294
FreePBX 16 contains an authenticated remote code execution vulnerability in the API module that allows attackers with valid session credentials to execute arbitrary commands. Attackers can exploit the 'generatedocs' endpoint by crafting ma…
Vulnerability class: Command Injection (OS Command Injection)
EPSS: 0.031 (86.2th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Affected products
- Freepbx — versions 16
- Sangoma Freepbx — versions 16.0
Weakness classification (CWE)
References
- disclosure@vulncheck.com (Exploit, VDB Entry, Third Party Advisory, exploit)
- disclosure@vulncheck.com (Product, product)
- disclosure@vulncheck.com (Exploit, product)
- disclosure@vulncheck.com (Third Party Advisory, third-party-advisory)
Frequently asked questions
- What is CVE-2024-58294?
- CVE-2024-58294 is a high-severity vulnerability in Freepbx, classified under OS Command Injection. CVSS score: 8.8/10. Published 2025-12-11.
- How severe is CVE-2024-58294?
- High severity. CVSS v3 base score is 8.8 out of 10.