RCE in Freepbx

CVE-2024-58294

FreePBX 16 contains an authenticated remote code execution vulnerability in the API module that allows attackers with valid session credentials to execute arbitrary commands. Attackers can exploit the 'generatedocs' endpoint by crafting ma…

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.031 (86.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Affected products

Weakness classification (CWE)

References

Frequently asked questions

What is CVE-2024-58294?
CVE-2024-58294 is a high-severity vulnerability in Freepbx, classified under OS Command Injection. CVSS score: 8.8/10. Published 2025-12-11.
How severe is CVE-2024-58294?
High severity. CVSS v3 base score is 8.8 out of 10.