CVE-2024-58294

UNKNOWN 0.0

FreePBX 16 Authenticated Remote Code Execution via API Module

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

FreePBX 16 contains an authenticated remote code execution vulnerability in the API module that allows attackers with valid session credentials to execute arbitrary commands. Attackers can exploit the 'generatedocs' endpoint by crafting malicious POST requests with bash command injection to establish remote shell access.

CWE	CWE-78
Vendor	freepbx
Product	freepbx
Published	Dec 11, 2025
Last Updated	Apr 7, 2026

Stay Ahead of the Next One

Get instant alerts for freepbx freepbx

Be the first to know when new unknown vulnerabilities affecting freepbx freepbx are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

FreePBX / FreePBX

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/52031 freepbx.org: https://www.freepbx.org/ youtube.com: https://www.youtube.com/watch?v=rqFJ0BxwlLI vulncheck.com: https://www.vulncheck.com/advisories/freepbx-authenticated-remote-code-execution-via-api-module

Credits

Cold z3ro