CVE-2019-11409
Description
app/operator_panel/exec.php in the Operator Panel module in FusionPBX 4.4.3 suffers from a command injection vulnerability due to a lack of input validation that allows authenticated non-administrative attackers to execute commands on the host. This can further lead to remote code execution when combined with an XSS vulnerability also present in the FusionPBX Operator Panel module.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FusionPBX Operator Panel 4.4.3 has a command injection vulnerability in exec.php, allowing authenticated non-admin users to execute arbitrary OS commands.
Vulnerability
CVE-2019-11409 is a command injection vulnerability in the Operator Panel module of FusionPBX version 4.4.3. The flaw is located in app/operator_panel/exec.php, where user-supplied input to the data parameter is not properly sanitized before being used in a shell command via event_socket_request(). The vulnerable code path is reachable when an authenticated user with non-administrative privileges sends a request to exec.php with a crafted action parameter that includes user_status [1]. The fix, introduced in commit e43ca27, adds input validation to the $data variable to prevent injection [1].
Exploitation
An attacker must have valid authentication on the FusionPBX Operator Panel, but does not need administrator privileges. The attack vector is network-based, requiring the ability to send HTTP POST requests to the vulnerable exec.php endpoint. By manipulating the data parameter with shell metacharacters (e.g., backticks or command chaining), an attacker can inject arbitrary commands that are executed by the underlying FreeSWITCH event socket [1]. The default configuration may expose the panel to local network users, and the vulnerability can be combined with an XSS issue (also present in the same module) to trigger execution without direct authenticated access [1].
Impact
Successful exploitation allows an authenticated non-administrative attacker to execute arbitrary operating system commands on the host running FusionPBX. This can lead to full remote code execution (RCE), providing the attacker with the ability to compromise the server, access sensitive data, pivot to internal networks, or disrupt service availability. The impact is high, as the attacker gains control equivalent to the web server user (typically www-data) [1].
Mitigation
The vulnerability is fixed in FusionPBX versions after commit e43ca27ba2d9c0109a6bf198fe2f8d79f63e0611 (2019-06-14) [1]. Users should upgrade to the latest version of FusionPBX, applying the patch that adds input validation to exec.php. As a workaround, restrict access to the Operator Panel endpoint by IP whitelisting or VPN requirements, and audit user permissions to ensure only trusted users have panel access. No known KEV listing exists for this CVE [1].
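The Vulnerability, Exploitation and Mitigation sections above describe the fix as input validation on the data parameter before it reaches event_socket_request(), and describe the attack as shell metacharacters in a POST to exec.php. The following added example (not FusionPBX's code and not the actual e43ca27 patch) shows both sides of that in Python: an allowlist validator of the kind a defender would put in front of the event socket call, and a small request-log sweep that flags parameters the validator would reject. The allowed action set, the data pattern, and the request-record format are assumptions for illustration; a real deployment would take the allowed values from the panel's own status list and the records from a proxy or application log that captures POST bodies.

```python
import re

# Assumed allowlist: the only action the panel should accept on this path.
# FusionPBX's real set may differ; the page only names user_status.
ALLOWED_ACTIONS = {"user_status"}

# Assumed shape for the data parameter: short, printable, no shell syntax.
# An allowlist (what IS permitted) is preferred over a blocklist of metacharacters.
DATA_PATTERN = re.compile(r"^[A-Za-z0-9 _.@-]{1,64}$")

# Secondary check, kept explicit so log output can name the reason.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r]")


def is_safe_data(data: str) -> bool:
    """True only if data matches the allowlist and carries no shell metacharacters."""
    return bool(DATA_PATTERN.fullmatch(data)) and not SHELL_META.search(data)


def validate_exec_request(action: str, data: str):
    """Return (ok, reason). Meant to run before anything is handed to the event socket."""
    if action not in ALLOWED_ACTIONS:
        return False, "unexpected action %r" % action
    if not is_safe_data(data):
        return False, "data parameter fails allowlist"
    return True, "ok"


# Constructed request records (assumed format), as a reverse proxy or
# application-level request log with body capture might produce them.
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "method": "POST", "path": "/app/operator_panel/exec.php",
     "params": {"action": "user_status", "data": "1001 Available"}},
    {"src": "10.0.0.9", "method": "POST", "path": "/app/operator_panel/exec.php",
     "params": {"action": "user_status", "data": "1001;id"}},
    {"src": "10.0.0.9", "method": "POST", "path": "/app/operator_panel/exec.php",
     "params": {"action": "user_status", "data": "`whoami`"}},
    {"src": "10.0.0.7", "method": "GET", "path": "/app/operator_panel/index.php",
     "params": {}},
]


def find_suspicious(requests):
    """Return (source, reason, data) for exec.php requests the validator would reject."""
    hits = []
    for rec in requests:
        if not rec["path"].endswith("/app/operator_panel/exec.php"):
            continue
        params = rec["params"]
        ok, reason = validate_exec_request(params.get("action", ""), params.get("data", ""))
        if not ok:
            hits.append((rec["src"], reason, params.get("data", "")))
    return hits


if __name__ == "__main__":
    for src, reason, data in find_suspicious(SAMPLE_REQUESTS):
        print("%s rejected: %s (data=%r)" % (src, reason, data))
```

The validator is the part that belongs in the application; the sweep is only useful where POST bodies are actually logged, which standard access logs do not do, so it is best paired with a proxy or WAF audit log. Either way, the sweep surfaces which authenticated account sent the rejected request, which is the audit trail the Mitigation section's permission review needs.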
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- FusionPBX/FusionPBX
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- packetstormsecurity.com/files/153256/FusionPBX-4.4.3-Remote-Command-Execution.html
- packetstormsecurity.com/files/155344/FusionPBX-Operator-Panel-exec.php-Command-Execution.html
- blog.gdssecurity.com/labs/2019/6/7/rce-using-caller-id-multiple-vulnerabilities-in-fusionpbx.html
- github.com/fusionpbx/fusionpbx/commit/e43ca27ba2d9c0109a6bf198fe2f8d79f63e0611
News mentions
No linked articles in our index yet.