CVE-2019-16965
Description
resources/cmd.php in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated administrative attackers to execute any commands on the host as www-data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FusionPBX up to 4.5.7 has a command injection in resources/cmd.php, letting authenticated admins execute commands as www-data.
Vulnerability
In FusionPBX versions up to 4.5.7, the file resources/cmd.php suffers from a command injection vulnerability due to insufficient input validation [1]. The cmd parameter is passed directly to the FreeSWITCH Sofia API without sanitization, allowing an attacker to inject arbitrary system commands [2]. The vulnerable code path is reachable from the web interface by any authenticated user with administrative privileges [1][2].
Exploitation
An attacker must have valid administrative credentials to access the resources/cmd.php endpoint [2]. Once authenticated, the attacker can craft a URL containing a malicious cmd parameter that includes shell metacharacters or command separators to execute arbitrary commands on the underlying operating system [1][2]. No additional user interaction or race condition is required; the attack is a simple HTTP request with the injected payload.
Impact
Successful exploitation allows the attacker to execute arbitrary operating system commands on the host running FusionPBX, with the privileges of the www-data user [1][2]. This can lead to full compromise of the application, data exfiltration, modification of configuration files, or lateral movement within the network depending on the host's exposure [2]. The CVSS v3 base score is 7.2 (HIGH), reflecting the high impact on confidentiality, integrity, and availability [2].
Mitigation
The vulnerability was fixed on the same day it was reported, 15 August 2019, by removing the resources/cmd.php file entirely [1][2]. The fix was applied to the 4.4 branch and the master branch; users should upgrade to the latest patched version immediately [2]. If upgrading is not possible, administrators should restrict access to resources/cmd.php via web server configuration or remove the file manually [1][2].
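As an added example (not from this page or the FusionPBX project), a small Python check that scans web-server access logs for requests to resources/cmd.php: it surfaces hits carrying the shell metacharacters the narrative above describes, and confirms that a web-server restriction or file removal is actually being enforced (a 403/404 on the endpoint). The Apache "combined" log layout, the sample log lines and the IP addresses are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format is assumed; the sample traffic below is constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Shell metacharacters / command separators named in the advisory narrative.
SHELL_META = re.compile(r'[;&|`$<>]')

SAMPLE_LOG = """\
203.0.113.10 - admin [15/Aug/2019:10:01:02 +0000] "GET /resources/cmd.php?cmd=sofia+status&rdr=false HTTP/1.1" 200 512
203.0.113.10 - admin [15/Aug/2019:10:01:09 +0000] "GET /app/calls/calls.php HTTP/1.1" 200 2048
198.51.100.7 - admin [15/Aug/2019:10:02:33 +0000] "GET /resources/cmd.php?cmd=status%3B%20PLACEHOLDER_COMMAND&rdr=false HTTP/1.1" 200 77
198.51.100.7 - admin [16/Aug/2019:08:00:00 +0000] "GET /resources/cmd.php?cmd=status HTTP/1.1" 403 199
"""

def analyse_line(line):
    """Return a finding dict for a hit on resources/cmd.php, or None for any other request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/resources/cmd.php"):
        return None
    # parse_qs already percent-decodes and turns '+' into a space.
    cmd = parse_qs(parts.query).get("cmd", [""])[0]
    finding = {
        "ip": m.group("ip"),
        "user": m.group("user"),
        "status": int(m.group("status")),
        "cmd": cmd,
        # A metacharacter inside cmd is the injection signature described above;
        # any other hit on the endpoint is still worth reviewing (file was removed upstream).
        "severity": "high" if SHELL_META.search(cmd) else "medium",
    }
    if finding["status"] in (403, 404):
        finding["note"] = "blocked - endpoint restricted or removed"
    return finding

def scan(log_text):
    """Return findings for every request to the vulnerable endpoint in log_text."""
    return [f for f in (analyse_line(l) for l in log_text.splitlines()) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

Feed real access logs through scan(); a hit that is not 403/404 after the restriction was put in place means the block is not being enforced.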
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- FusionPBX/FusionPBX
Patches
1 file changed · +0 −53
resources/cmd.php+0 −53 removed@@ -1,53 +0,0 @@ -<?php -/* - FusionPBX - Version: MPL 1.1 - - The contents of this file are subject to the Mozilla Public License Version - 1.1 (the "License"); you may not use this file except in compliance with - the License. You may obtain a copy of the License at - http://www.mozilla.org/MPL/ - - Software distributed under the License is distributed on an "AS IS" basis, - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - for the specific language governing rights and limitations under the - License. - - The Original Code is FusionPBX - - The Initial Developer of the Original Code is - Mark J Crane <markjcrane@fusionpbx.com> - Portions created by the Initial Developer are Copyright (C) 2008-2012 - the Initial Developer. All Rights Reserved. - - Contributor(s): - Mark J Crane <markjcrane@fusionpbx.com> -*/ -include "root.php"; -require_once "resources/require.php"; -require_once "resources/check_auth.php"; -if (if_group("admin") || if_group("superadmin")) { - //access granted -} -else { - echo "access denied"; - exit; -} - -$cmd = $_GET['cmd']; -$rdr = $_GET['rdr']; - -$fp = event_socket_create($_SESSION['event_socket_ip_address'], $_SESSION['event_socket_port'], $_SESSION['event_socket_password']); -if ($fp) { - $response = event_socket_request($fp, $cmd); - fclose($fp); -} - -if ($rdr == "false") { - //redirect false - echo $response; -} -else { - header("Location: v_status.php?savemsg=".urlencode($response)); -} -?> \ No newline at end of file
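Review bot: Deleting the file does close the hole, but the hunk shows exactly why it was needed and what to grep for elsewhere: `$cmd = $_GET['cmd'];` goes straight into `event_socket_request($fp, $cmd);` with nothing between them but the `if_group("admin") || if_group("superadmin")` gate, so any other page that forwards a request parameter to the event socket has the same problem. The redirect branch `header("Location: v_status.php?savemsg=".urlencode($response));` also means v_status.php (and any menu entry or form) may still link to resources/cmd.php and now land on a 404; those references should be removed in the same change. Two smaller points for the record, since the file is gone rather than fixed: when `$fp` is false, `$response` is used uninitialized in both output branches, and `echo $response;` writes raw event-socket output into the page without escaping.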
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/fusionpbx/fusionpbx/commit/6baad9af1bc55c80b793af3bd1ac35b39c20b173
- resp3ctblog.wordpress.com/2019/10/19/fusionpbx-sofia-api-command-injection-2/