Unrated severityNVD Advisory· Published Dec 11, 2025· Updated Apr 7, 2026

FreePBX 16 Authenticated Remote Code Execution via API Module

CVE-2024-58294

Description

FreePBX 16 contains an authenticated remote code execution vulnerability in the API module that allows attackers with valid session credentials to execute arbitrary commands. Attackers can exploit the 'generatedocs' endpoint by crafting malicious POST requests with bash command injection to establish remote shell access.

Affected products

Freepbx/Freepbxv5
Range: 16

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.exploit-db.com/exploits/52031mitreexploit
www.vulncheck.com/advisories/freepbx-authenticated-remote-code-execution-via-api-modulemitrethird-party-advisory
www.freepbx.orgmitreproduct
www.youtube.com/watchmitreproduct

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000