Unrated severity · NVD Advisory · Published Sep 15, 2025 · Updated Feb 13, 2026
FreePBX Post-Authenticated Command Injection
CVE-2025-55211
Description
FreePBX is an open-source web-based graphical user interface. From 17.0.19.11 to before 17.0.21, authenticated users of the Administrator Control Panel (ACP) can run arbitrary shell commands by maliciously changing languages of the framework module. This vulnerability is fixed in 17.0.21.
Affected products: 1
Patches: 0
No patches discovered yet.
References
- github.com/FreePBX/security-reporting/security/advisories/GHSA-xg83-m6q5-q24h (mitre, x_refsource_CONFIRM)