CVE-2024-58294

8.8 HIGH

📋 TL;DR

FreePBX 16 contains an authenticated remote code execution vulnerability in the API module. Attackers with valid session credentials can exploit the 'generatedocs' endpoint via bash command injection to execute arbitrary commands and establish remote shell access. This affects all FreePBX 16 installations with the API module enabled.

💻 Affected Systems

Products:
  • FreePBX
Versions: Version 16
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires API module to be enabled and attacker to have valid session credentials. Default installations typically have API functionality accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise allowing attackers to execute arbitrary commands as the web server user, potentially leading to privilege escalation, data exfiltration, lateral movement, and persistent backdoor installation.

🟠 Likely Case

Attackers with stolen or compromised credentials gain shell access to the FreePBX server, enabling them to modify configurations, intercept calls, access sensitive data, and use the system as a foothold for further attacks.

🟢 If Mitigated

With proper network segmentation, credential protection, and monitoring, exploitation would be detected and contained before significant damage occurs.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires valid authentication but is trivial to execute once credentials are obtained. Public exploit code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check FreePBX security updates for version 16 patches

Vendor Advisory: https://www.freepbx.org/

Restart Required: Yes

Instructions:

1. Back up your FreePBX configuration.
2. Update FreePBX to the latest patched version via the admin interface or command line.
3. Restart FreePBX services.
4. Verify the patch is applied.

🔧 Temporary Workarounds

Disable API Module

Temporarily disable the vulnerable API module until patching is possible

Navigate to FreePBX Admin -> Module Admin -> Disable API module

Restrict Network Access

Block external access to FreePBX web interface using firewall rules

iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate FreePBX from critical systems
  • Enforce strong authentication policies and monitor for credential compromise

🔍 How to Verify

Check if Vulnerable:

Check if FreePBX version is 16 and API module is enabled in the admin interface

Check Version:

fwconsole ma list | grep -i freepbx

Verify Fix Applied:

Verify FreePBX version is updated beyond vulnerable version and test API endpoint functionality

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /admin/api/generatedocs endpoint
  • Suspicious command execution patterns in system logs
  • Multiple failed authentication attempts followed by successful API access

Network Indicators:

  • Unusual outbound connections from FreePBX server
  • Traffic patterns indicating reverse shell establishment

SIEM Query:

source="freepbx.log" AND (uri="/admin/api/generatedocs" OR cmd="bash" OR cmd="sh")
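The log indicators above, turned into a small scanner as an added example (not code from the advisory or the FreePBX project): it assumes the web server in front of FreePBX writes Apache/nginx combined-format access logs and that admin logins fail with 401/403 on paths under /admin/; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:10:01:02 +0000] "POST /admin/config.php HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [10/Jan/2025:10:01:05 +0000] "POST /admin/config.php HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [10/Jan/2025:10:01:09 +0000] "POST /admin/config.php HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.7 - - [10/Jan/2025:10:01:15 +0000] "POST /admin/api/generatedocs HTTP/1.1" 200 88 "-" "curl/8.0"
192.0.2.44 - - [10/Jan/2025:10:05:00 +0000] "GET /admin/config.php?display=dashboard HTTP/1.1" 200 14321 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET = "/admin/api/generatedocs"   # endpoint named in the advisory
FAILED_AUTH = {401, 403}             # assumption: failed admin logins return these codes

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["path"] = d["path"].split("?", 1)[0]   # ignore the query string when matching the endpoint
    return d

def find_indicators(log_text, failed_threshold=2):
    """Return (ip, timestamp, reason) findings: POSTs to the generatedocs endpoint,
    annotated when the same client had >= failed_threshold failed auth attempts earlier."""
    findings = []
    failed = defaultdict(int)   # per-client count of failed auth attempts seen so far
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["status"] in FAILED_AUTH and ev["path"].startswith("/admin/"):
            failed[ev["ip"]] += 1
        if ev["method"] == "POST" and ev["path"] == TARGET:
            reason = f"POST to {TARGET} (status {ev['status']})"
            if failed[ev["ip"]] >= failed_threshold:
                reason += f" after {failed[ev['ip']]} failed auth attempts"
            findings.append((ev["ip"], ev["ts"], reason))
    return findings

if __name__ == "__main__":
    for ip, ts, reason in find_indicators(SAMPLE_LOG):
        print(f"{ts} {ip}: {reason}")
```

Point it at the real access log with `find_indicators(open(path).read())`; any hit is worth a look because documentation generation is not something the admin UI triggers in routine use.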
