CVE-2012-4869
published 2012-09-06


Priority: P181 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 70.25% (99.3th percentile)

The callme_startcall function in recordings/misc/callme_page.php in FreePBX 2.9, 2.10, and earlier allows remote attackers to execute arbitrary commands via the callmenum parameter in a c action.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
sangoma | freepbx | <= 2.10 |
sangoma | freepbx | |

Detection & IOCs (extracted from sources)

  • Detect HTTP GET requests to /recordings/misc/callme_page.php with 'action=c' and CRLF injection sequences (%0D%0A) in the callmenum parameter, particularly containing 'Application:%20system' and 'Data:' strings indicating Asterisk AMI command injection.
  • The exploit injects CRLF sequences into the callmenum parameter to manipulate the Asterisk Manager Interface (AMI) Originate command, injecting 'Application: system' and 'Data: <cmd>' headers. Monitor for %0D%0A or literal CRLF in callmenum GET parameter values.
  • The exploit payload uses a Perl reverse shell via 'perl -MIO -e' executed through the injected AMI system application. Monitor for perl reverse shell process spawned by the asterisk user (uid=100, gid=101).
  • Post-exploitation privilege escalation on Elastix uses 'sudo nmap --interactive' followed by '!sh' to obtain root. Monitor for nmap spawning a shell (child process /bin/sh) from the asterisk user.
  • The Metasploit module brute-forces extension numbers in a configurable range (default 0-100) via sequential GET requests. Detect rapid sequential requests to callme_page.php with incrementing numeric prefixes in the callmenum parameter.
  • Exploitation requires the call to be answered or go to voicemail; a live or voicemail-enabled extension must exist on the target system for the injected AMI Originate command to execute.
  • The vulnerability is pre-authenticated: no credentials are required to exploit it, as the callme_page.php endpoint does not enforce authentication before processing the callmenum parameter.
  • The exploit was tested and confirmed on both Elastix and FreePBX ISO image installs, meaning detection rules should cover both deployment types.
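
The request-side checks from the list above, written as a log scanner. This is an added example, not code from the page's sources or from FreePBX; it assumes combined-format web server access logs, and the function names, sample lines and the run_length threshold are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

REQ = re.compile(r'^(\S+) .*?"GET (\S+) HTTP/[\d.]+"')  # client IP and request target
TARGET = "/recordings/misc/callme_page.php"
LINE = '{ip} - - [06/Sep/2012:10:00:00 +0000] "GET ' + TARGET + '?{q} HTTP/1.1" 200 512'
SAMPLE = [  # constructed log lines using documentation IP ranges, not real traffic
    LINE.format(ip="192.0.2.10", q="action=c&callmenum=5551234"),
    LINE.format(ip="192.0.2.10", q="action=c&callmenum=100%0D%0AApplication:%20system%0D%0AData:%20PLACEHOLDER"),
] + [LINE.format(ip="198.51.100.7", q=f"action=c&callmenum={n}") for n in range(6)]

def inspect_line(line):
    """Return (client, numeric_prefix, findings) for a callme 'c' request, else None."""
    m = REQ.search(line)
    if not m:
        return None
    client, url = m.group(1), urlsplit(m.group(2))
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes %0D%0A
    if not url.path.endswith(TARGET) or "c" not in params.get("action", []):
        return None
    value = params.get("callmenum", [""])[0]
    findings = []
    if "\r" in value or "\n" in value:  # a phone number never contains CR or LF
        findings.append("crlf")
    if re.search(r"[\r\n]\s*application:\s*system", value, re.I):
        findings.append("ami-application-system")
    if re.search(r"[\r\n]\s*data:", value, re.I):
        findings.append("ami-data-header")
    prefix = re.match(r"\d+", value)  # leading digits = extension being tried
    return client, (int(prefix.group()) if prefix else None), findings

def scan(lines, run_length=5):
    """Return (alerts, sweepers): injected requests and clients walking extensions in order."""
    alerts, last, run, sweepers = [], {}, defaultdict(int), set()
    for n, line in enumerate(lines, 1):
        hit = inspect_line(line)
        if hit is None:
            continue
        client, ext, findings = hit
        if findings:
            alerts.append((n, client, findings))
        if ext is not None:  # count consecutive +1 increments per client
            run[client] = run[client] + 1 if last.get(client) == ext - 1 else 1
            last[client] = ext
            if run[client] >= run_length:
                sweepers.add(client)
    return alerts, sweepers
```

Because the endpoint is pre-authenticated, any CR or LF in callmenum is worth alerting on by itself; the AMI header matches only raise confidence.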

CVSS provenance

nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck | 7.5 | HIGH