CVE-2026-28287
Published 2026-03-05
Priority: P2 (69) · CVSS 3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 8.49% (94.4th percentile)
FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5, multiple command injection vulnerabilities exist in the recordings module. This issue has been patched in versions 16.0.20 and 17.0.5.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| freepbx | security-reporting | — | — |
| freepbx | security-reporting | — | — |
| sangoma | freepbx | >= 16.0.17.2 < 16.0.20 | 16.0.20 |
| sangoma | freepbx | >= 17.0.2.4 < 17.0.5 | 17.0.5 |
Detection & IOCs (extracted from sources)
path: Recordings.class.php
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FreePBX Recordings.class.php file Parameter Command Injection Attempt (CVE-2026-28287)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:15; content:"/admin/ajax.php"; http.request_body; content:"file|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; content:"command|3d|"; pcre:"/^(?:convert|gethtml5)/R"; content:"module|3d|recordings"; fast_pattern; reference:url,attackerkb.com/topics/i5qGi63oCf/cve-2026-28287; reference:cve,2026-28287; classtype:attempted-admin; sid:2068314; rev:1;)
- Inspect the `file` parameter in the POST body for shell metacharacters appearing before the next `&`: semicolon (; / %3B), newline (\n / %0A), backtick (` / %60), pipe (| / %7C) or dollar sign ($ / %24). These are the injection vectors the rule's first pcre looks for, raw or percent-encoded.
- The `command` parameter in the POST body must start with `convert` or `gethtml5` for the vulnerable code path to be triggered; the rule's second pcre is anchored immediately after `command=`.
- `module=recordings` is the rule's fast_pattern, so the engine only evaluates the remaining checks on request bodies that contain that string.
- Detection applies to plaintext (non-TLS) traffic at the network perimeter and internally; the destination is the FreePBX server ($HOME_NET).
- MITRE mapping: Initial Access (TA0001) via Exploit Public-Facing Application (T1190). Prioritize alerting on internet-exposed FreePBX admin interfaces.
- Vulnerable versions are FreePBX 16.0.17.2 to before 16.0.20 and 17.0.2.4 to before 17.0.5; patched versions are 16.0.20 and 17.0.5. The rule does not check the version, so correlate alerts with an asset inventory to separate unpatched instances from noise against patched ones.
- The Snort/Suricata rule (SID 2068314) tests the normalized URI buffer with `bsize:15`, the exact length of `/admin/ajax.php`. The normalized `http.uri` buffer includes any query string, so a request that carries any of the parameters in the query string rather than the POST body has a longer URI and will not match; treat that variant as a coverage gap rather than assuming the rule catches it.
- The rule only covers plaintext HTTP; HTTPS-wrapped FreePBX admin interfaces will not be detected without TLS inspection on the sensor or a decrypting proxy in front of the PBX.
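To see what the rule above actually fires on, the following is an added example (not the ET rule itself and not FreePBX code) that transcribes the buffer checks of SID 2068314 into Python and runs them over constructed requests. The function names `rule_2068314_matches` and `classify`, the sample request bodies, and the assumption that the `uri` argument is the normalized `http.uri` buffer (path plus query string) are this example's own; the content-then-relative-pcre retry over later occurrences of the content string is modelled on how the detection engines behave and is likewise an assumption of the example.

```python
import re

# Added example: a Python transcription of the matching logic in ET SID 2068314, so the
# rule's behaviour can be checked offline against constructed requests. It is not the
# rule itself and not FreePBX code; every request below is constructed, not captured.

# Metacharacter alternation copied from the rule's first pcre: ; \n ` | $ raw or %XX-encoded.
_META = r"(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+"
FILE_PCRE = re.compile(r"^[^\x26]*?" + _META)        # value up to the next '&' has a metachar
COMMAND_PCRE = re.compile(r"^(?:convert|gethtml5)")  # value starts with convert or gethtml5
ANCHOR_URI = "/admin/ajax.php"                       # 15 bytes, hence bsize:15


def _content_then_pcre(buf: str, needle: str, pcre: re.Pattern) -> bool:
    """content:"needle"; pcre:/.../R semantics (assumed): if the relative pcre fails after
    one occurrence of the content, the engine retries later occurrences, so all are tried."""
    return any(pcre.search(buf[m.end():]) for m in re.finditer(re.escape(needle), buf))


def rule_2068314_matches(method: str, uri: str, body: str) -> bool:
    """True when a request would fire SID 2068314.

    Checks mirror the rule's sticky buffers, in order:
      http.method        content:"POST"
      http.uri           bsize:15; content:"/admin/ajax.php"
      http.request_body  content:"file="; pcre /R (shell metachar before next '&')
                         content:"command="; pcre:"/^(?:convert|gethtml5)/R"
                         content:"module=recordings"
    Assumption: `uri` is the normalized http.uri buffer, which carries the query string.
    """
    if method != "POST":
        return False
    # bsize is an exact-length test on the whole buffer: a query string makes it longer than 15.
    if len(uri) != len(ANCHOR_URI) or ANCHOR_URI not in uri:
        return False
    if not _content_then_pcre(body, "file=", FILE_PCRE):
        return False
    if not _content_then_pcre(body, "command=", COMMAND_PCRE):
        return False
    return "module=recordings" in body


# Constructed sample requests (not captured traffic): label -> (method, uri, body).
SAMPLES = {
    "inject_semicolon_encoded": ("POST", "/admin/ajax.php",
                                 "module=recordings&command=convert&file=greeting.wav%3Bid"),
    "inject_backtick_second_file": ("POST", "/admin/ajax.php",
                                    "file=a.wav&module=recordings&command=gethtml5&file=x`id`"),
    "benign_convert": ("POST", "/admin/ajax.php",
                       "module=recordings&command=convert&file=greeting.wav"),
    "wrong_command": ("POST", "/admin/ajax.php",
                      "module=recordings&command=delete&file=greeting.wav;id"),
    # Same payload, but two parameters moved to the query string: http.uri is now 50 bytes.
    "params_in_query_string": ("POST", "/admin/ajax.php?module=recordings&command=convert",
                               "file=greeting.wav;id"),
    "get_request": ("GET", "/admin/ajax.php",
                    "module=recordings&command=convert&file=greeting.wav;id"),
}


def classify(samples=SAMPLES) -> dict:
    """Run every sample through the rule logic; returns {label: fired}."""
    return {label: rule_2068314_matches(*req) for label, req in samples.items()}


if __name__ == "__main__":
    for label, fired in classify().items():
        print(f"{'ALERT' if fired else 'pass '}  {label}")
```

The `params_in_query_string` sample is the one to look at when judging coverage: it carries the same metacharacter in `file` and the same `command`, yet `bsize:15` fails because the normalized URI is longer than `/admin/ajax.php`, so the rule is silent. The `inject_backtick_second_file` sample shows why a naive "first `file=` only" check would miss an attacker who sends a benign `file` first.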
CVSS provenance
NVD v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v4.0: 8.6 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
The two vectors disagree on the privilege level required (PR:L in v3.1, PR:H in v4.0) but agree that the attacker must already be authenticated to the admin interface, so exposed admin logins and weak or reused credentials are the realistic precondition for exploitation.
No advisories linked to this vulnerability.
Suricata
ET WEB_SPECIFIC_APPS FreePBX Recordings.class.php file Parameter Command Injection Attempt (CVE-2026-28287)
suricata · 2026-03-17 · CVSS 8.6
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FreePBX Recordings.class.php file Parameter Command Injection Attempt (CVE-2026-28287)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:15; content:"/admin/ajax.php"; http.request_body; content:"file|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; content:"command|3d|"; pcre:"/^(?:convert|gethtml5)/R"; content:"module|3d|recordings"; fast_pattern; reference:url,attackerkb.com/topics/i5qGi63oCf/cve-2026-28287; reference:cve,2026-28287; classtype:attempted-admin; sid:2068314; rev:1; metadata:attack_target Networking_Equipment, tls_sta
No public exploits indexed.
No writeups or analysis indexed.