CVE-2024-58294

CVE Database · CVE-2024-58294

CVE-2024-58294

· HIGHAnalyzed

CVSS v3.1

8.8

CVSS v4.0

8.7

EPSS

3.12%

Published

Dec 11, 2025

Modified

Dec 15, 2025

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

FreePBX 16 contains an authenticated remote code execution vulnerability in the API module that allows attackers with valid session credentials to execute arbitrary commands. Attackers can exploit the 'generatedocs' endpoint by crafting malicious POST requests with bash command injection to establish remote shell access.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-78

Affected Products (1)

sangoma · freepbxvulnerable

References (4)

https://www.exploit-db.com/exploits/52031

ExploitThird Party AdvisoryVDB Entry

https://www.freepbx.org/

Product

https://www.vulncheck.com/advisories/freepbx-authenticated-remote-code-execution-via-api-module

Third Party Advisory

https://www.youtube.com/watch?v=rqFJ0BxwlLI

Exploit

KEV Catalog EPSS Scores Vendors All CVEs