


Remote execution vulnerabilities have been discovered in the "voicemail, core, sms and pms" modules for FreePBX 13+ systems.

Discovered by thongvv3 from Viettel Cyber Security


  • CVSS Base Score: 8.8

  • Impact Subscore: 5.9

  • Exploitability Subscore: 2.8

  • CVSS Temporal Score: 8.4

  • CVSS Environmental Score: 6.0

  • Modified Impact Subscore: 3.5

  • Overall CVSS Score: 6.0

Vulnerable software and versions:

The following versions have the fix:

FreePBX 13 -

  • > Core v13.0.132
  • > PMS v13.0.3

FreePBX 14 -

  • > Core v14.0.29
  • > Voicemail v14.0.7

  • > PMS v14.0.3

  • > SMS v14.0.5

FreePBX 15 -

  • > Core v15.0.22
  • > Voicemail v15.0.23

  • > PMS v15.0.3

  • > SMS v15.0.27

FreePBX 16 -

  • > Core v16.0.63
  • > Voicemail v16.0.38

  • > PMS v16.0.18

  • > SMS v16.0.13

Related Information

Internal use:   FREEI-4350

Further Details:

A Remote Code Evaluation is a vulnerability that can be exploited if user input is injected into a file or a string and executed by the programming language's parser. Usually this behavior is not intended by the developer of the web application. A Remote Code Evaluation can lead to a full compromise of the vulnerable web application and also of the web server.

Remote execution vulnerabilities exist in the affected modules because they allow any type of file to be uploaded (e.g. a PHP file with shell commands in it), which potentially allows an RCE. To prevent this, we now validate the uploaded file's extension and allow only supported formats.
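The extension allowlist described above can be sketched as follows. This is an added example, not the FreePBX patch: the function name `safeUploadName` and the list of accepted audio extensions are assumptions, since the advisory does not name the supported formats.

```php
<?php
declare(strict_types=1);

// Assumption: formats an audio upload might accept; the advisory does not list them.
const ALLOWED_EXTENSIONS = ['wav', 'mp3', 'ogg', 'gsm'];

/**
 * Returns a server-generated storage name for an upload, or null when the
 * client-supplied name fails validation. Hypothetical helper, not FreePBX code.
 */
function safeUploadName(string $clientName): ?string
{
    // Reject NUL bytes and other control characters outright.
    if (preg_match('/[\x00-\x1f\x7f]/', $clientName)) {
        return null;
    }
    // Drop any directory part (handles both / and \ separators).
    $base = basename(str_replace('\\', '/', $clientName));
    // Some filesystems strip trailing dots and spaces, so "a.php." could land as "a.php".
    $base = rtrim($base, '. ');
    $parts = explode('.', strtolower($base));
    if (count($parts) < 2 || $parts[0] === '') {
        return null; // no extension, or a dotfile such as ".htaccess"
    }
    array_shift($parts); // discard the stem; every remaining segment is treated as an extension
    // Every segment must be allowlisted, so "greeting.php.wav" is rejected: some
    // web server handler configurations act on inner extensions. This fails closed
    // for names with extra dots in the stem.
    foreach ($parts as $ext) {
        if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
            return null;
        }
    }
    // Never reuse the client's name on disk; keep only the validated final extension.
    return bin2hex(random_bytes(16)) . '.' . end($parts);
}

// Constructed sample filenames; only the first two are accepted.
$samples = ['greeting.wav', 'Greeting.MP3', 'shell.php', 'shell.php.wav', 'shell.wav.php',
            '../../admin/x.php', 'a.php.', '.htaccess', "x.php\0.wav", 'noext'];
foreach ($samples as $name) {
    $stored = safeUploadName($name);
    printf("%-24s => %s\n", json_encode($name), $stored ?? 'REJECTED');
}
```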

The Sangoma and FreePBX team has deemed this a major security issue. We strongly encourage all users of FreePBX Distro to upgrade to the latest versions noted above. This can be done from the Module Admin GUI or fwconsole. For more information on using Module Admin, please see

Sangoma takes security seriously and requests that any future FreePBX security issue be reported at [email protected]
