HIGH 8.8

CVE-2026-44239: FreePBX Path Traversal Remote Code Execution (8.8 HIGH)

FreePBX, a widely deployed open-source phone system platform, contains a path traversal vulnerability in its Dashboard module that allows authenticated users to execute arbitrary PHP code. By manipulating a parameter in a web request, an attacker can bypass normal file access restrictions and cause the system to load and execute specially-named PHP files from unexpected locations on the server. This is a serious issue because it grants code execution to any user with valid login credentials.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-98
Affected products
1 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

FreePBX is an open source IP PBX. Prior to 16.0.22 and 17.0.5, the Dashboard module's getcontent AJAX handler includes PHP files based on user-supplied input without path sanitization. The $_REQUEST['rawname'] parameter is concatenated into an include() call with a .class.php suffix, allowing path traversal via ../ sequences to include arbitrary .class.php files from the filesystem. The included file's PHP code executes before the subsequent class instantiation error occurs. This vulnerability is fixed in 16.0.22 and 17.0.5.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The Dashboard module's getcontent AJAX handler concatenates the user-supplied $_REQUEST['rawname'] parameter directly into an include() statement with a .class.php suffix, creating a classic path traversal vulnerability. An attacker can inject ../ sequences to traverse the filesystem and specify arbitrary .class.php files for inclusion. Since PHP code in the included file is executed during the include operation, arbitrary code execution occurs before any subsequent class instantiation error. The vulnerability affects FreePBX versions prior to 16.0.22 and 17.0.5. The vector requires network access and valid authentication (PR:L), making this a post-authentication remote code execution flaw.

Business impact

Compromise of a FreePBX instance through this vulnerability grants an authenticated attacker full server code execution, potentially leading to theft of call records and voicemail, manipulation of call routing, deployment of malware, lateral movement into the corporate network, or complete system takeover. For organizations relying on FreePBX for unified communications, this represents a critical availability and confidentiality risk. Even with the authentication requirement, insider threats or compromised user credentials significantly lower the barrier to exploitation.

Affected systems

FreePBX versions 16.x prior to 16.0.22 and 17.x prior to 17.0.5 are vulnerable. Organizations should verify their exact installed version. The vulnerability affects the Dashboard module specifically, so systems with the Dashboard module active are at risk. Any deployment where untrusted or insufficiently privileged users have FreePBX login access should be considered vulnerable if unpatched.

Exploitability

Exploitability is high despite the authentication requirement. The attack surface is the getcontent AJAX endpoint, which does not require administrative privileges—any authenticated user can trigger it. No user interaction is needed (UI:N), and the attack is network-accessible (AV:N) with low attack complexity (AC:L). An attacker need only send a crafted HTTP request with a malicious rawname parameter. Proof-of-concept exploitation is straightforward for anyone with basic familiarity with path traversal and PHP execution contexts.

Remediation

Upgrade FreePBX to version 16.0.22 or later if on the 16.x branch, or to version 17.0.5 or later if on the 17.x branch. Verify the installed version before patching to ensure the upgrade targets the correct branch. After patching, restart the FreePBX service and confirm the Dashboard module is functioning correctly. As an interim measure, restrict network access to the FreePBX web interface using firewall rules or VPN to limit exposure to authenticated users within controlled networks only.

Patch guidance

Check your current FreePBX version via the System Administration > Module Admin interface or by querying the system directly. For version 16.x systems, apply the 16.0.22 update or later. For version 17.x systems, apply the 17.0.5 update or later. Consult the official Sangoma FreePBX security advisory and release notes to verify patch availability for your branch and installation method (source, distro packages, or cloud deployment). Test patches in a non-production environment first to ensure compatibility with local customizations or third-party modules.

Detection guidance

Monitor web server access logs for POST requests to the getcontent AJAX handler containing the rawname parameter with ../ sequences or unusual file paths. Watch for HTTP requests that include directory traversal patterns in request parameters. Inspect FreePBX application logs for unexpected class instantiation errors or PHP warnings that may indicate exploitation attempts. Configure intrusion detection rules to flag requests containing multiple consecutive ../ patterns in URL parameters. Endpoint detection and response (EDR) solutions should alert on unexpected PHP process spawning or file access originating from the web server process.

Why prioritize this

The CVSS 8.8 HIGH severity, combined with post-authentication remote code execution capability and widespread FreePBX deployment in small-to-medium business environments, warrants immediate attention. The low attack complexity and lack of user interaction make this highly exploitable by anyone with valid credentials. Organizations should prioritize patching based on network exposure and the sensitivity of communications data stored in their FreePBX instance.

Risk score, explained

The 8.8 score reflects the combination of high confidentiality, integrity, and availability impact (C:H, I:H, A:H) achievable through remote code execution, network accessibility (AV:N), and low complexity (AC:L). The requirement for prior authentication (PR:L) prevents a 9.0+ critical rating, but this should not provide false confidence—the authentication barrier is often easily overcome through compromised credentials, social engineering, or insider threats. The unified scope (S:U) indicates the compromise is limited to the vulnerable FreePBX system itself, though that system's role in communications infrastructure could indirectly affect other assets.

Frequently asked questions

Do I need administrative privileges to exploit this vulnerability?

No. Any user with valid FreePBX login credentials can exploit this flaw, including standard users with limited privileges. This significantly lowers the barrier to exploitation compared to vulnerabilities requiring admin-level access.

What is the difference between versions 16.0.22 and 17.0.5—which should I upgrade to?

FreePBX maintains multiple release branches for stability. Version 16.x is an earlier stable branch and 17.x is a newer release. Organizations should upgrade to the appropriate fixed version within their current branch (16.0.22 if using 16.x, or 17.0.5 if using 17.x). Consult Sangoma's upgrade documentation before moving between major branches.

Can this vulnerability be exploited without network access to the FreePBX web interface?

No. The vulnerability requires network access to the FreePBX web interface via HTTP/HTTPS and valid authentication credentials. Network segmentation and firewall rules that restrict access to the FreePBX web portal reduce exposure significantly.

What PHP files could an attacker include and execute?

An attacker can include any .class.php file readable by the web server process. This could include FreePBX module files, third-party extensions, or potentially world-readable system PHP files. The scope of exploitable targets depends on the filesystem permissions and installed modules in each environment.

This analysis is provided for informational purposes and reflects publicly available information regarding CVE-2026-44239 as of the publication date. Security assessments should be tailored to your specific environment. Consult official Sangoma FreePBX security advisories for authoritative guidance on affected versions, patches, and remediation steps. Verify all patch version numbers and availability before deployment. SEC.co makes no warranty regarding the completeness or accuracy of this intelligence and recommends independent security validation. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).