Remote Command Execution Vulnerability in FreePBX Products by Sangoma
CVE-2012-4869


Key Information:

Vendor: Sangoma
Status: Vendor
CVE Published: 6 September 2012

Badges: Exploit Exists, Public PoC, EPSS 85%

What is CVE-2012-4869?

The callme_startcall function in recordings/misc/callme_page.php in FreePBX 2.9, 2.10 and earlier allows remote attackers to execute arbitrary commands via the callmenum parameter in a c action. The parameter value is passed through to Asterisk without validation, so an attacker who can reach the page can inject additional directives into the call request it builds and have Asterisk run operating-system commands with the privileges of the Asterisk process. Administrators running an affected version should upgrade to a fixed release and should not expose the FreePBX web interface to untrusted networks.
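A detection check for probing of this endpoint, run over web-server access logs. This is an added example and not code from the advisory page or from FreePBX. It assumes (the page does not say) that attack traffic arrives as GET requests with the parameters in the query string, and that a legitimate callmenum is a dial string of digits, '*', '#' or '+'; the log lines are constructed sample traffic, not real captures.

```python
"""Flag access-log requests that abuse the callmenum parameter of
recordings/misc/callme_page.php (CVE-2012-4869).

Added example; not part of the advisory page or of FreePBX.
Assumptions not stated on the page: GET requests with query-string
parameters, and an extension-only policy for legitimate callmenum values.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample traffic in Apache "combined" format (not real logs).
# Line 2 carries percent-encoded line breaks that decode to extra
# 'Application: system' / 'Data: id' lines inside the callmenum value.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Sep/2012:10:01:12 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=2001 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.77 - - [06/Sep/2012:10:02:30 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=2001%40from-internal%2Fn%0AApplication%3A%20system%0AData%3A%20id HTTP/1.1" 200 512 "-" "curl/7.26.0"
198.51.100.5 - - [06/Sep/2012:10:03:01 +0000] "GET /admin/config.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.77 - - [06/Sep/2012:10:04:15 +0000] "POST /recordings/misc/callme_page.php HTTP/1.1" 200 512 "-" "curl/7.26.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

VULN_PATH = "/recordings/misc/callme_page.php"
# Assumed policy: a real callme target is a dial string, nothing else.
SAFE_CALLMENUM = re.compile(r'^[0-9*#+]{1,32}$')


def classify_callmenum(value):
    """Return a reason string if the decoded callmenum looks hostile, else None."""
    if "\n" in value or "\r" in value:
        # Injected line breaks let the caller append headers (such as
        # 'Application: system') to the originate request handed to Asterisk.
        return "newline_injection"
    if not SAFE_CALLMENUM.match(value):
        return "unexpected_callmenum"
    return None


def analyze_request(ip, method, target):
    """Return a finding dict for a suspicious callme_page.php request, else None."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes %0A
    if params.get("action") != ["c"]:
        return None
    for value in params.get("callmenum", []):
        reason = classify_callmenum(value)
        if reason:
            return {"ip": ip, "method": method, "reason": reason, "callmenum": value}
    return None


def scan_log(text):
    """Parse combined-format lines and collect findings; unparsable lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyze_request(m["ip"], m["method"], m["target"])
        if finding:
            finding["timestamp"] = m["ts"]
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} {f['reason']}: {f['callmenum']!r}")
```

Only query strings are visible in access logs, so a POST body carrying the same payload (the last sample line) is not caught here; pair this with a web-application firewall or request-body logging if POST traffic to the endpoint must be covered, and treat any request to the page from an untrusted network as worth a look regardless of the parameter value.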

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. Public PoC code is also a key component of weaponization, which can lead to ransomware.


EPSS Score

EPSS estimates an 85% probability that exploitation activity against this vulnerability will be observed in the next 30 days.

Timeline

  • Public PoC available
  • Exploit known to exist
  • Vulnerability published
  • Vulnerability reserved
