QwikSec

Security Database

CVE

CWE

Training

CVE-2024-58294

Published: Dec 11, 2025

Modified: Apr 7, 2026

PUBLISHED

Description

FreePBX 16 contains an authenticated remote code execution vulnerability in the API module that allows attackers with valid session credentials to execute arbitrary commands. Attackers can exploit the 'generatedocs' endpoint by crafting malicious POST requests with bash command injection to establish remote shell access.

Vendor	Product	Versions
FreePBX	FreePBX	affected `16`

Weaknesses (CWE)

References

ExploitDB-52031

exploit

Official Product Homepage

product

Original Video Link

product

VulnCheck Advisory: FreePBX 16 Authenticated Remote Code Execution via API Module

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.