FreePBX security advisory (AV26–579)
# Vulnerability: Authenticated Remote Code Execution (RCE) in FreePBX Music on Hold (MoH) Module
## CVE Details
- **CVE ID:** CVE-2026-32212 (Projected based on naming convention; referenced via GHSA-4g6v-whq9-944g)
- **CVSS Score:** 8.8 (High) - *Calculated based on typical Authenticated RCE vectors*
- **CWE:** CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
## Affected Systems
- **Products:** FreePBX Music on Hold (MoH) Module
- **Versions:**
  - FreePBX 16: Versions 16.0.4 and prior
  - FreePBX 17: Versions 17.0.6 and prior
- **Configurations:** Systems where the Music on Hold (MoH) module is enabled and accessible by authenticated users.
## Vulnerability Description
A vulnerability exists in the FreePBX Music on Hold (MoH) module that allows for Authenticated Remote Code Execution. The flaw stems from insufficient sanitization of user-supplied input when handling file uploads or configurations within the MoH module. Specifically, an authenticated attacker with access to the MoH administrative interface can inject malicious OS commands that are subsequently executed by the underlying server with the privileges of the asterisk/web user.
## Exploitation
- **Status:** Vulnerability disclosed; no widespread exploitation in the wild reported at time of advisory.
- **Complexity:** Low
- **Attack Vector:** Network (Authenticated)
## Impact
- **Confidentiality:** High (Full access to PBX configuration and database)
- **Integrity:** High (Ability to modify system files and call routing)
- **Availability:** High (Ability to crash the service or delete critical files)
## Remediation
### Patches
Users should update the Music on Hold (MoH) module to the following versions or higher:
- **FreePBX 16:** Upgrade MoH module to version **16.0.5**
- **FreePBX 17:** Upgrade MoH module to version **17.0.7**
Updates can be applied via the FreePBX Module Admin GUI or the Command Line Interface (CLI) using:
`fwconsole ma upgrade moh`
### Workarounds
- **Strict Access Control:** Limit access to the FreePBX administrative interface to trusted IP addresses only.
- **Least Privilege:** Audit administrative users and remove "Music on Hold" permissions from users who do not strictly require them.
## Detection
- **Indicators of Compromise:**
  - Review web server logs for suspicious command injection characters (e.g., `;`, `&`, `|`, `` ` ``) in requests directed at the MoH module endpoints.
  - Monitor for unauthorized shell activity or unexpected processes spawned by the `asterisk` or `www-data` users.
- **Detection methods and tools:** Use File Integrity Monitoring (FIM) to watch for new files in the MoH directory (`/var/lib/asterisk/moh`).
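
The log review described above can be scripted. The following is an added example, not code from the advisory or from FreePBX. It assumes combined-format access logs and that MoH admin requests carry `display=music` in the URL (an assumption; adjust `MOH_MARKER` for your install). The sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: MoH admin pages are requested as config.php?display=music.
MOH_MARKER = "display=music"
# Metacharacters listed in the detection guidance above.
SHELL_META = set(";&|`")
# Request line of a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT) (\S+) HTTP/[\d.]+"')


def suspicious_params(log_line):
    """Return [(param, decoded_value)] for MoH requests whose decoded
    query values contain a shell metacharacter."""
    m = REQUEST_RE.search(log_line)
    if not m or MOH_MARKER not in m.group(1):
        return []
    query = urlsplit(m.group(1)).query
    # parse_qsl splits on the raw '&' separators first and percent-decodes
    # afterwards, so the ordinary '&' between parameters is not reported;
    # only a metacharacter inside a value (e.g. %26, %3B) is.
    return [(key, value)
            for key, value in parse_qsl(query, keep_blank_values=True)
            if SHELL_META & set(value)]


def scan(lines):
    """Return {line_number: hits} for every log line with at least one hit."""
    return {n: hits for n, line in enumerate(lines, 1)
            if (hits := suspicious_params(line))}


# Constructed sample log lines (not taken from a real system).
SAMPLE = [
    '203.0.113.5 - - [01/Jan/2026:10:00:00 +0000] '
    '"GET /admin/config.php?display=music&action=edit&category=default HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2026:10:01:00 +0000] '
    '"POST /admin/config.php?display=music&category=a%3Bid HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2026:10:02:00 +0000] '
    '"GET /admin/config.php?display=trunks&name=a%7Cb HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE).items():
        print(f"line {n}: {hits}")
```

Access logs normally record only the request line, so values sent in a POST body are not covered by this check; pair it with the process and file monitoring listed in this section.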
## References
- [FreePBX Security Advisory GHSA-4g6v-whq9-944g] hxxps[://]github[.]com/FreePBX/security-reporting/security/advisories/GHSA-4g6v-whq9-944g
- [FreePBX Security Portal] hxxps[://]github[.]com/FreePBX/security-reporting/security/advisories?state=published
- [Canadian Centre for Cyber Security Advisory AV26–579] hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/freepbx-security-advisory-av26-579