CVE-2024-47071: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in FreePBX endpointman
OSS Endpoint Manager is an endpoint manager module for FreePBX. OSS Endpoint Manager module activation can allow authenticated web users unauthorized access to read system files with the permissions of the webserver process. This vulnerability is fixed in 14.0.4.
AI Analysis
Technical Summary
CVE-2024-47071 is a CWE-22 path traversal vulnerability affecting the OSS Endpoint Manager module of FreePBX, a widely used open-source IP telephony system. The vulnerability exists because the module does not properly restrict pathname inputs, allowing authenticated web users to manipulate file paths and access files outside the intended directory boundaries. This can lead to unauthorized reading of arbitrary system files with the privileges of the webserver process, potentially exposing sensitive configuration files, credentials, or other critical data. The vulnerability requires the attacker to be authenticated and to interact with the web interface, which narrows the set of possible attackers to holders of valid web-interface credentials. The CVSS 3.1 base score is 6.8, reflecting a network attack vector with low attack complexity, requiring privileges and user interaction, and resulting in high confidentiality impact but no impact on integrity or availability. The scope is changed, indicating that the vulnerability affects components beyond the initially vulnerable module. The issue was publicly disclosed on October 1, 2024, and fixed in version 14.0.4 of the OSS Endpoint Manager module. No known exploits have been reported in the wild, but the vulnerability's nature makes it a significant risk for organizations relying on FreePBX for telephony services, especially if the web interface is exposed or accessible internally by many users.
Potential Impact
For European organizations, the primary impact is unauthorized disclosure of sensitive system files, which could include configuration files, credentials, or other sensitive data critical to telephony infrastructure security. This could lead to further targeted attacks, such as credential theft or lateral movement within the network. Since FreePBX is commonly used in enterprise telephony systems across Europe, especially in sectors like telecommunications, finance, and government, the confidentiality breach could have serious operational and regulatory consequences, including GDPR violations if personal data is exposed. The vulnerability does not allow modification or denial of service, so operational disruption risk is low. However, the exposure of sensitive files could facilitate subsequent attacks that compromise system integrity or availability. The requirement for authentication limits exposure to internal or semi-trusted users, but insider threats or compromised accounts could exploit this vulnerability. Organizations with exposed or poorly segmented FreePBX web interfaces are at higher risk.
Mitigation Recommendations
European organizations should immediately upgrade the OSS Endpoint Manager module to version 14.0.4 or later, where the vulnerability is fixed. If immediate patching is not possible, restrict access to the FreePBX web interface using network segmentation, firewall rules, or VPN access to limit authenticated users to trusted personnel only. Implement strong authentication mechanisms and monitor user activity for suspicious behavior. Review and harden webserver permissions to minimize the impact of potential file disclosures. Conduct regular audits of FreePBX configurations and logs to detect unauthorized access attempts. Additionally, consider deploying web application firewalls (WAFs) with custom rules to detect and block path traversal attempts. Educate administrators and users about the risks of credential compromise and enforce strict password policies. Finally, maintain an incident response plan to quickly address any detected exploitation attempts.
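To make the log-auditing and hardening advice above concrete, here is an added Python example (not code from FreePBX or the Endpoint Manager module): it flags path traversal attempts in constructed webserver access-log lines, peeling repeated percent-encoding first, and shows the canonicalise-then-contain check that a CWE-22 fix applies before opening a user-supplied file name. The `file` query parameter, request paths and module directory are assumptions, not values taken from the advisory.

```python
import os
import re
from urllib.parse import unquote

# Constructed sample Apache-style access-log lines (not real FreePBX traffic);
# the "file" query parameter is a placeholder, not the advisory's real one.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2024:10:00:01 +0000] "GET /admin/config.php?display=endpointman HTTP/1.1" 200 5120
10.0.0.7 - - [01/Oct/2024:10:00:07 +0000] "GET /admin/config.php?display=endpointman&file=../../../../etc/passwd HTTP/1.1" 200 1984
10.0.0.7 - - [01/Oct/2024:10:00:09 +0000] "GET /admin/config.php?display=endpointman&file=..%252f..%252fetc%252fshadow HTTP/1.1" 403 221
10.0.0.9 - - [01/Oct/2024:10:00:12 +0000] "GET /admin/assets/js/pbxlib.js HTTP/1.1" 200 8812
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
DOTDOT_RE = re.compile(r'(?:^|[^\w.])\.\.(?:[\\/]|$)')  # '..' used as a path segment

def decode_fully(s: str, max_rounds: int = 3) -> str:
    """Peel repeated percent-encoding so %252e%252e%252f becomes '../'."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def find_traversal_attempts(log_text: str):
    """Return (ip, raw_target, status) for requests whose decoded target
    contains a '..' path segment. A 200 on such a line deserves a closer
    look than a 403, which means the server already refused the request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if DOTDOT_RE.search(decode_fully(m.group("target"))):
            hits.append((m.group("ip"), m.group("target"), int(m.group("status"))))
    return hits

# Hypothetical module directory; the real layout is not given by the advisory.
BASE_DIR = "/var/www/html/admin/modules/endpointman"

def resolve_within(base_dir: str, user_path: str):
    """Canonicalise base_dir joined with user_path and return the result only
    if it is still inside base_dir; otherwise return None. Absolute paths and
    '..' segments both fall outside and are rejected."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    return candidate if os.path.commonpath([base, candidate]) == base else None

if __name__ == "__main__":
    for ip, target, status in find_traversal_attempts(SAMPLE_LOG):
        print(f"{ip} {status} {target}")
    print(resolve_within(BASE_DIR, "../../../../../../etc/passwd"))
```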
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2024-09-17T17:42:37.029Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 698f9fdcc9e1ff5ad86c3974
Added to database: 2/13/2026, 10:04:12 PM
Last enriched: 2/13/2026, 10:18:45 PM
Last updated: 2/15/2026, 12:42:11 AM