CVE-2026-28209 is an OS command injection vulnerability classified under CWE-78, found in the FreePBX open-source IP PBX system's security-reporting module. Specifically, the issue arises when the ElevenLabs Text-to-Speech (TTS) engine is used within the recordings module. The vulnerability exists in FreePBX versions from 16.0.17.2 up to but not including 16.0.20, and from 17.0.2.4 up to but not including 17.0.5. The root cause is improper neutralization of special characters in input passed to OS commands, allowing an attacker with high-level privileges to inject and execute arbitrary commands on the underlying operating system. The CVSS v4.0 score is 7.5, indicating high severity, with attack vector being network-based, low attack complexity, and requiring privileged authentication but no user interaction. The vulnerability impacts confidentiality, integrity, and availability with high scope and impact. Although no exploits have been reported in the wild, the presence of this flaw in widely deployed FreePBX versions poses a significant risk. The vendor has released patches in versions 16.0.20 and 17.0.5 to remediate the issue.

If exploited, this vulnerability could allow an attacker with authenticated high privileges to execute arbitrary OS commands on the FreePBX server. This can lead to full system compromise, including unauthorized access to sensitive call data, interception or manipulation of telephony traffic, disruption of telephony services, and potential lateral movement within the network. The impact extends to confidentiality breaches, integrity violations by altering system or call data, and availability disruption through service outages or denial of service. Organizations relying on FreePBX for critical telephony infrastructure, especially those using the ElevenLabs TTS engine, face risks of operational downtime, data leakage, and reputational damage. The requirement for privileged authentication limits exposure but does not eliminate risk, as insider threats or compromised credentials could be leveraged. The lack of known exploits in the wild provides a window for remediation before widespread attacks occur.

Organizations should immediately upgrade FreePBX to versions 16.0.20 or 17.0.5 or later where the vulnerability is patched. If immediate upgrade is not feasible, disable the ElevenLabs Text-to-Speech engine in the recordings module to prevent exploitation. Implement strict access controls and monitoring to limit and detect privileged user activities. Employ network segmentation to isolate FreePBX servers from untrusted networks and reduce attack surface. Regularly audit authentication logs for suspicious access patterns. Additionally, apply input validation and sanitization controls where possible, and consider deploying host-based intrusion detection systems (HIDS) to detect anomalous command executions. Maintain up-to-date backups of telephony configurations and recordings to enable rapid recovery. Finally, educate administrators about the risks of command injection and the importance of credential security.