CVE-2026-28209 is an OS command injection vulnerability classified under CWE-78 found in the FreePBX open-source IP PBX system, specifically within its security-reporting module when integrated with the ElevenLabs Text-to-Speech (TTS) engine in the recordings module. The vulnerability exists in FreePBX versions 16.0.17.2 through 16.0.19.x and 17.0.2.4 through 17.0.4.x. It arises because the application fails to properly sanitize or neutralize special characters or elements in user-supplied input that is passed to operating system commands. This improper neutralization allows an attacker with authenticated high-level privileges to inject and execute arbitrary OS commands on the underlying server. The vulnerability does not require user interaction beyond authentication but does require privileges, limiting exploitation to authorized users or those who can escalate privileges. The impact spans confidentiality, integrity, and availability, as arbitrary command execution can lead to data theft, system compromise, or denial of service. The CVSS 4.0 vector indicates network attack vector, low attack complexity, partial authentication required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits have been reported, the presence of this vulnerability in widely deployed FreePBX versions presents a significant risk. The issue has been addressed and patched in FreePBX versions 16.0.20 and 17.0.5, and users are strongly advised to upgrade to these or later versions.

The vulnerability allows an authenticated user with high privileges to execute arbitrary OS commands, potentially leading to full system compromise. This can result in unauthorized access to sensitive call data, interception or manipulation of telephony functions, disruption of voice services, and potential lateral movement within the network. Organizations relying on FreePBX for critical telephony infrastructure may face service outages, data breaches, and reputational damage. Given FreePBX's widespread use in enterprises, call centers, and government agencies, exploitation could disrupt business communications and expose confidential information. The requirement for authentication limits remote exploitation by unauthenticated attackers but does not eliminate risk from insider threats or compromised credentials. The high impact on confidentiality, integrity, and availability underscores the critical nature of timely patching.

1. Immediately upgrade FreePBX installations to version 16.0.20 or 17.0.5 or later to apply the official patches addressing this vulnerability. 2. Restrict access to the FreePBX administrative interface to trusted networks and enforce strong authentication mechanisms, including multi-factor authentication, to reduce the risk of credential compromise. 3. Monitor system logs and command execution traces for unusual activity indicative of command injection attempts or unauthorized access. 4. Implement network segmentation to isolate telephony infrastructure from general user networks, limiting lateral movement if compromise occurs. 5. Regularly audit user privileges and remove unnecessary high-level access to minimize the number of users who can exploit this vulnerability. 6. Consider deploying application-layer firewalls or intrusion detection/prevention systems capable of detecting command injection patterns targeting FreePBX. 7. Maintain up-to-date backups of configuration and call data to enable rapid recovery in case of compromise.