CVE-2026-28210 is an SQL injection vulnerability classified under CWE-89, found in the security-reporting component of the FreePBX cdr (Call Data Record) module. FreePBX is a widely used open source IP PBX system that manages telephony services. The vulnerability exists in versions prior to 16.0.49 and 17.0.7, where improper neutralization of special elements in SQL commands allows an attacker with high privileges to inject malicious SQL queries. This can lead to unauthorized data access, data manipulation, or disruption of database operations. The CVSS 4.0 base score is 8.6 (high), reflecting network attack vector, low attack complexity, no user interaction, but requiring high privileges. The vulnerability impacts confidentiality, integrity, and availability of the affected systems. Although no exploits have been observed in the wild yet, the flaw poses a significant risk due to the critical nature of telephony data and the potential for attackers to leverage this to compromise call records or system functionality. The issue has been patched in FreePBX versions 16.0.49 and 17.0.7, and users are strongly advised to upgrade.

The vulnerability allows attackers with high privileges to execute arbitrary SQL commands, potentially leading to unauthorized disclosure of sensitive call data records, modification or deletion of telephony data, and disruption of PBX services. This can result in loss of confidentiality of call logs, integrity violations through data tampering, and availability issues if the database or PBX service is destabilized. Organizations relying on FreePBX for critical communications could face operational disruptions, regulatory compliance issues related to data privacy, and reputational damage. The impact is particularly severe in environments where call data is sensitive or legally protected, such as government, healthcare, finance, and large enterprises. Since exploitation does not require user interaction and can be performed remotely over the network, the threat is significant for exposed or poorly segmented PBX deployments.

Organizations should immediately upgrade FreePBX installations to versions 16.0.49 or 17.0.7 or later to apply the official patches addressing this SQL injection vulnerability. In addition, restrict administrative access to the PBX system to trusted networks and users only, employing strong authentication and network segmentation to limit exposure. Regularly audit and monitor database queries and logs for suspicious activity indicative of injection attempts. Implement web application firewalls (WAFs) with rules targeting SQL injection patterns specific to FreePBX modules. Conduct thorough security assessments of PBX systems, including penetration testing focused on injection flaws. Maintain up-to-date backups of call data records and system configurations to enable recovery in case of compromise. Finally, educate system administrators on secure configuration and timely patch management practices for telephony infrastructure.