CVE-2026-28284: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in FreePBX security-reporting
FreePBX is an open source IP PBX. Prior to versions 16.0.10 and 17.0.5, the FreePBX logfiles module contains several authenticated SQL injection vulnerabilities. This issue has been patched in versions 16.0.10 and 17.0.5.
AI Analysis
Technical Summary
CVE-2026-28284 identifies an authenticated SQL injection vulnerability in the FreePBX open-source IP PBX system's security-reporting module, specifically in versions before 16.0.10 and 17.0.5. The vulnerability arises from improper neutralization of special elements used in SQL commands (CWE-89), allowing an attacker with authenticated access and high privileges to inject arbitrary SQL code into database queries. This flaw exists in the logfiles module, which handles security reporting data. Because the vulnerability requires authentication but no additional user interaction, an attacker who has gained administrative or equivalent access can exploit it to manipulate the underlying database. Potential exploitation scenarios include unauthorized extraction of sensitive call logs, modification or deletion of records, or disruption of system operations. The CVSS 4.0 base score is 8.6, reflecting network attack vector, low attack complexity, no user interaction, and high impact on confidentiality, integrity, and availability. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk due to the critical nature of PBX systems in enterprise communications. The issue has been addressed in FreePBX versions 16.0.10 and 17.0.5, which include patches to properly sanitize SQL inputs and prevent injection attacks.
Potential Impact
The impact of CVE-2026-28284 is substantial for organizations relying on FreePBX for telephony and unified communications. Successful exploitation can lead to unauthorized disclosure of sensitive call logs and security reports, potentially exposing confidential communications metadata. Attackers could also alter or delete critical data, undermining the integrity of security monitoring and incident response capabilities. Furthermore, manipulation of database records could disrupt PBX operations, causing denial of service or degraded call handling performance, impacting business continuity. Given that PBX systems often serve as communication backbones in enterprises, government agencies, and service providers, the compromise could facilitate further lateral movement or espionage. The requirement for authenticated access limits exposure to insiders or attackers who have already breached perimeter defenses, but the low complexity and high impact make this vulnerability a serious threat. Organizations that fail to patch may face data breaches, operational outages, and regulatory compliance violations related to data protection.
Mitigation Recommendations
To mitigate CVE-2026-28284, organizations should immediately upgrade FreePBX to versions 16.0.10 or 17.0.5 or later, where the vulnerability is patched. Until upgrades are applied, restrict access to the FreePBX administrative interface to trusted personnel only, using network segmentation, VPNs, or IP whitelisting. Implement strong authentication mechanisms, such as multi-factor authentication, to reduce the risk of credential compromise. Regularly audit user accounts and privileges to ensure only necessary users have high-level access. Monitor FreePBX logs for unusual activity indicative of attempted SQL injection or unauthorized database queries. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the PBX interface. Additionally, maintain up-to-date backups of PBX configurations and call logs to enable recovery in case of data tampering or loss. Finally, educate administrators about the risks of SQL injection and the importance of applying security patches promptly.
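The advisory does not show the affected code, so the following is an added PHP example, not FreePBX's own code and not taken from the advisory. It shows the CWE-89 pattern the analysis describes (a user-supplied value pasted into the SQL text of a log search) next to the prepared-statement form that the patched releases are said to apply, plus an allowlist for the one part of a query that cannot be bound, the ORDER BY identifier. The table name, column names and function names are assumptions chosen for illustration; the SQLite database and its two rows are constructed inline so the file runs stand-alone.

```php
<?php
// Added example (not FreePBX code): CWE-89 in a hypothetical log-search routine,
// first written with string concatenation, then with PDO bound parameters and an
// identifier allowlist. Table and column names are assumptions, not FreePBX's schema.
declare(strict_types=1);

const REPORT_TABLE     = 'sec_report_log';                       // assumed table
const SORTABLE_COLUMNS = ['logged_at', 'event_type', 'src_ip'];  // assumed columns

/**
 * VULNERABLE (illustrative): the filter value and the sort column are spliced
 * directly into the SQL string, so the database parses the input as SQL.
 */
function searchReportsVulnerable(PDO $db, string $eventType, string $sortCol): array
{
    $sql = "SELECT logged_at, event_type, src_ip FROM " . REPORT_TABLE
         . " WHERE event_type = '" . $eventType . "' ORDER BY " . $sortCol;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * HARDENED: the value travels as a bound parameter, never as SQL text. The
 * ORDER BY column is an identifier and cannot be bound, so it is accepted only
 * if it matches one of our own literals exactly.
 */
function searchReportsSafe(PDO $db, string $eventType, string $sortCol): array
{
    if (!in_array($sortCol, SORTABLE_COLUMNS, true)) {
        throw new InvalidArgumentException('unsupported sort column: ' . $sortCol);
    }
    $sql = "SELECT logged_at, event_type, src_ip FROM " . REPORT_TABLE
         . " WHERE event_type = :etype ORDER BY " . $sortCol;
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':etype', $eventType, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demonstration data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE " . REPORT_TABLE . " (logged_at TEXT, event_type TEXT, src_ip TEXT)");
$db->exec("INSERT INTO " . REPORT_TABLE . " VALUES "
        . "('2026-03-01 10:00:00', 'auth_fail', '203.0.113.5'), "
        . "('2026-03-01 10:05:00', 'auth_ok',   '198.51.100.7')");

// A value containing an apostrophe is ordinary data for the hardened function...
$input = "auth'fail";
$rows  = searchReportsSafe($db, $input, 'logged_at');
printf("safe: %d row(s) match the literal value %s\n", count($rows), var_export($input, true));

// ...but the concatenating version hands the apostrophe to the SQL parser. The
// syntax error below is the visible symptom of the same root cause that lets a
// crafted value change the query's meaning.
try {
    searchReportsVulnerable($db, $input, 'logged_at');
} catch (PDOException $e) {
    echo "vulnerable: input was parsed as SQL -> " . $e->getMessage() . "\n";
}

// The identifier allowlist rejects anything that is not a known column name.
try {
    searchReportsSafe($db, 'auth_fail', 'logged_at; DROP TABLE ' . REPORT_TABLE);
} catch (InvalidArgumentException $e) {
    echo "safe: " . $e->getMessage() . "\n";
}
```

The point of the allowlist is that binding covers values only; any part of a statement that is structural (table or column names, sort direction, LIMIT in some drivers) must be mapped from input to a fixed set of strings you wrote yourself. Reviewing a patch for a CWE-89 report means checking both halves: every value bound, every identifier allowlisted.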
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, India, Brazil, Japan, Netherlands, Italy, Spain, South Africa, Singapore, Mexico
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-26T01:52:58.735Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a9d16b61e8e69ef5d12489
Added to database: 3/5/2026, 6:54:35 PM
Last enriched: 3/12/2026, 8:09:49 PM
Last updated: 4/19/2026, 11:19:47 AM