CVE-2026-28284: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in FreePBX security-reporting
FreePBX is an open source IP PBX. Prior to versions 16.0.10 and 17.0.5, the FreePBX logfiles module contains several authenticated SQL injection vulnerabilities. This issue has been patched in versions 16.0.10 and 17.0.5.
AI Analysis
Technical Summary
CVE-2026-28284 is an authenticated SQL injection vulnerability classified under CWE-89, found in the security-reporting module of FreePBX, an open-source IP PBX system widely used for telephony management. The vulnerability exists in versions prior to 16.0.10 and 17.0.5, where the application fails to properly sanitize or neutralize special characters in SQL commands constructed from user input. This improper neutralization allows attackers with authenticated high-level privileges to inject arbitrary SQL code, potentially enabling unauthorized data access, modification, or deletion within the underlying database. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network. The CVSS 4.0 base score of 8.6 reflects the ease of exploitation (low attack complexity), no need for user interaction, and the high impact on confidentiality, integrity, and availability of the system. Although no public exploits have been reported yet, the flaw poses a significant threat to organizations relying on vulnerable FreePBX versions for their telephony infrastructure. The issue was addressed in versions 16.0.10 and 17.0.5 by implementing proper input validation and sanitization to prevent SQL injection attacks.
Potential Impact
The impact of this vulnerability is substantial for organizations using vulnerable FreePBX versions. Successful exploitation can lead to unauthorized access to sensitive telephony logs and configuration data, manipulation or deletion of critical database records, and potential disruption of telephony services. This can result in data breaches exposing call records, user credentials, or other confidential information, undermining organizational privacy and compliance requirements. Integrity of telephony data can be compromised, affecting billing, call routing, and security reporting accuracy. Availability may also be impacted if attackers execute destructive SQL commands or cause database corruption, leading to service outages. Given FreePBX's role in enterprise communications, such disruptions can affect business operations, customer service, and regulatory compliance. The requirement for authenticated access limits the attack surface but does not eliminate risk, especially in environments with weak internal access controls or compromised credentials.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade FreePBX to version 16.0.10 or 17.0.5 (or later), where the issue is patched. If an immediate upgrade is not feasible, restrict access to the security-reporting module to only trusted and necessary users with strong authentication mechanisms. Implement network segmentation and firewall rules to limit access to the FreePBX management interfaces. Conduct regular audits of user accounts and privileges to minimize the number of users with high-level access. Enable detailed logging and monitor database queries for unusual or suspicious activity indicative of SQL injection attempts. Employ Web Application Firewalls (WAFs) with SQL injection detection capabilities as an additional protective layer. Educate administrators on secure credential management and the risks of privilege escalation. Finally, maintain an incident response plan to quickly address any signs of compromise related to this vulnerability.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Netherlands, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-26T01:52:58.735Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a9d16b61e8e69ef5d12489
Added to database: 3/5/2026, 6:54:35 PM
Last enriched: 3/5/2026, 7:02:16 PM
Last updated: 3/5/2026, 9:04:49 PM