CVE-2026-28287: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in FreePBX security-reporting
FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5, multiple command injection vulnerabilities exist in the recordings module. This issue has been patched in versions 16.0.20 and 17.0.5.
AI Analysis
Technical Summary
CVE-2026-28287 is an OS command injection vulnerability categorized under CWE-78, found in the recordings module of FreePBX, an open-source IP PBX system widely used for telephony management. The vulnerability exists in FreePBX versions from 16.0.17.2 up to but not including 16.0.20, and from 17.0.2.4 up to but not including 17.0.5. The root cause is improper neutralization of special elements in OS commands, allowing an attacker with high privileges to inject and execute arbitrary commands on the underlying operating system. The CVSS v4.0 base score is 8.6, indicating a high severity level. The attack vector is network-based with low attack complexity and no user interaction, but it requires high privileges, which typically means administrative access to the PBX management interface. The vulnerability impacts confidentiality, integrity, and availability, as arbitrary command execution can lead to data theft, system manipulation, or denial of service. Although no known exploits are currently reported in the wild, the presence of this vulnerability in critical telephony infrastructure poses a significant risk. The issue has been addressed in FreePBX versions 16.0.20 and 17.0.5, where proper input sanitization and command handling have been implemented to prevent injection.
Potential Impact
The exploitation of CVE-2026-28287 can have severe consequences for organizations relying on FreePBX for their telephony infrastructure. Successful command injection can lead to full system compromise, allowing attackers to execute arbitrary commands with high privileges. This can result in unauthorized access to sensitive call recordings, interception or manipulation of telephony data, disruption of voice services, and potential lateral movement within the network. The confidentiality of communications and recordings can be breached, integrity of the PBX system and its configurations can be altered, and availability of telephony services can be disrupted, impacting business operations. Given the critical role of PBX systems in enterprise communications, such an attack could cause significant operational downtime, financial loss, and reputational damage. The risk is heightened in environments where FreePBX is exposed to untrusted networks or where administrative access controls are weak.
Mitigation Recommendations
To mitigate CVE-2026-28287, organizations should immediately upgrade FreePBX installations to version 16.0.20 or later on the 16.x branch, or 17.0.5 or later on the 17.x branch, where the vulnerability has been patched. In addition to patching, restrict administrative access to the PBX system by implementing strong authentication mechanisms, such as multi-factor authentication and IP allowlisting for management interfaces. Network segmentation should be employed to isolate PBX systems from general user networks and the internet, reducing exposure to potential attackers. Regularly audit and monitor PBX logs for unusual command execution or access patterns indicative of exploitation attempts. Disable or limit unnecessary modules and services within FreePBX to reduce the attack surface. Employ host-based intrusion detection systems (HIDS) to detect anomalous system commands or processes. Finally, maintain an up-to-date inventory of PBX versions deployed and establish a patch management process to promptly address future vulnerabilities.
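To support the inventory step above, the following added example (not code from the advisory or from FreePBX) checks a FreePBX version string against the two affected ranges stated on this page; the host names in the sample inventory are constructed.

```python
"""Affected-range check for CVE-2026-28287 (added example, not from the advisory).

Ranges taken from the advisory text:
  16.0.17.2 <= v < 16.0.20   (fixed in 16.0.20)
  17.0.2.4  <= v < 17.0.5    (fixed in 17.0.5)
Versions are compared numerically per component, so 16.0.9 < 16.0.17.2.
"""
import re

# (lower bound inclusive, upper bound exclusive, fixed version) per branch
AFFECTED_RANGES = [
    ("16.0.17.2", "16.0.20", "16.0.20"),
    ("17.0.2.4", "17.0.5", "17.0.5"),
]

def parse_version(text):
    """Turn '16.0.17.2' into (16, 0, 17, 2); reject anything non-numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in text.split("."))

def version_lt(a, b):
    """True if a sorts before b; missing trailing components count as 0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))

def assess(version_text):
    """Report whether the version falls inside an affected range and the fix version."""
    v = parse_version(version_text)
    for low, high, fixed in AFFECTED_RANGES:
        lo, hi = parse_version(low), parse_version(high)
        if not version_lt(v, lo) and version_lt(v, hi):
            return {"version": version_text, "affected": True, "fixed_in": fixed}
    # Outside the stated ranges: the advisory makes no claim about such versions.
    return {"version": version_text, "affected": False, "fixed_in": None}

def is_affected(version_text):
    return assess(version_text)["affected"]

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [("pbx-a", "16.0.19"), ("pbx-b", "16.0.20"),
                 ("pbx-c", "17.0.2.4"), ("pbx-d", "17.0.5"), ("pbx-e", "16.0.9")]
    for host, ver in inventory:
        r = assess(ver)
        status = f"AFFECTED, upgrade to {r['fixed_in']}" if r["affected"] else "not in stated range"
        print(f"{host}: FreePBX {ver} -> {status}")
```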
Affected Countries
United States, Germany, United Kingdom, India, Brazil, Australia, Canada, France, Japan, Netherlands, South Africa, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-26T01:52:58.735Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a9d16b61e8e69ef5d1248c
Added to database: 3/5/2026, 6:54:35 PM
Last enriched: 3/5/2026, 7:02:30 PM
Last updated: 3/5/2026, 8:38:11 PM