CVE-2026-28287 is an OS command injection vulnerability identified in the recordings module of FreePBX, an open-source IP PBX platform widely used for telephony management. The vulnerability exists in FreePBX versions 16.0.17.2 through 16.0.19.x and 17.0.2.4 through 17.0.4.x. It arises due to improper neutralization of special elements in OS commands (CWE-78), allowing an attacker with high privileges to inject and execute arbitrary operating system commands. The vulnerability does not require user interaction but does require the attacker to have high-level privileges on the system, which could be obtained through other means or insider access. The CVSS 4.0 base score is 8.6, reflecting a high severity with network attack vector, low attack complexity, no privileges required for attack initiation (though the vector states PR:H, meaning privileges are required), and no user interaction. The impact on confidentiality, integrity, and availability is high, as arbitrary command execution can lead to full system compromise, data exfiltration, service disruption, or lateral movement within the network. The vulnerability has been patched in FreePBX versions 16.0.20 and 17.0.5. No public exploits or active exploitation in the wild have been reported yet. Given FreePBX's role in telephony infrastructure, exploitation could disrupt critical communications and expose sensitive call data.

The impact of CVE-2026-28287 is significant for organizations using vulnerable FreePBX versions. Successful exploitation allows attackers to execute arbitrary OS commands with high privileges, potentially leading to full system compromise. This can result in unauthorized access to sensitive call recordings, interception or manipulation of telephony services, disruption of voice communications, and pivoting to other internal systems. For enterprises relying on FreePBX for critical communication, this could cause operational downtime, data breaches, and reputational damage. The vulnerability's network accessibility increases the attack surface, especially if administrative interfaces are exposed externally. Additionally, compromised PBX systems can be leveraged for fraud, such as unauthorized call routing or toll fraud, increasing financial risk. The absence of known exploits currently provides a window for remediation, but the high severity demands urgent attention to prevent future attacks.

1. Immediately upgrade FreePBX installations to versions 16.0.20 or 17.0.5 or later, where the vulnerability is patched. 2. Restrict administrative access to the FreePBX interface using network segmentation, VPNs, and strict firewall rules to limit exposure to trusted IP addresses only. 3. Enforce strong authentication and authorization controls to prevent privilege escalation that could enable exploitation. 4. Regularly audit user accounts and permissions to ensure only necessary high-privilege access is granted. 5. Monitor system and application logs for unusual command execution or access patterns indicative of exploitation attempts. 6. Implement intrusion detection/prevention systems (IDS/IPS) tuned to detect suspicious activity related to FreePBX. 7. Consider deploying application-layer firewalls or web application firewalls (WAF) to filter malicious input targeting the recordings module. 8. Educate administrators on the risks of OS command injection and the importance of timely patching. 9. If immediate patching is not feasible, disable or restrict access to the recordings module temporarily as a stopgap measure. 10. Maintain regular backups of PBX configurations and recordings to enable recovery in case of compromise.