Cyber Resilience

CVE-2022-28055

Severity: Critical · RCE

Published: 04 May 2022

Modified: 21 November 2024
KEV Added: (not listed)
Patch: available (see referenced commit below)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0533 (90.3rd percentile)
Risk Priority: 23 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-28055 is a critical-severity OS Command Injection (CWE-78) vulnerability in FusionPBX (vendor: FusionPBX). Its CVSS base score is 9.8 (Critical).

Operationally, its EPSS score places it in the top 9.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

FusionPBX versions 4.4 and earlier contain a command-injection flaw (CWE-78) in the download-email-logs feature. The vulnerability is reachable over the network without authentication and carries a CVSS 3.1 base score of 9.8, reflecting the ability to execute arbitrary operating-system commands with the privileges of the web-server process.

An unauthenticated remote attacker can supply crafted input to the affected endpoint and obtain code execution, resulting in full confidentiality, integrity, and availability impact on the underlying system. Because the vector requires no user interaction or credentials, automated scanning or direct exploitation from the public Internet is feasible.

The referenced commit in the FusionPBX repository (4e260b170e17705c4c9ccf787be7711b63a40868) implements the corrective change; administrators should apply the corresponding patch or upgrade to a later release that contains the fix.

EPSS for the CVE has remained flat at 0.0533 with no material increase after disclosure, indicating limited observed exploitation interest to date.

EU & UK References

Vulnerability details

Fusionpbx v4.4 and below contains a command injection vulnerability via the download email logs function.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: fusionpbx
Product: fusionpbx
Versions: ≤ 4.4.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

Addresses CWE-78: Validates inputs to block special elements that would alter OS command execution.
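The following is an added illustration of this control; it is example code written for this page, not FusionPBX's code, and it says nothing about how the affected download-email-logs function is actually implemented. The parameter name, the log directory, the archive path and the use of tar are all assumptions chosen for the example. It contrasts the CWE-78 pattern (a user-supplied value concatenated into a shell command string) with the mitigated pattern (a strict allowlist on the value, plus execution as an argument vector with no shell), and includes a metacharacter check of the kind a reviewer or a WAF/log-triage rule can apply to request parameters.

```python
import re
import subprocess

# Constructed allowlist for a log-file name parameter: must start with an
# alphanumeric, may then contain letters, digits, dot, dash or underscore,
# at most 64 characters in total. No path separators, spaces or shell syntax.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

# Characters with special meaning to POSIX shells; useful for a quick
# detection check on inbound parameters (not a substitute for the allowlist).
SHELL_META = set(";|&$`<>(){}\n\r'\"\\*?!")

# Hypothetical locations used only by this example.
LOG_DIR = "/var/log/mail/"
ARCHIVE = "/tmp/logs.tgz"


def has_shell_metachars(value: str) -> bool:
    """Detection helper: True if the value contains any shell metacharacter."""
    return any(ch in SHELL_META for ch in value)


def validate_log_name(name: str) -> str:
    """Allowlist validation: return the name unchanged or raise ValueError.

    The '..' check is explicit because the allowlist permits dots and we do
    not want a traversal component even though '/' is already excluded.
    """
    if not SAFE_NAME.fullmatch(name) or ".." in name:
        raise ValueError(f"rejected log name: {name!r}")
    return name


def build_command_unsafe(name: str) -> str:
    """The CWE-78 pattern: untrusted input interpolated into a shell string.

    Anything the caller later passes this string to with a shell (for example
    subprocess.run(..., shell=True)) will interpret metacharacters in `name`.
    Shown only so the contrast with build_command_safe is visible.
    """
    return f"tar -czf {ARCHIVE} {LOG_DIR}{name}"


def build_command_safe(name: str) -> list[str]:
    """Mitigated form: validated value placed in an argv list, no shell."""
    return ["tar", "-czf", ARCHIVE, LOG_DIR + validate_log_name(name)]


def run_safe(name: str) -> subprocess.CompletedProcess:
    """Execute the mitigated command; shell=False means no shell parsing."""
    return subprocess.run(build_command_safe(name), shell=False, check=True)


if __name__ == "__main__":
    # Constructed sample inputs: one benign, one carrying shell syntax.
    for candidate in ("maillog-2022-05.txt", "x;id"):
        print(candidate, "metachars:", has_shell_metachars(candidate))
        try:
            print("  argv:", build_command_safe(candidate))
        except ValueError as exc:
            print("  rejected:", exc)
```

The allowlist is the primary control: it rejects the value before any command is built. Executing via an argument vector with `shell=False` is the second layer, so that even a value that slipped past validation would reach tar as a single literal argument rather than be parsed by a shell. The metacharacter check is deliberately separate; it is a cheap signal for monitoring request parameters, not the thing the application should rely on.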

References