CVE-2022-28055
Published: 04 May 2022
Summary
CVE-2022-28055 is a critical-severity OS Command Injection (CWE-78) vulnerability in FusionPBX. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 9.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
FusionPBX versions 4.4 and earlier contain a command-injection flaw (CWE-78) in the download-email-logs feature. The vulnerability is reachable over the network without authentication and carries a CVSS 3.1 base score of 9.8, reflecting the ability to execute arbitrary operating-system commands with the privileges of the web-server process.
An unauthenticated remote attacker can supply crafted input to the affected endpoint and obtain code execution, resulting in full confidentiality, integrity, and availability impact on the underlying system. Because the vector requires no user interaction or credentials, automated scanning or direct exploitation from the public Internet is feasible.
The referenced commit in the FusionPBX repository (4e260b170e17705c4c9ccf787be7711b63a40868) implements the corrective changes; administrators should apply the corresponding patch or upgrade to a later release that contains the fix.
The EPSS score for this CVE has remained flat at 0.0533 with no material increase since disclosure, indicating limited observed exploitation interest to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-32541
Vulnerability details
Fusionpbx v4.4 and below contains a command injection vulnerability via the download email logs function.
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.