Cyber Posture

CVE-2026-28287

HighRCE

Published: 05 March 2026

Published
05 March 2026
Modified
06 March 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0016 36.3th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-28287 is a high-severity OS Command Injection (CWE-78) vulnerability in Sangoma Freepbx. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 36.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mitigates the CVE by requiring identification, reporting, and correction of the command injection flaw through patching to FreePBX versions 16.0.20 or 17.0.5.

SI-10 Information Input Validation good match
prevent

Prevents command injection (CWE-78) in the recordings module by validating and sanitizing untrusted inputs to block arbitrary OS command execution.

AC-6 Least Privilege partial match
prevent

Limits damage from low-privilege (PR:L) exploitation by enforcing least privilege, restricting the scope of injected commands.

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

Command injection vulnerability in FreePBX enables remote exploitation of the service for arbitrary Unix shell command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5, multiple command injection vulnerabilities exist in the recordings module. This issue has been patched in versions 16.0.20 and 17.0.5.

Deeper analysisAI

CVE-2026-28287 involves multiple command injection vulnerabilities (CWE-78) in the recordings module of FreePBX, an open-source IP PBX software. The flaws affect versions from 16.0.17.2 up to but excluding 16.0.20, and from 17.0.2.4 up to but excluding 17.0.5.

The vulnerability carries a CVSS v3.1 base score of 8.8 (High), with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. An attacker with low-privilege network access, such as an authenticated user, can exploit it remotely with low complexity and no user interaction required. Successful exploitation enables arbitrary command execution, leading to high impacts on confidentiality, integrity, and availability of the affected system.

The FreePBX security advisory (GHSA-9vv6-h8v6-rp4q) at https://github.com/FreePBX/security-reporting/security/advisories/GHSA-9vv6-h8v6-rp4q confirms the issue and states that it has been patched in FreePBX versions 16.0.20 and 17.0.5. Administrators should prioritize upgrading to these versions for mitigation.

Details

CWE(s)
CWE-78

Affected Products

sangoma
freepbx
16.0.17.2 — 16.0.20 · 17.0.2.4 — 17.0.5

CVEs Like This One

CVE-2026-28209Same product: Sangoma Freepbx
CVE-2024-58294Same product: Sangoma Freepbx
CVE-2025-57819Same product: Sangoma Freepbx
CVE-2025-55210Same product: Sangoma Freepbx
CVE-2025-66039Same product: Sangoma Freepbx
CVE-2026-28210Same product: Sangoma Freepbx
CVE-2026-28284Same product: Sangoma Freepbx
CVE-2025-64328Same vendor: Sangoma
CVE-2025-11142Shared CWE-78
CVE-2025-56089Shared CWE-78

References