Security Notice: Critical FreePBX / PBXact RCE Vulnerability (ALL Versions)
On September 30th (October 1st in Japan), Schmooze developers announced that a critical vulnerability had been discovered in FreePBX, potentially affecting all current versions of the software.
This vulnerability allows an attacker to bypass authentication and gain full “Administrator” access to the FreePBX / PBXact server when the ARI module is present; that access may then be used to achieve full remote code execution as the user running the Apache process.
We have released updates for users on FreePBX versions 2.9, 2.10, 2.11 and 12 per our security policy which covers releases that have come out over the last 3.5 years. Versions 2.8 and prior can be easily updated to 2.9 or higher through Module Admin which will remove the vulnerability.
For more information on how to confirm if you have been affected by this vulnerability and how to resolve the issue, please follow the link above.
All servers of current QLOOG customers were patched immediately following the announcement. Please be assured that you can continue to use your service as normal. Notifications were also sent to all customers with support subscriptions, including Official FreePBX Support.
If you are unsure whether you have been affected by this vulnerability and require support, please contact us for more information.