FreePBX Recordings Backdoor Upload

Added: 10/14/2016


FreePBX is a web-based open-source graphical user interface used to manage Asterisk PBX, an open-source communication server. The FreePBX System Recordings module allows playback of recorded files.


The System Recordings module in FreePBX 13 and 14 is vulnerable to remote command execution with privilege escalation because certain Ajax requests for files do not require authentication. System Recordings module versions released between August 2015 (13.0.1beta1) and August 2016 (13.0.26) are affected.


Upgrade your System Recordings module to Recordings 13.0.27 or higher. If you are unable to upgrade, do not allow access to the Admin interface from the internet.
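The version bounds above can be checked against an inventory of installed System Recordings module versions. The following is an added example, not part of the original advisory or of FreePBX. The host names, the pre-release ordering (alpha, beta, rc, then final) and the "unknown" result for versions outside 13.x are assumptions.

```python
import re

# Version bounds as stated in the advisory.
FIRST_AFFECTED = "13.0.1beta1"
FIXED = "13.0.27"

# Assumption: pre-release tags sort alpha < beta < rc < final release.
_STAGE = {"alpha": 0, "beta": 1, "rc": 2, "": 3}
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(alpha|beta|rc)(\d+))?$", re.I)


def version_key(text):
    """Turn '13.0.1beta1' or '13.0.26' into a tuple that sorts correctly."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised module version: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    stage = (m.group(2) or "").lower()
    return (numbers, _STAGE[stage], int(m.group(3) or 0))


def classify(version):
    """Classify a System Recordings module version against the advisory."""
    key = version_key(version)
    if key < version_key(FIRST_AFFECTED):
        return "not-listed"      # older than the first affected build
    if key < version_key(FIXED):
        return "affected"        # conservative: pre-releases of 13.0.27 too
    if key[0][0] == 13:
        return "fixed"
    return "unknown"             # advisory gives no 14.x module versions


def hosts_needing_upgrade(inventory):
    """Return the hosts whose module version falls in the affected range."""
    return sorted(h for h, v in inventory.items() if classify(v) == "affected")


if __name__ == "__main__":
    # Constructed inventory: host names and versions are sample data.
    inventory = {
        "pbx-a.example": "13.0.1beta1",
        "pbx-b.example": "13.0.26",
        "pbx-c.example": "13.0.27",
        "pbx-d.example": "14.0.1",
    }
    for host, version in sorted(inventory.items()):
        print(f"{host:15} {version:12} {classify(version)}")
    print("upgrade:", hosts_needing_upgrade(inventory))
```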



Exploit works on FreePBX 10.13.66.