
Critical Zero-Day Vulnerability in FreePBX Allows Unauthenticated RCE (CVSS 10)
FreePBX has disclosed a critical vulnerability, rated CVSS 10.0, that allows unauthenticated remote code execution (RCE): an attacker who can reach an affected system can run arbitrary code on it without any credentials. The flaw is described as a zero-day, so operators should assume it is already being exploited in the wild. FreePBX users are strongly advised to update to the latest patched version without delay.

The impact is significant for any organization that relies on FreePBX for its VoIP communications. A successful exploit hands the attacker the PBX host itself, which means complete system compromise, eavesdropping on and interception of calls, and a foothold from which to move further into the network.

Because a zero-day may already have been exploited before the fix shipped, patching alone is not enough: hosts that were exposed before the update should be checked for signs of compromise, since an attacker who already has code execution on the box is not removed by the patch. Organizations should also have monitoring and detection in place to identify such activity. Where immediate patching is not feasible, compensating controls should be applied in the meantime, above all network segmentation that keeps the PBX off untrusted networks and limits who can reach it.

The incident is another reminder of the ongoing threat to VoIP infrastructure and of the need for robust patch management, segmentation, and up-to-date security controls.
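One way to put the compensating controls above into practice, as an added example that is not code from FreePBX or from the advisory. It assumes that the unauthenticated surface is the FreePBX administrative web interface on TCP 80/443 (the advisory text does not say which listener is affected), that `fwconsole ma list` prints the framework module's version in its module table, and that the operator supplies the vendor's minimum patched version (the page does not name it) together with the trusted admin networks. The version comparison and the ruleset generation are plain POSIX sh; applying the ruleset needs root and nftables.

```shell
#!/bin/sh
# Added example (not from FreePBX or the advisory). Assumptions, all labelled here:
# the unauthenticated surface is the admin web UI on TCP 80/443; 'fwconsole ma list'
# prints a "| framework | <version> | ..." row; the operator supplies the vendor's
# minimum patched version and the trusted admin CIDRs on the command line.
set -eu

# version_ge A B: exit 0 if dotted version A >= B, 1 otherwise. Fields are compared
# numerically; non-numeric separators become dots, so 16.0.40.7-1 sorts above 16.0.40.7.
version_ge() {
    a=$(printf '%s' "$1" | tr -c '0-9.' '.')
    b=$(printf '%s' "$2" | tr -c '0-9.' '.')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ -z "$x" ] && x=0
        [ -z "$y" ] && y=0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Installed framework version, read from fwconsole's module table
# (assumption: the row looks like "| framework | <version> | Enabled | ... |").
installed_framework_version() {
    fwconsole ma list 2>/dev/null |
        awk -F'|' '$2 ~ /^ *framework *$/ { gsub(/ /, "", $3); print $3; exit }'
}

# admin_ui_ruleset "CIDR CIDR ..." [PORTS]: print an nftables ruleset that accepts the
# admin web ports only from the listed IPv4 networks and drops them from everywhere
# else (IPv6 admin access is dropped too, deliberately). SIP and RTP are untouched:
# the aim is to take the unauthenticated admin surface off untrusted networks
# without breaking calls.
admin_ui_ruleset() {
    nets=$1
    ports=${2:-"80, 443"}
    elems=$(printf '%s' "$nets" | tr -s ' ' ',')
    cat <<EOF
table inet freepbx_admin {
    set admin_nets {
        type ipv4_addr
        flags interval
        elements = { $elems }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport { $ports } ip saddr @admin_nets accept
        tcp dport { $ports } drop
    }
}
EOF
}

# Driver: sh freepbx_mitigate.sh <min-patched-version> "<admin CIDRs>"
# Runs only when invoked with both arguments on a host that has fwconsole.
if [ "$#" -ge 2 ] && command -v fwconsole >/dev/null 2>&1; then
    cur=$(installed_framework_version)
    if version_ge "$cur" "$1"; then
        echo "framework $cur is at or above $1; keep the admin UI restricted anyway"
    else
        echo "framework $cur is below $1: patch now; restricting admin UI to $2 meanwhile"
        admin_ui_ruleset "$2" | nft -f -   # needs root; nft reads the ruleset from stdin
    fi
fi
```

The ruleset is a stop-gap, not a fix: it only helps if the vulnerable code is reached through the admin web ports, and a host that was exposed before the rules went in still needs to be checked for compromise and then patched.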