Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
FreePBX is an open source IP PBX. In versions below 16.0.71 and 17.0.6, the backup module does not properly sanitize data during restore operations, potentially leading to compromise if the backup contains carefully crafted hostile data. During backup restore operations, FreePBX extracts selected files from a user-supplied tar archive. If a malicious file exists in the archive, it is read and passed directly to unserialize() without validation, class restrictions, or integrity checks. This issue allows Remote Code Execution during restoration of the backup as the web server user (typically asterisk or www-data). The attack does not require shell access, CLI access, or filesystem write permissions beyond the normal restore workflow. Authentication with a known username that has sufficient access permissions and/or write access to backup files is required. This issue has been fixed in versions 16.0.71 and 17.0.6.
AnalysisAI
Remote code execution in FreePBX versions below 16.0.71 and 17.0.6 allows authenticated low-privileged users with backup access to execute arbitrary PHP code by uploading a malicious tar archive containing a crafted manifest file. The backup module passes attacker-controlled data directly to PHP's unserialize() without class restrictions, enabling PHP object injection that runs as the asterisk or www-data web server user. No public exploit identified at time of analysis, though the upstream fix commits are public on GitHub, making patch-diff exploitation feasible.
Technical ContextAI
FreePBX is a widely deployed open-source web GUI for managing Asterisk-based VoIP PBX systems. The vulnerability sits in the backup module's BackupSplFileInfo model (Models/BackupSplFileInfo.php), where the getMetadata() function reads manifest data extracted from a user-supplied tar backup archive and passes it directly to PHP's unserialize(). This is a textbook CWE-502 (Deserialization of Untrusted Data) flaw: PHP's native unserialize() reconstructs objects of any class present in the application's autoloader, allowing magic methods such as __wakeup() and __destruct() to be invoked on attacker-controlled property values, which is the standard primitive for PHP object injection (POI) chains leading to RCE. The upstream patch (commits 45c57e12 and 64781af5) switches the manifest parser to json_decode() first and only falls back to unserialize() with the 'allowed_classes' => false flag, plus a strict is_array() check - preventing arbitrary class instantiation entirely.
RemediationAI
Vendor-released patch: upgrade to FreePBX backup module 16.0.71 or 17.0.6 (per the GHSA-5v7h-49gr-jcwr advisory and fix commits 45c57e1207cbf9fd1c5f76f8a3e72d204a69a472 and 64781af5c80cce0cff21a981be4d8e6a7a71f2c4 in github.com/FreePBX/backup). Until patching is possible, restrict access to the backup/restore functionality by limiting which administrative roles can perform restores and by auditing/removing accounts that have backup permissions but do not need them, accepting the trade-off that legitimate restore workflows for those users will break. Place the FreePBX admin UI behind a VPN or IP allowlist to remove network reachability for unauthenticated and untrusted networks (side effect: remote administrators must use the VPN). Treat any tar backup archive of unknown provenance as untrusted and avoid performing restore operations from third-party or untrusted-source backups until patched.
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30810