Security announcement: FreePBX Vulnerability Patch

Posted on April 8, 2014 by Andrea Mocherman

If you’re using FreePBX, there’s a good chance you need to secure it.


There’s a vulnerability in the Framework Module for FreePBX versions 2.9 and above. Your SIP trunking credentials may be compromised. The vulnerability notice is documented in FreePBX Ticket 7123 which states that, “config.php has a remote command execution vulnerability which is available without proper authentication.”

The vulnerability has been resolved in the latest release of FreePBX. So, if you are using FreePBX version 2.9 or above, you should make sure your FreePBX is updated to the latest version so that you’re protected from the threat. Lock down your account by following the steps found here.

If you’re a Flowroute customer, you’ll also need to update your credentials.

  1. Login to your Flowroute account and reset your SIP credentials password on the Interconnection tab of your Flowroute Manager.
  2. Re-implement your updated SIP credentials in FreePBX.

Added measure of security:
To further reduce your exposure, you should disable your SIP credentials for outbound calling and use Outbound IP authentication exclusively (if you’re connecting through a static IP).