CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

FreePBX security advisory (AV26-680)

unknown
Serial number: AV26-680 Date: July 9, 2026 On July 9, 2026, FreePBX published security advisories to address vulnerabilities in the following products: FreePBX API (FreePBX 17) – versions prior to 17.0.9 FreePBX Backup (FreePBX 17) – versions prior to 17.0.11 The Cyber Centre encourages users and administrators to review the web links provided, apply the necessary updates and perform the suggested mitigations. Authenticated API generatedocs Host Command Injection Authenticated Arbitrary SSH Key Injection via Backup Module FreePBX Security Advisories

CSIRTS triage

vendor: FreePBXproduct: FreePBXOtheraffected: 17 prior to 17.0.9 for API, 17 prior to 17.0.11 for Backup
What
Multiple vulnerabilities have been identified in FreePBX that could allow command injection and SSH key injection.
Who is affected
Users of FreePBX 17 versions prior to 17.0.9 and 17.0.11 are affected.
Urgency
Remediation is necessary to prevent potential exploitation of these vulnerabilities.
Action
Users should update to the latest versions of FreePBX.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch FreePBX

Get an email when a new FreePBX advisory drops — max one per day, one-click unsubscribe.

Details

Source
Canadian Centre for Cyber Security (CA · national-cert · site)
Severity
unknown
Published
2026-07-09
Exploitation
Not in CISA KEV at last sync

Original advisory: https://cyber.gc.ca/en/alerts-advisories/freepbx-security-advisory-av26-680

More from Canadian Centre for Cyber Security