Metasploit Wrap-Up 03/20/2026: New Exploits

Metasploit just armed hackers with easy command injection hits on FreePBX and AVideo Encoder. Think your PBX is secure? Think again.

Key Takeaways

  • New Metasploit exploits target FreePBX (CVE-2025-64328) and AVideo Encoder (CVE-2026-29058) command injections.
  • LDAP query enhancement skips SACL by default, aiding non-priv access.
  • Seven bug fixes stabilize Framework, from crashes to interface binding.

What if your office phone system — you know, that FreePBX box humming away — is begging to execute arbitrary commands right now?

Metasploit Wrap-Up for 03/20/2026 hits like a caffeine crash. Two new exploit modules. Both from community whiz Chocapikk. Targeting AVideo Encoder’s getImage.php — unauthenticated command injection, CVE-2026-29058. And FreePBX filestore, authenticated but still nasty, CVE-2025-64328. Plus enhancements, seven bug fixes. It’s the usual drill, but sharper this time.

Chocapikk deserves a nod — or a beer. Dropped pull requests #21076 and #20719. The AVideo one? Fires off OS commands without even logging in. Picture this: attacker crafts a malicious image URL, boom, shell access. FreePBX? Needs creds, but auto-detects vulnerable versions. Renames some mixin too, because why not tidy up while pwning.

Adds a new Metasploit exploit module for FreePBX filestore authenticated command injection (CVE-2025-64328) with automatic vulnerable-version detection and full documentation.

That’s straight from the release notes. Succinct. Deadly accurate.

Why Is FreePBX Still a Sitting Duck in 2026?

FreePBX. Beloved open-source PBX. But command injection in filestore? Come on. It’s 2026, folks. We’ve seen this movie — remember the Asterisk exploits back in the 2010s? Same vibe. Vendors patch slow, users drag feet. Metasploit just hands the popcorn to red teamers. Bold prediction: expect ransomware crews to pile on within weeks. That filestore endpoint? Wide open for file uploads turning into code exec. Authenticated, sure — but weak creds are low-hanging fruit.

AVideo Encoder fares no better. getImage.php. Unauthenticated. Processes images, sure, but slips in system calls without a blink. CVE-2026-29058 screams neglect. Streaming platforms everywhere — churches, small broadcasters — running this? Yikes. Chocapikk and team nailed the module. Linux/http path. Ready to rock.

Enhancements? LDAP query tweak from zeroSteiner, #20730. Skips SACL data by default — crucial for non-priv users. No more failed queries because Windows gets picky. New option: LDAP::QuerySacl. Smart. Then Nayeraneru’s #20997: OptTimedelta. Human-friendly time inputs. Module authors, rejoice. No more epoch math headaches.

Bugs squashed: seven of ‘em. g0tmi1k on DHCP interface binding, #20960 — pick your iface, no drama. Docs cleanup, JSON-RPC SSL fix (#21024), cookie jar crash (#21025), reload_all when no modules (#21028), windows/exec non-ASCII (#21081), ldap_esc cert finder auth (#21139). Hemang360 crushes crashes. Solid grind.

Here’s my unique jab: this wrap-up exposes telephony’s eternal Achilles’ heel. FreePBX echoes 2008’s XanTel hacks — unpatched boxes fueling botnets. History rhymes. Companies spin ‘enterprise-ready,’ but Metasploit proves otherwise. PR flacks at Sangoma (FreePBX parent) will tweet patches soon. Too late for the unpatched.

Does Metasploit’s LDAP Fix Save Your Active Directory Queries?

Short answer: yeah, probably. Without it, SACL blocks everything. Non-admin LDAP pulls? Dead. zeroSteiner’s opt-in SACL query — elegant fix. But let’s be real: if you’re querying security descriptors sans privs, your opsec’s already iffy. Still, kudos. Makes pentests smoother.
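As an added illustration (not zeroSteiner's patch or any Metasploit code), here is the LDAP mechanism behind an opt-in SACL query: Active Directory honours the LDAP_SERVER_SD_FLAGS_OID control, whose flag bits select which parts of nTSecurityDescriptor the server returns. Reading a SACL requires ACCESS_SYSTEM_SECURITY, which an ordinary domain user lacks, so a request that includes the SACL bit typically comes back without the attribute; leaving that bit out lets the owner, group and DACL parts through. That the framework's LDAP::QuerySacl option is implemented by toggling exactly this bit is an assumption, as is the keyword name query_sacl used below.

```ruby
# Added example: build and decode the LDAP_SERVER_SD_FLAGS_OID control value.
# Not Metasploit's own code; query_sacl mirrors the page's LDAP::QuerySacl option.

LDAP_SERVER_SD_FLAGS_OID = '1.2.840.113556.1.4.801'

# SECURITY_INFORMATION bits carried in the control value
OWNER_SECURITY_INFORMATION = 0x01
GROUP_SECURITY_INFORMATION = 0x02
DACL_SECURITY_INFORMATION  = 0x04
SACL_SECURITY_INFORMATION  = 0x08

# Flags a plain domain user can satisfy; the SACL bit is added only on request.
def sd_flags(query_sacl: false)
  flags = OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION
  flags |= SACL_SECURITY_INFORMATION if query_sacl
  flags
end

# Minimal BER encoder for the control value, which is SEQUENCE { INTEGER flags }.
def ber_sd_flags_value(flags)
  raise ArgumentError, 'flags must fit in one byte' unless (0..0x7f).cover?(flags)
  int = [0x02, 0x01, flags].pack('C*')   # INTEGER tag, length 1, value
  [0x30, int.bytesize].pack('C*') + int   # SEQUENCE tag, length, contents
end

# Assemble the control as a hash an LDAP client library could serialise.
def sd_flags_control(query_sacl: false)
  {
    oid: LDAP_SERVER_SD_FLAGS_OID,
    criticality: true,
    value: ber_sd_flags_value(sd_flags(query_sacl: query_sacl))
  }
end

# Decode a captured control value back to its flag byte (handy when reviewing a pcap).
def decode_sd_flags_value(bytes)
  b = bytes.bytes
  raise ArgumentError, 'not an SD_FLAGS control value' unless b[0] == 0x30 && b[2] == 0x02 && b[3] == 1
  b[4]
end

if __FILE__ == $PROGRAM_NAME
  # Default (no SACL) request is OWNER|GROUP|DACL = 0x07; with SACL it is 0x0f.
  puts format('default flags 0x%02x, with SACL 0x%02x', sd_flags, sd_flags(query_sacl: true))
end
```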

OptTimedelta? Niche, but welcome. ‘5m30s’ instead of seconds? Users won’t fumble. Metasploit’s maturing — less CLI arcana, more pro.
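To make the convenience concrete, here is an added example of a duration parser in the spirit of a human-friendly time option; it is not the framework's OptTimedelta, and the accepted grammar (d, h, m, s suffixes, or a bare integer meaning seconds) is an assumption about that option's behaviour.

```ruby
# Added example, not Metasploit's OptTimedelta: turn '5m30s' into 330 seconds and back.
# Grammar (assumed): one or more <digits><unit> groups with unit in d/h/m/s, or bare seconds.

UNIT_SECONDS = { 'd' => 86_400, 'h' => 3_600, 'm' => 60, 's' => 1 }.freeze

# Parse a duration string to an integer number of seconds. Raises ArgumentError on
# empty input, unknown units, stray characters or a unit given twice.
def parse_timedelta(str)
  s = str.to_s.strip
  raise ArgumentError, 'empty duration' if s.empty?
  return Integer(s, 10) if s.match?(/\A\d+\z/)                  # bare seconds
  raise ArgumentError, "malformed duration: #{str.inspect}" unless s.match?(/\A(\d+[dhms])+\z/)
  seen = {}
  s.scan(/(\d+)([dhms])/).sum do |num, unit|
    raise ArgumentError, "unit #{unit} repeated in #{str.inspect}" if seen[unit]
    seen[unit] = true
    Integer(num, 10) * UNIT_SECONDS[unit]
  end
end

# Render seconds back in the same compact form, largest unit first (0 => '0s').
def format_timedelta(seconds)
  raise ArgumentError, 'duration must be non-negative' if seconds.negative?
  return '0s' if seconds.zero?
  out = +''
  rem = seconds
  UNIT_SECONDS.each do |unit, size|
    n, rem = rem.divmod(size)
    out << "#{n}#{unit}" if n.positive?
  end
  out
end

# Non-raising check, the shape an option validator would use.
def valid_timedelta?(str)
  parse_timedelta(str)
  true
rescue ArgumentError
  false
end
```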

Bug parade highlights Framework’s churn. Crashes on non-ASCII? Windows exec embarrassment fixed. reload_all sans modules? No splat. JSON-RPC without SSL? Works now. These aren’t sexy, but they keep msfconsole humming. Ignore at peril — unstable tools breed mistakes.

Community shines. Chocapikk, zeroSteiner, g0tmi1k, Hemang360, more. Rapid7 shepherds, but the open-source heart pumps. GitHub PRs tell the truth better than any keynote.

Dry humor time: that Stevie Wonder riff in the title? ‘I Just Called to Say… exploited.’ Cute. But beneath, serious tools for serious work.

Update via msfupdate. Or git clone master. Nightlies for pure OSS. Pro for polish.

Skeptic’s take: great release. But don’t sleep — these CVEs target real deployments. Patch FreePBX. Ditch AVideo if unpatched. Or enjoy the shell.

Frequently Asked Questions

What is CVE-2025-64328 in FreePBX? FreePBX filestore command injection. Authenticated upload leads to OS command exec. Metasploit module auto-detects vulnerable versions.

How bad is AVideo Encoder CVE-2026-29058? Unauthenticated command injection via getImage.php. No login needed. Remote code exec on Linux servers.

Should I update Metasploit now? Yes. Two exploits, LDAP enhancement, crash fixes. msfupdate and go.

Written by James Kowalski

Investigative tech reporter focused on AI ethics, regulation, and societal impact.

Originally reported by Rapid7 Blog