Summary
The FreePBX Music on Hold (MoH) module contains a critical security flaw that allows authenticated attackers to execute arbitrary system commands with the privileges of the Asterisk service.
Authentication with an existing FreePBX administrator account is required.
Common Vulnerabilities and Exposures (CVE)
CVE-2026-45562
Provider Urgency (choice of: Not Defined, Clear, Green, Amber, or Red)
A - Amber
Link to Published GitHub Security Advisory (GHSA) with More Details
Highlights
Users that need specific executables not found in the new allowed list of applications may wish to fork and customize this module for their particular environment and/or modify the custom music on hold configuration files generated by the module.
Provider Urgency is set to Amber because this is a potentially breaking change for an extremely small subset of users with custom apps.
AGAIN, THIS IS A POTENTIAL BREAKING CHANGE FOR AN EXTREMELY SMALL SUBSET OF USERS.