Recently posted on the forum: FreePBX hacked via dialplan - #3 by esarant
Related ticket: Log in - Sangoma Issue Tracker
There are not enough details to say for sure that this was an inband transfer exploit, but it’s plausible. Anyway, it’s what the user claims, and should be tested thoroughly.
I would hope that “Disallow transfer features for inbound callers” is water-tight, but I can be absolutely certain of it if inband transfer features are disabled globally.