Impact
FreePBX contains a command injection flaw in the ElevenLabs Text-to-Speech (TTS) integration within the recordings module, allowing attackers to run arbitrary system commands on the server. Successful exploitation would fully compromise the affected FreePBX instance, giving the attacker complete read, modify and execute capabilities. The weakness is classified as CWE-78 (OS command injection): system commands are built from input that is not properly sanitized. The impact is therefore a loss of integrity and confidentiality on the host, with remote code execution wherever an attacker can reach the vulnerable interface.
Affected Systems
The issue affects the FreePBX platform, tracked under the FreePBX:security-reporting vendor entry. All releases from 16.0.17.2 up to and including 16.0.19, and from 17.0.2.4 up to and including 17.0.4, are vulnerable. Versions 16.0.20 and later, and 17.0.5 and later, include the patch that eliminates the injection point.
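A small triage helper for the affected ranges above, added here as an example and not part of the advisory or of FreePBX itself. It treats a version as affected when it is at or above the first vulnerable release and below the first fixed release stated for that branch, and compares versions numerically so that, for instance, 16.0.2 is not mistaken for a release later than 16.0.19.

```python
from typing import Tuple

# (first affected release, first fixed release) per branch, as stated in the advisory.
# A version is affected when first_affected <= version < first_fixed.
AFFECTED_RANGES = [
    ("16.0.17.2", "16.0.20"),
    ("17.0.2.4", "17.0.5"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '16.0.17.2' into (16, 0, 17, 2) so comparison is numeric, not lexical.

    Plain string comparison gets this wrong ('16.0.2' > '16.0.19' as strings).
    Python tuple comparison orders (16, 0, 17) before (16, 0, 17, 2), so a
    shorter version is treated as the base release of that series.
    A non-numeric component (e.g. a pre-release tag) raises ValueError.
    """
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version: str) -> bool:
    """True if the FreePBX version falls inside a range the advisory lists as vulnerable."""
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if parse_version(first_affected) <= v < parse_version(first_fixed):
            return True
    return False


def assess(version: str) -> str:
    """Return a triage label: 'affected', 'fixed' (patched release of a listed branch),
    or 'outside stated ranges' (a version the advisory does not cover, e.g. 15.x)."""
    v = parse_version(version)
    if is_affected(version):
        return "affected"
    for first_affected, first_fixed in AFFECTED_RANGES:
        branch = parse_version(first_affected)[:2]
        if v[:2] == branch and v >= parse_version(first_fixed):
            return "fixed"
    return "outside stated ranges"


if __name__ == "__main__":
    # Constructed sample inputs, one per outcome.
    for sample in ("16.0.19", "17.0.5", "15.0.36"):
        print(sample, "->", assess(sample))
```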
Risk and Exploitability
The CVSS score of 7.5 indicates high severity, while the EPSS estimate of under 1% suggests that active exploitation is currently unlikely at scale; the vulnerability is not listed in the CISA KEV catalog. However, the flaw can be leveraged once an attacker has authenticated access to the recordings configuration or can otherwise interact with the TTS interface, which is commonly exposed over the web to privileged users. The likely attack path is remote interaction through the web interface, which passes unsanitized arguments to the ElevenLabs integration. Given the high severity and the potential for full system takeover, any deployment in which users can run the TTS function should treat this as a critical risk.
OpenCVE Enrichment