This vulnerability exists in the FreePBX Call Data Record (CDR) reporting module and allows an attacker with authenticated access to inject arbitrary SQL into queries that retrieve CDR data. The injection can lead to unauthorized reading of sensitive call records, modification or deletion of database entries, or other destructive actions. The weakness is a classic SQL Injection identified as CWE-89, which signals unsafe handling of untrusted input. Based on the description, it is inferred that the attacker must possess valid user credentials to exploit this flaw.

Any installation of FreePBX running a version prior to 16.0.49 or 17.0.7 is affected. The vulnerability resides in the FreePBX CDR module and is exposed through the CDR reporting interface. Systems using older FreePBX releases—particularly those including the security-reporting component—must verify their version and apply fixes if necessary.

The CVSS score of 8.6 indicates a high severity overall. With an EPSS below 1% and no current listing in the CISA KEV catalog, the likelihood of widespread exploitation is low, but the remaining factors—namely the requirement for authenticated access and the vulnerable database interface—mean that a knowledgeable attacker could discover and exploit the flaw. The likely attack vector is through the CDR reporting feature, and it is inferred that the attacker must have valid user credentials with access to this feature. Once authenticated, the attacker could manipulate the SQL query parameter to extract or alter data.