The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2021-45461

CVE-2021-45461: Sangoma Restapps RCE Vulnerability

CVE-2021-45461 is a remote code execution vulnerability in Sangoma Restapps for FreePBX that enables attackers to execute arbitrary code. This article covers technical details, affected versions, real-world impact, and mitigation.

Published: February 25, 2026

CVE-2021-45461 Overview

CVE-2021-45461 is a critical remote code execution (RCE) vulnerability affecting FreePBX systems with specific versions of the Rest Phone Apps (restapps) module installed. This vulnerability allows remote attackers to execute arbitrary code on affected systems without authentication, potentially leading to complete system compromise. The vulnerability was actively exploited in the wild in December 2021, making it a significant threat to organizations using vulnerable FreePBX installations.

Critical Impact

Unauthenticated remote attackers can execute arbitrary code on affected FreePBX systems, potentially gaining full control of the VoIP infrastructure and enabling lateral movement within enterprise networks.

Affected Products

  • Sangoma Restapps versions 15.0.19.87 and 15.0.19.88
  • Sangoma Restapps versions 16.0.18.40 and 16.0.18.41
  • Sangoma FreePBX with vulnerable restapps module installed
  • Sangoma PBXact with vulnerable restapps module installed

Discovery Timeline

  • December 2021 - Vulnerability exploited in the wild
  • 2021-12-22 - CVE-2021-45461 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2021-45461

Vulnerability Analysis

This remote code execution vulnerability exists within the Rest Phone Apps (restapps) module of FreePBX. The restapps module provides REST API functionality for phone applications, and specific vulnerable versions contain a flaw that allows unauthenticated attackers to inject and execute arbitrary code on the underlying server.

The vulnerability is particularly dangerous because it requires no authentication and can be exploited remotely over the network. FreePBX systems are commonly deployed as critical VoIP infrastructure, often exposed to the internet or accessible from untrusted network segments. Successful exploitation grants attackers the ability to execute commands with the privileges of the web server process, which typically has significant access to system resources and sensitive configuration data including SIP credentials and call records.

The fact that this vulnerability was exploited in the wild before public disclosure indicates it was likely used as a zero-day attack vector by threat actors targeting VoIP infrastructure.

Root Cause

The root cause of this vulnerability lies in improper input validation within the Rest Phone Apps module. The affected versions (15.0.19.87, 15.0.19.88, 16.0.18.40, and 16.0.18.41) fail to properly sanitize user-supplied input before processing it in a security-sensitive context. This allows attackers to craft malicious requests that bypass security controls and achieve code execution on the target system.

Attack Vector

The attack vector for CVE-2021-45461 is network-based, requiring no user interaction or prior authentication. Attackers can exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable REST API endpoints exposed by the restapps module.

The exploitation flow typically involves:

  1. Identifying a FreePBX system with the vulnerable restapps module installed
  2. Crafting malicious HTTP requests targeting the vulnerable API endpoints
  3. Injecting arbitrary code through the unsanitized input parameters
  4. Achieving remote code execution with web server privileges

Detailed technical exploitation information can be found in the FreePBX Security Advisory and related community discussions.

Detection Methods for CVE-2021-45461

Indicators of Compromise

  • Unexpected HTTP requests to REST API endpoints with malicious payloads
  • Unusual process spawning from the FreePBX web server process (typically Apache or Nginx)
  • Unauthorized modifications to FreePBX configuration files or system binaries
  • Suspicious outbound network connections from the FreePBX server
  • New or modified cron jobs, SSH keys, or user accounts created without authorization

Detection Strategies

  • Monitor web server access logs for anomalous requests to /restapps/ or related API endpoints with unusual parameters
  • Implement file integrity monitoring on critical FreePBX directories including /var/www/html/admin/modules/restapps/
  • Deploy network intrusion detection rules to identify exploitation attempts targeting known vulnerable endpoints
  • Review system logs for unexpected command execution or privilege escalation activities

Monitoring Recommendations

  • Enable comprehensive logging for Apache/Nginx web servers hosting FreePBX
  • Configure alerts for new process creation originating from web server parent processes
  • Implement network segmentation monitoring to detect lateral movement from compromised VoIP systems
  • Regularly audit installed FreePBX modules and their versions using module administration tools

How to Mitigate CVE-2021-45461

Immediate Actions Required

  • Immediately update the Rest Phone Apps module to version 15.0.20 or 16.0.19 or later
  • Audit FreePBX systems for signs of prior compromise if vulnerable versions were deployed
  • Implement network access controls to restrict access to FreePBX administrative interfaces
  • Review and revoke any suspicious credentials or SSH keys that may have been added during a compromise

Patch Information

Sangoma has released fixed versions of the Rest Phone Apps module that address this vulnerability. The patched versions are:

  • Version 15.0.20 - Fixed version for the 15.x branch
  • Version 16.0.19 - Fixed version for the 16.x branch

Administrators should update the restapps module through the FreePBX Module Administration interface or by manually downloading and installing the updated module from the official FreePBX repository. For detailed patch instructions, refer to the FreePBX Security Advisory.

Workarounds

  • If immediate patching is not possible, consider temporarily disabling the Rest Phone Apps module until updates can be applied
  • Implement web application firewall (WAF) rules to filter potentially malicious requests to restapps endpoints
  • Restrict network access to FreePBX administrative interfaces using firewall rules, allowing access only from trusted management networks
  • Place FreePBX systems behind a VPN to prevent direct internet exposure
bash
# Example: Restrict access to FreePBX admin interface via iptables
# Replace 10.0.0.0/24 with your trusted management network
iptables -A INPUT -p tcp --dport 80 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeRCE
  • Vendor/TechSangoma Restapps
  • SeverityCRITICAL
  • CVSS Score9.8
  • EPSS Probability2.99%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • NVD-CWE-noinfo
  • Vendor Resources
  • FreePBX 0-Day Exploit Discussion
  • FreePBX RCE Security Issue
  • FreePBX Security Advisory: RCE
  • Latest CVEs
  • CVE-2026-40322: SiYuan Knowledge Management RCE Vulnerability
  • CVE-2026-40318: SiYuan Path Traversal Vulnerability
  • CVE-2026-40259: SiYuan Auth Bypass Vulnerability
  • CVE-2026-40255: AdonisJS HTTP Server CSRF Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English