An OS Command Injection vulnerability in the endpoint_devicemap.php component of Fonality Trixbox Community Edition allows an attacker to execute commands on the underlying operating system as the “asterisk” user. Note that Trixbox Community Edition has been unsupported by the vendor since 2012. This issue affects: Fonality Trixbox Community Edition, versions 1.2.0 through Versions 1.0 and 1.1 are unaffected.

**Recent assessments:**

**gwillcox-r7** at November 25, 2020 6:12pm UTC reported:

A command injection vulnerability in the `network` POST parameter of the `/maint/modules/endpointcfg/endpoint_devicemap.php` page on Fonality Trixbox Community Edition versions 1.2.0 through allowed remote authenticated attackers to take complete control over the affected devices as the `asterisk` user, and then elevate to `root` by running `sudo nmap --interactive` followed by `!sh` from within `nmap`.

My personal opinion on this is that it is a very wide-ranging vulnerability in terms of the number of versions affected. We are talking over 60% of the released versions of Fonality Trixbox Community Edition were affected by this vulnerability, although the main downside is that Fonality TrixBox Community Edition is no longer supported by its developers. This creates an interesting question, because whilst telephony systems are known to run out-of-date and deprecated software (as is the case with many public service departments), I don’t know if this particular software would still be used in most departments or if they would have just moved on by this point. Particularly given that this software is the community edition, I imagine most users would have moved on to other software by now, but we all know that, like Windows XP, some people will still cling to what they know is tried and true. That being said, I would have to imagine that the numbers have diminished significantly in the time between the last release of Fonality TrixBox Community Edition and now.
Additionally, the requirement for a user to be authenticated to exploit this vulnerability means that simply setting a strong password on affected devices will likely prevent them from being compromised by this vulnerability.

TLDR: An interesting vulnerability, but seeing as the software is no longer supported and it does require authenticated access, it’s probably not something that should be at the top of your priority list unless you know you are running TrixBox Community Edition, in which case, if you can’t upgrade, it is recommended you ensure all devices have a strong password, as this will prevent users from easily being able to exploit this vulnerability.

Assessed Attacker Value: 3
Assessed Attacker Value: 5
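The assessment above names two artefacts a defender can look for on a box that cannot be upgraded: authenticated POST requests to `endpoint_devicemap.php` in the web server access log, and the `asterisk` user running `sudo nmap --interactive` (the root-escalation step) in the sudo/auth log. The following is an added example written for this page, not code from Trixbox, Fonality or the assessor, that runs those two checks over constructed sample log lines and also flags sudoers entries that hand `nmap` to the web user, since any such entry makes the `--interactive`/`!sh` escalation possible. The log formats (Apache combined format with HTTP basic-auth user in the third field, and sudo's standard syslog line) and the sample entries are assumptions made for the example; the sudoers check is a heuristic over simple one-line rules, not a full sudoers parser.

```python
import re
from dataclasses import dataclass

# Injection point named in the assessment (query string, if any, is stripped before comparing).
TARGET_PATH = "/maint/modules/endpointcfg/endpoint_devicemap.php"

# Apache "combined" format: ip ident user [timestamp] "METHOD path proto" status size ...
# On Trixbox the /maint tree sits behind HTTP basic auth, so the user field is populated.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# sudo syslog line: "sudo: <user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r'sudo:\s+(?P<user>\S+)\s*:\s*(?:TTY=\S+\s*;\s*)?PWD=\S+\s*;\s*'
    r'USER=(?P<target>\S+)\s*;\s*COMMAND=(?P<cmd>.+)$'
)


@dataclass
class Finding:
    source: str
    reason: str
    line: str


def find_devicemap_posts(access_lines):
    """Every POST to endpoint_devicemap.php is worth a look: the vulnerable
    parameter is only reachable via POST, and a legitimate admin rarely
    touches this page. Authentication is required, so the user field tells
    you which credential was used (or stolen)."""
    findings = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] == TARGET_PATH:
            findings.append(Finding(
                "access_log",
                f"POST to endpoint_devicemap.php as '{m['user']}' from {m['ip']} (HTTP {m['status']})",
                line))
    return findings


def find_nmap_sudo_escalation(auth_lines, web_user="asterisk"):
    """The web user should never be driving sudo at all; the specific
    'nmap --interactive' invocation is the root-escalation step described
    in the assessment (the !sh command inside nmap is not logged by sudo)."""
    findings = []
    for line in auth_lines:
        m = SUDO_RE.search(line)
        if not m or m["user"] != web_user:
            continue
        cmd = m["cmd"].strip()
        if re.search(r'(^|/)nmap(\s|$)', cmd) and "--interactive" in cmd.split():
            findings.append(Finding(
                "auth_log",
                f"{web_user} ran sudo nmap --interactive as {m['target']} (root shell via !sh)",
                line))
    return findings


def sudoers_grants_nmap(sudoers_lines, web_user="asterisk"):
    """Heuristic hardening check: does a simple one-line sudoers rule for the
    web user mention nmap? Any version of nmap that still supports
    --interactive turns that grant into root. Aliases and multi-line rules
    are not resolved here."""
    for raw in sudoers_lines:
        line = raw.split("#", 1)[0].strip()
        if not line or not line.startswith(web_user + " ") and not line.startswith(web_user + "\t"):
            continue
        if re.search(r'(^|[\s=:,/])nmap(\s|,|$)', line):
            return True
    return False


# Constructed sample input for the example; none of these are real captured logs.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - maint [25/Nov/2020:18:10:41 +0000] "GET /maint/modules/endpointcfg/endpoint_devicemap.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.5 - maint [25/Nov/2020:18:12:03 +0000] "POST /maint/modules/endpointcfg/endpoint_devicemap.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - maint [25/Nov/2020:18:12:30 +0000] "POST /maint/modules/endpointcfg/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
SAMPLE_AUTH_LOG = [
    'Nov 25 18:05:00 trixbox sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/sbin/service httpd restart',
    'Nov 25 18:13:07 trixbox sudo: asterisk : TTY=unknown ; PWD=/var/www/html/maint/modules/endpointcfg ; USER=root ; COMMAND=/usr/bin/nmap --interactive',
    'Nov 25 18:14:10 trixbox sudo: asterisk : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/nmap -sP 10.0.0.0/24',
]
SAMPLE_SUDOERS = [
    "# constructed sudoers fragment",
    "Defaults requiretty",
    "asterisk ALL = NOPASSWD: /usr/bin/nmap, /sbin/service asterisk restart",
]

if __name__ == "__main__":
    for f in find_devicemap_posts(SAMPLE_ACCESS_LOG) + find_nmap_sudo_escalation(SAMPLE_AUTH_LOG):
        print(f"[{f.source}] {f.reason}\n    {f.line}")
    print("sudoers grants nmap to asterisk:", sudoers_grants_nmap(SAMPLE_SUDOERS))
```

The sudo check is deliberately narrow on purpose: it flags the exact escalation the assessment describes, while the third auth-log line (a non-interactive `sudo nmap` by the web user) is left for the sudoers check to catch at the configuration level, where removing the grant closes the path regardless of how nmap is invoked.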