CVE-2026-46512

mwtcmi · Frogman

An input validation flaw in the Frogman PBX control software allows authenticated users with writing privileges to inject arbitrary Asterisk directives.

Executive summary

A critical code injection vulnerability in Frogman allows authenticated attackers to execute arbitrary Asterisk commands, potentially leading to full control over PBX operations.

Vulnerability

The application fails to properly sanitize template parameters used in dialplan configuration. An authenticated user possessing PERM_WRITE capabilities can exploit this to inject malicious directives such as System or SHELL into the Asterisk configuration files.

Business impact

Exploitation allows an attacker to manipulate PBX functionality, potentially intercepting communications, rerouting calls, or executing OS-level commands through Asterisk. With a CVSS score of 9.9, this vulnerability poses a severe threat to the integrity and confidentiality of voice infrastructure.

Remediation

Immediate Action: Upgrade to Frogman version 1.6.2 to resolve the sanitization failures in the dialplan application logic.

Proactive Monitoring: Monitor Asterisk configuration files for unexpected changes or the inclusion of unauthorized directives. Audit user permissions to ensure only authorized personnel have write access to dialplan templates.

Compensating Controls: Implement strict role-based access controls to limit the number of users with PERM_WRITE privileges until the patch is applied.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

The severity of this issue necessitates an immediate update to the latest version of Frogman. Security teams should verify that all write-capable user accounts are strictly managed to minimize the risk of internal or credential-based abuse.