A critical alert highlights two severe remote code execution (RCE) vulnerabilities in FreePBX, affecting the Superfecta module and User Control Panel (UCP). Both vulnerabilities, rated with a CVSS score of 8.6, allow authenticated attackers to gain control over systems. The Superfecta module's flaw arises from unsafe inclusion of PHP files, enabling arbitrary code execution, while the UCP interface is susceptible to command injection due to insufficient input sanitization.
To mitigate these risks, update the affected modules to the specified versions immediately, and restrict access to the Admin panels with measures such as firewalls and VPNs.