External risk intelligence

Frogman PBX Dialplan Injection Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.9)

CVE-2026-46512

Frogman is a headless PBX control system that provides an HTTP API for dialplan management. Systems providing PBX control, telephony management, and API-based configuration are commonly deployed as network-accessible services to facilitate remote communication, integration, and administrative tasks.

Code Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in Frogman, a system used for managing PBX (Private Branch Exchange) telephony controls via an API. The flaw could allow an authenticated attacker to execute arbitrary commands on the underlying system, posing a significant security risk. The main concern is confirming relevance and exposure, as the impact depends on how Frogman is integrated into your communication infrastructure.

  • Unauthenticated attackers could control phone systems.
  • Affects systems managing phone call routing.
  • Confirm if this phone system management tool is used.

Attack Path

How an attacker could exploit the issue

An attacker with write permissions could exploit this vulnerability by sending specially crafted template parameters to the `fm_dialplan_apply` function. This could allow them to inject arbitrary commands into the system's dialplan configuration, leading to the execution of malicious code.

  • Requires authenticated write access.
  • Triggers via crafted template parameters.
  • Allows arbitrary command execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker with write permissions to inject arbitrary Asterisk commands. This could affect the integrity and availability of the PBX system by allowing unauthorized execution of commands, potentially leading to system compromise.

  • PBX system configuration and execution.
  • Unsanitized template parameters allow command injection.
  • Arbitrary command execution and system compromise.

Operational Fix

Recommended remediation, mitigation, and detection steps

To address this critical vulnerability, application owners responsible for the Frogman PBX control system must first identify all instances of the affected technology. Confirming its network reachability and business criticality will guide prioritization. Subsequently, locate the accountable system owner to plan a risk-based remediation, which may involve coordinating with vendors for updates or implementing temporary risk reduction measures.

  • Application owners must own the issue.
  • Verify Frogman's network reachability and criticality.
  • Plan remediation based on exposure and business impact.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Frogman?

Frogman is a headless system designed to manage Private Branch Exchange (PBX) telephony infrastructure. It provides an HTTP API and Message Control Protocol (MCP) that allow administrators to programmatically configure call routing, dialplans, and extensions, effectively serving as an automation layer for business communication systems.

What does CVE-2026-46512 mean?

This CVE identifies a code injection vulnerability, specifically categorized as CWE-94: Improper Control of Generation of Code. Because the application fails to properly sanitize input when updating dialplan templates, an attacker can insert unauthorized instructions directly into the system's configuration files, leading to arbitrary code execution.

How is this vulnerability triggered?

An attacker must have permissions to modify dialplan configurations and send a request to the fm_dialplan_apply function with a confirm:true parameter. The flaw is not triggered by simple read-only actions; it specifically requires a caller with write access to submit specially crafted parameters—such as greeting or file names—that circumvent existing sanitization logic.

Is my system at risk according to Halo Surface Signal?

Halo Surface Signal identifies Frogman as a service often deployed with network accessibility to support remote telephony management and API integrations. If your instance is exposed to the network to facilitate these integrations, it falls under an external classification, increasing the likelihood that it could be targeted by an attacker with the required access.

Do I need to update my Frogman software?

Yes. To resolve the security flaw, you must upgrade your installation to version 1.6.2 or later. Your first step should be to identify all instances of Frogman within your environment, confirm their network reachability, and then work with your system administrators to apply the update and verify that the fix is properly in place.

References