CVE-2025-64328

FreePBX Administration GUI is Vulnerable to Authenticated Command Injection

CVSS 8.6 HIGH · EPSS 84.4% · KEV · CWE-78
In short

FreePBX Endpoint Manager allows authenticated users to inject commands through the SSH connection test feature, potentially giving them control of the system. This is dangerous because an insider or compromised account could take over the entire phone system.

Technical detail

The testconnection function in the filestore module fails to properly sanitize user input before passing it to shell commands (CWE-78). An authenticated attacker with access to the Administrative GUI can inject arbitrary OS commands via the check_ssh_connect() function, executing them as the asterisk user. Valid credentials are required, but once authenticated the attacker gains remote code execution on the underlying system.
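To make the CWE-78 pattern concrete, the following PHP is an added illustration written for this page; it is not FreePBX's code, does not reproduce the filestore module, and uses hypothetical function names (checkSshConnectWeak, validateSshTarget, checkSshConnectSafe). It shows the generic weakness behind an "SSH connection test" handler, where form fields are interpolated into a shell string, beside a hardened form that validates the target and hands an argv array to proc_open() so no shell ever parses user input.

```php
<?php
// Added illustration, not FreePBX code. Hypothetical handler for an
// "SSH connection test" form with host, user and port fields.

// WEAK (CWE-78): form values are interpolated straight into a shell string,
// so any shell metacharacter in $host or $user is executed by /bin/sh
// with the privileges of the web application user.
function checkSshConnectWeak(string $host, string $user, int $port): string
{
    $cmd = "ssh -o BatchMode=yes -p $port $user@$host true 2>&1";
    return (string) shell_exec($cmd);
}

// HARDENED step 1: strict allow-list validation of every field.
function validateSshTarget(string $host, string $user, int $port): bool
{
    $hostOk = (bool) preg_match('/^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$/', $host)
        || filter_var($host, FILTER_VALIDATE_IP) !== false;
    $userOk = (bool) preg_match('/^[a-z_][a-z0-9_-]{0,31}$/', $user);
    $portOk = $port >= 1 && $port <= 65535;
    return $hostOk && $userOk && $portOk;
}

// HARDENED step 2: run ssh without a shell. Passing an argv array to
// proc_open() (PHP >= 7.4) executes the binary directly, so values are
// never parsed as shell syntax; "--" also stops ssh option parsing, which
// covers a host or user that begins with "-".
function checkSshConnectSafe(string $host, string $user, int $port): array
{
    if (!validateSshTarget($host, $user, $port)) {
        return ['ok' => false, 'output' => 'rejected: invalid SSH target'];
    }
    $argv = ['ssh', '-o', 'BatchMode=yes', '-o', 'ConnectTimeout=5',
             '-p', (string) $port, '--', $user . '@' . $host, 'true'];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        return ['ok' => false, 'output' => 'failed to start ssh'];
    }
    $out = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $rc = proc_close($proc);
    return ['ok' => $rc === 0, 'output' => $out];
}

// Example usage with constructed input (no real host is contacted unless it resolves):
// var_dump(validateSshTarget('pbx.example.internal', 'asterisk', 22)); // bool(true)
// var_dump(validateSshTarget('host; id', 'asterisk', 22));            // bool(false)
```

The two hardening steps are independent: validation rejects malformed input early with a clear error, and the argv form of proc_open() removes the shell from the path entirely, so a later loosening of the regular expression cannot reintroduce command injection. Where a shell string is unavoidable, every interpolated value must go through escapeshellarg() instead.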

Summary generated and translated by AI from the official description.
FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore module within the Administrative interface is vulnerable to a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to obtain remote access to the system as an asterisk user. This issue is fixed in version 17.0.3.
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
FreePBX · filestore