External risk intelligence

FreePBX Endpoint Manager Command Injection Vulnerability

CVE advisory | Known Exploit

CVE-2025-64328

A vulnerability in FreePBX Endpoint Manager allows authenticated users to inject commands, potentially granting attackers remote system access. This impacts system integrity and confidentiality. The realistic business risk involves unauthorized data access and system control.

Halo Surface Signal: 2

OS Command Injection

Sangoma Filestore

17.0.2.36 up to, but not including, 17.0.3

External exposure likelihood

Halo Surface Signal score for CVE-2025-64328

The vulnerability exists within the administrative interface of FreePBX and requires a known, authenticated user account to perform the injection. While the administrative interface can be network-reachable, typical deployments place it behind internal network controls or VPNs, making direct public internet exposure uncommon for this specific administrative functionality.

Horizon Alert

Summary of the vulnerability and why it matters

The FreePBX Endpoint Manager, specifically its filestore module, contains a vulnerability that can be exploited by authenticated users. This flaw allows an attacker to inject commands, potentially leading to unauthorized remote access to the system. The impact could include the compromise of the system's integrity and confidentiality.

  • Vulnerable administrative interface module
  • Command injection weakness
  • Remote system access and compromise

Attack Path

How an attacker could exploit the issue

This vulnerability allows an authenticated user to execute commands on the FreePBX system. An attacker with existing access can exploit a flaw in the administrative interface's test connection function. This leads to the attacker gaining control of the system with the privileges of the asterisk user.

  • Requires authenticated user access.
  • Attacker triggers command injection.
  • Attacker gains system control.

Live Threat

Current exploitation, exposure, and threat context

A vulnerability in the FreePBX Endpoint Manager module allows an authenticated user to inject commands, potentially leading to remote access as the asterisk user. This could expose sensitive system information or allow unauthorized actions. Organizations should treat this as a high-risk issue given the potential for significant damage.

  • Attackers require authenticated access.
  • Exploitation is not difficult.
  • Business risk is high.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The FreePBX Endpoint Manager module has a vulnerability that allows an authenticated user to inject commands. This could lead to remote access as the asterisk user, posing a significant risk to affected systems. Organizations should prioritize addressing this vulnerability to maintain system security and prevent unauthorized access.

  • Find affected FreePBX systems.
  • Isolate exposed administrative interfaces.
  • Update to version 17.0.3 or later.
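To support the first and last steps above, here is an added example (not code from the advisory or from Sangoma) that classifies a FreePBX host from its module listing against the affected range 17.0.2.36 up to, but not including, 17.0.3. It assumes Endpoint Manager appears under the raw module name "endpointman" and that the listing has the pipe-delimited table shape of `fwconsole ma list`; the sample listing below is constructed, not captured from a real host.

```python
import re
from typing import Optional, Tuple

# Affected range stated in the advisory: 17.0.2.36 up to, but not including, 17.0.3.
VULN_FROM = (17, 0, 2, 36)
FIXED_IN = (17, 0, 3)
# Assumption: Endpoint Manager is listed under the raw module name "endpointman".
MODULE_NAME = "endpointman"

def parse_version(text: str) -> Tuple[int, ...]:
    """'17.0.2.36' -> (17, 0, 2, 36); a non-numeric suffix like '3beta1' keeps only '3'."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def is_vulnerable(version: str) -> bool:
    """True when the version lies in [17.0.2.36, 17.0.3); tuple ordering handles 4-part numbers."""
    return VULN_FROM <= parse_version(version) < FIXED_IN

def module_version(listing: str, module: str = MODULE_NAME) -> Optional[str]:
    """Pull one module's version from 'fwconsole ma list' style rows: '| name | version | ... |'."""
    for line in listing.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 2 and cells[0] == module:
            return cells[1]
    return None

def check_listing(listing: str) -> str:
    """Classify a host from its module listing: 'vulnerable', 'patched' or 'absent'."""
    ver = module_version(listing)
    if ver is None:
        return "absent"
    return "vulnerable" if is_vulnerable(ver) else "patched"

# Constructed sample in the shape of 'fwconsole ma list' output (not captured from a real host).
SAMPLE_LISTING = """
+-------------+-----------+---------+---------+
| Module      | Version   | Status  | License |
+-------------+-----------+---------+---------+
| core        | 17.0.4.12 | Enabled | GPLv3+  |
| endpointman | 17.0.2.36 | Enabled | GPLv3+  |
+-------------+-----------+---------+---------+
"""

if __name__ == "__main__":
    print(MODULE_NAME, module_version(SAMPLE_LISTING), check_listing(SAMPLE_LISTING))
```

On a real host, feed the live output of `fwconsole ma list` to `check_listing` instead of the sample; a result of "vulnerable" means the module is in the affected range and should be updated to 17.0.3 or later.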

Frequently asked questions

What is FreePBX Endpoint Manager and its role in telephony systems?

FreePBX Endpoint Manager is a module within FreePBX systems designed to manage and configure telephony devices. It allows administrators to control phones and other communication endpoints connected to the FreePBX server, streamlining device management and ensuring proper integration.

What type of security weakness does CVE-2025-64328 represent?

CVE-2025-64328 describes a command injection vulnerability, identified by CWE-78. This weakness enables an attacker to execute arbitrary operating system commands on the targeted system, potentially leading to unauthorized control.

How can an attacker exploit the command injection vulnerability in FreePBX Endpoint Manager?

Exploitation requires an attacker to possess valid credentials for the FreePBX administrative interface. By leveraging the 'testconnection -> check_ssh_connect()' function within the filestore module, an authenticated user can inject commands, leading to remote system access as the 'asterisk' user.

What is the significance of CVE-2025-64328 and its potential impact?

The command injection vulnerability in FreePBX Endpoint Manager poses a high risk due to the potential for an authenticated attacker to gain remote access as the 'asterisk' user. This could lead to significant damage, including the compromise of system integrity and confidentiality. The Halo Surface Signal score of 2 ('Unlikely') is based on the requirement for administrative access, which is typically not exposed to the public internet.

What are the recommended steps to address the FreePBX Endpoint Manager vulnerability?

To mitigate the risks associated with CVE-2025-64328, administrators should identify all affected FreePBX systems. It is crucial to update the FreePBX Endpoint Manager module to version 17.0.3 or later. Additionally, consider isolating any exposed administrative interfaces and applying vendor-provided security guidance.
