Post-Authentication Command Injection Vulnerability in FreePBX Endpoint Manager
CVE-2025-64328

8.6HIGH

Key Information:

Vendor

Freepbx

Status
Security-reporting
Vendor
CVE Published:
7 November 2025

What is CVE-2025-64328?

The FreePBX Endpoint Manager, specifically in versions 17.0.2.36 and later up to 17.0.2.39, contains a command injection vulnerability in its filestore module. This occurs after authentication and can be exploited by an authenticated user through the testconnection -> check_ssh_connect() function. By executing this attack, an unauthorized user may gain remote access to the system as an 'asterisk' user, potentially leading to further unauthorized actions within the FreePBX environment. This vulnerability has been addressed in version 17.0.3.

Affected Version(s)

security-reporting >= 17.0.2.36, < 17.0.3

References

https://github.com/FreePBX/security-reporting/security/ad...
x_refsource_CONFIRM
https://github.com/FreePBX/filestore/blob/f0e3983059271ef...
x_refsource_MISC
https://www.freepbx.org/watch-what-we-do-with-security-fi...
x_refsource_MISC

CVSS V4

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-64328 : Post-Authentication Command Injection Vulnerability in FreePBX Endpoint Manager