CVE-2025-64328
Published: 07 November 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2025-64328 is a post-authentication command injection vulnerability (CWE-78) affecting the filestore module within the Administrative interface of FreePBX Endpoint Manager, a module for managing telephony endpoints in FreePBX systems. The flaw exists in versions 17.0.2.36 and above prior to 17.0.3, specifically in the testconnection -> check_ssh_connect() function.
An authenticated user with high privileges (PR:H) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows the attacker to execute arbitrary commands, obtaining remote access to the system as the asterisk user and resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), with a CVSS v3.1 base score of 7.2.
The vulnerability is addressed in FreePBX Endpoint Manager version 17.0.3. Security advisories from FreePBX and GitHub's security-reporting repository provide details on the issue, including code references, and recommend upgrading to the fixed version for mitigation.
This CVE appears in the CISA Known Exploited Vulnerabilities Catalog, suggesting active real-world exploitation. Additional references include FreePBX documentation on security fixes and Fortinet threat research on a weaponized web shell.
Details
- CWE(s)
- KEV Date Added
- 03 February 2026
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Post-authentication command injection enables exploitation of remote services (T1210) for arbitrary Unix shell command execution (T1059.004) as the asterisk user.