s1
--:--:--UTC

Searching APEX

Starting…

  1. Searching Threats, IOCs & Threat Intelligence locally
  2. Querying external providers
  3. Asking AI Forensic Validator
  4. Creating new entry from validated hit

0s elapsed

CVE-2025-64328

📛 CVE Title

FreePBX Administration GUI is Vulnerable to Authenticated Command Injection

⬇ Download JSON ⚠ View as Threat

Description

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore module within the Administrative interface is vulnerable to a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to obtain remote access to the system as an asterisk user. This issue is fixed in version 17.0.3.

Overview

State
PUBLISHED
Assigner (CNA)
GitHub_M
CVSS severity
HIGH
CVSS score
CVSS 8.6 / 10 8.6 8.6 / 10
CVSS vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Effective score
8.6 / 10 HIGH source: CNA overview
CWE(s)
CWE-78
Reserved
2025-10-30
Published
2025-11-07 03:32 UTC
Last updated
2026-02-13 22:08 UTC
Source
https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2025/64xxx/CVE-2025-64328.json
Linked Threat
CVE-2025-64328 — Sangoma FreePBX: Sangoma FreePBX OS Command Injection Vulnerability

CISA Known Exploited Vulnerabilities CISA KEV

CISA has confirmed in-the-wild exploitation of this CVE. Federal agencies must remediate by the due date below; private orgs should treat it as priority-1.

Vulnerability name
Sangoma FreePBX OS Command Injection Vulnerability
Vendor / project
Sangoma
Product
FreePBX
Date added to KEV
2026-02-03
Remediation due
2026-02-24
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Ransomware campaign use
Unknown
CISA notes
https://github.com/FreePBX/security-reporting/security/advisories/GHSA-vm9p-46mv-5xvw ; https://nvd.nist.gov/vuln/detail/CVE-2025-64328
CISA listing
www.cisa.gov/known-exploited-vulnerabilities-catalog

NVD triage scoring NVD CVE 2.0

Layer NVD adds on top of the CNA's CVE record — published / last-modified timestamps, exploitability / impact subscores, and the FIRST.org EPSS probability that this CVE will be exploited in the wild in the next 30 days.

NVD published
2025-11-07 04:15:47 UTC
NVD last modified
2026-02-24 19:30:59 UTC
NVD CVSS v3.1
CVSS 7.2 / 10 7.2 7.2 / 10 HIGH source: nvd@nist.gov
NVD CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability subscore
1.2 / 10
Impact subscore
5.9 / 10
EPSS score
0.7726 (probability of exploitation in next 30 days)
EPSS percentile
99.00% vs all CVEs — higher = more likely to be exploited, as of 2026-05-24

NVD / KEV / EPSS data refreshed 2026-05-25 05:00 UTC. Re-run the 🛰 Backfill from NVD button above to refresh.

European Union Vulnerability Database ENISA EUVD

ENISA's official EU repository for curated vulnerability intelligence. Carries a separate identifier (EUVD-YYYY-NNNN) and frequently exposes an earlier-published description + CVSS than NVD does.

EUVD ID
EUVD-2025-38232
Assigner
GitHub_M
Published
Nov 7, 2025, 3:32:20 AM
Updated
Feb 13, 2026, 10:08:51 PM
EUVD base score (CVSS 4.0)
8.6 / 10
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EUVD-reported EPSS
75.4100
Vendors
FreePBX
Products
filestore (17.0.2.36, < 17.0.3)
security-reporting (17.0.2.36, < 17.0.3)

ENISA description: FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore module within the Administrative interface is vulnerable to a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to obtain remote access to the system as an asterisk user. This issue is fixed in version 17.0.3.

EUVD references (3)

Affected products (1)
VendorProductVersionsPlatforms
FreePBX filestore >= 17.0.2.36, < 17.0.3 (affected)

Affected products — CPE 2.3 (1) NVD

NVD's normalized CPE 2.3 matchers, used by vendor tools (vulnerability scanners, asset managers) for automated detection. Compare with the CNA's free-text "Affected products" section above.

  • cpe:2.3:a:sangoma:firestore:*:*:*:*:*:freepbx:*:*

Remediations (9)

Remediations are stored against the linked Threat row; the list below is deduplicated across both pages.

  • Patch Tuesday May 2026: Security Updates & CVE Analysis
    web:zecurit.com

    Get the complete breakdown of Microsoft's May 2026 Patch Tuesday. We analyze the latest security updates and all critical CVEs .

    2026-05-14 17:20 UTC
  • Microsoft December 2025 Security Updates / FYI - Microsoft Q&A
    web:learn.microsoft.com

    Microsoft December 2025 Security Updates This release consists of the following 57 Microsoft CVEs : Tag CVE Base Score CVSS Vector Exploitability FAQs? Workarounds? Mitigations ? Windows PowerShell CVE - 2025 -54100 Windows Projected File System…

    2026-05-14 17:20 UTC
  • Security Update Guide - Microsoft
    web:portal.msrc.microsoft.com

    The Security Update Guide provides information on the latest Microsoft security updates, helping users understand and address potential vulnerabilities effectively.

    2026-05-14 17:20 UTC
  • Microsoft Patch Tuesday May 2026 - 120 Vulnerabilities Fixed, Including ...
    web:cybersecuritynews.com

    Microsoft's May 2026 Patch Tuesday lands with a heavy enterprise focus, fixing 120 vulnerabilities across Windows, Office, Azure, developer tools, and Microsoft 365 apps, including 29 remote code execution (RCE) flaws rated Critical.

    2026-05-14 17:20 UTC
  • August 2025 Patch Tuesday: Updates and Analysis | CrowdStrike
    web:www.crowdstrike.com

    Microsoft has released security updates for 107 vulnerabilities, including one publicly disclosed zero-day and 13 critical, in its August 2025 Patch Tuesday rollout.

    2026-05-14 17:20 UTC
  • Dangerous Fake Microsoft Windows Update Confirmed—Do Not Download
    web:www.forbes.com

    As security researchers warn about a dangerous Microsoft Windows update that isn't legitimate, users must pay close attention to what they are actually downloading.

    2026-05-14 17:20 UTC
  • May 2026 Patch Tuesday: no zero-days but plenty to fix
    web:www.malwarebytes.com

    May's Patch Tuesday may not be the giant release many expected, but there are still plenty of important fixes that shouldn't be ignored.

    2026-05-14 17:20 UTC
  • 120 Vulnerabilities Patched: Microsoft's May 2026 Patch Tuesday ...
    web:www.secpod.com

    The second Tuesday of May 2026 marked another major security update release from Microsoft, addressing a broad range of vulnerabilities across Windows, Microsoft Office, SharePoint, Dynamics 365, .NET, DNS Client, and other core enterprise components. While this month's Patch Tuesday did not include any actively exploited or publicly disclosed zero-day vulnerabilities, the release still ...

    2026-05-14 17:20 UTC
  • CISA Required Action
    CISA KEV

    Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Due date: 2026-02-24 Known ransomware campaign use: Unknown

    2026-05-14 01:13 UTC

Vendor references (3)

References embedded in the original CVE record by the assigning CNA.

Web references (5)

DuckDuckGo results ranked by threat-intel / vendor advisory domains. Generated by the 🔎 Find references (web) button above — same flow as the Remediations search.

NVD-tagged references (5)

Reference list NVD curates from the CNA record, vendor advisories, and third-party reports. The tag chips below are NVD's analyst-assigned categories.

Indicators (2)

IOCs linked to the auto-promoted Threat row.

TypeValueVirusTotalAttached
cwe CWE-78 no local data 2026-05-14 02:58 UTC
cve CVE-2025-64328 no local data 2026-05-14 02:58 UTC

Flagged vendors

    AI Forensic Analysis

    Only Available for Registered Users. Sign in to view.

    Raw JSON

    The full cvelistV5 record. Download as CVE-2025-64328.json.

    {
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-64328",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-03T15:25:17.324538Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2026-02-03",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-64328"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-03T17:20:23.555Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "third-party-advisory"
            ],
            "url": "https://www.fortinet.com/blog/threat-research/unveiling-the-weaponized-web-shell-encystphp"
          },
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-64328"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-02-03T00:00:00.000Z",
            "value": "CVE-2025-64328 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "filestore",
          "vendor": "FreePBX",
          "versions": [
            {
              "status": "affected",
              "version": ">= 17.0.2.36, < 17.0.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore module within the Administrative interface is vulnerable to a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to obtain remote access to the system as an asterisk user. This issue is fixed in version 17.0.3."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "privilegesRequired": "HIGH",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-13T22:08:51.717Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/FreePBX/security-reporting/security/advisories/GHSA-vm9p-46mv-5xvw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/FreePBX/security-reporting/security/advisories/GHSA-vm9p-46mv-5xvw"
        },
        {
          "name": "https://github.com/FreePBX/filestore/blob/f0e3983059271efd80b483ec823310ef19a59013/drivers/SSH/testconnection.php#L2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FreePBX/filestore/blob/f0e3983059271efd80b483ec823310ef19a59013/drivers/SSH/testconnection.php#L2"
        },
        {
          "name": "https://www.freepbx.org/watch-what-we-do-with-security-fixes-%f0%9f%91%80",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.freepbx.org/watch-what-we-do-with-security-fixes-%f0%9f%91%80"
        }
      ],
      "source": {
        "advisory": "GHSA-vm9p-46mv-5xvw",
        "discovery": "UNKNOWN"
      },
      "title": "FreePBX Administration GUI is Vulnerable to Authenticated Command Injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-64328",
    "datePublished": "2025-11-07T03:32:20.670Z",
    "dateReserved": "2025-10-30T17:40:52.028Z",
    "dateUpdated": "2026-02-13T22:08:51.717Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}