CVE-2025-64328

7.2 HIGH

📋 TL;DR

FreePBX Endpoint Manager's filestore module contains a post-authentication command injection vulnerability in the SSH test connection function. An authenticated user of the administrative interface can execute arbitrary commands on the host, gaining remote access as the asterisk user (the account the web application and Asterisk run under). This affects FreePBX systems running Endpoint Manager version 17.0.2.36 through 17.0.2.x; the fix ships in 17.0.3.

💻 Affected Systems

Products:
  • FreePBX Endpoint Manager
Versions: 17.0.2.36 through 17.0.2.x (before 17.0.3)
Operating Systems: Linux systems running FreePBX
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the Administrative interface. The vulnerability is in the filestore module's SSH test connection functionality.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining persistent access, installing backdoors, exfiltrating sensitive data, and pivoting to other systems.

🟠

Likely Case

Attacker gains remote shell access as asterisk user, can modify telephony configurations, intercept calls, and potentially escalate privileges.

🟢

If Mitigated

Limited impact if proper network segmentation, least privilege access, and monitoring are in place to contain the asterisk user's capabilities.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authenticated access. The Fortinet blog confirms weaponized exploitation with encyst.php web shell deployment.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 17.0.3

Vendor Advisory: https://github.com/FreePBX/security-reporting/security/advisories/GHSA-vm9p-46mv-5xvw

Restart Required: No

Instructions:

1. Log into the FreePBX Admin interface.
2. Navigate to Module Admin.
3. Check for updates.
4. Update Endpoint Manager to version 17.0.3 or later.
5. Apply configuration changes if prompted.

🔧 Temporary Workarounds

Disable filestore SSH test functionality

linux

Temporarily take the vulnerable testconnection handler out of the web root. Clearing the execute bit (chmod 644) does not help: Apache and PHP do not consult the execute bit when running a .php file, so the file has to be moved, not re-permissioned. The filestore SSH "test connection" button will fail until the patch is applied and the file is restored; if the filestore module itself errors after the move, restore the file and rely on the access restriction below instead.

# Move the handler to a directory outside the web root (the destination is an example); this is also the backup
mv /var/www/html/admin/modules/filestore/drivers/SSH/testconnection.php /root/testconnection.php.backup
# Confirm it is no longer served
ls -l /var/www/html/admin/modules/filestore/drivers/SSH/

Restrict administrative access

all

Limit access to the FreePBX administrative interface to trusted management networks only. The ranges below are examples; replace them with your own.

# Apache 2.4 syntax (any current FreePBX host); add to the <Directory> block for /var/www/html/admin or to that directory's .htaccess
<RequireAny>
    Require ip 192.168.1.0/24
    Require ip 10.0.0.0/8
</RequireAny>
# The older 2.2 form (Order deny,allow / Deny from all / Allow from ...) only works if mod_access_compat is loaded

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate FreePBX systems from critical infrastructure
  • Enforce multi-factor authentication for all administrative accounts and review user access privileges

🔍 How to Verify

Check if Vulnerable:

Check the Endpoint Manager version in the FreePBX Admin interface under Module Admin > Manage Modules, or read it from the module manifest: grep -m1 '<version>' /var/www/html/admin/modules/endpoint/module.xml (a recursive grep for '17.0.2.' across the module tree matches any file containing that string, not just the version). Versions 17.0.2.36 up to but not including 17.0.3 are vulnerable.

Check Version:

grep -m1 '<version>' /var/www/html/admin/modules/endpoint/module.xml

Verify Fix Applied:

Verify that Endpoint Manager shows 17.0.3 or higher in Module Admin, or check the manifest: grep -m1 '<version>' /var/www/html/admin/modules/endpoint/module.xml. Compare the version numerically rather than grepping for the literal string 17.0.3, which would miss 17.0.4 and later patched releases.
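Because a literal grep for a version prefix cannot tell 17.0.2.x from 17.0.3 and later, the following added shell check (written for this page, not part of the FreePBX project or the vendor advisory) reads the first <version> element from module.xml and compares it numerically against the affected range 17.0.2.36 up to but not including 17.0.3. It assumes the module.xml path used above and dotted numeric version strings; the embedded sample manifest is constructed and is only used when no real file is present.

```shell
# Added example: classify an Endpoint Manager install as vulnerable / patched / below-range
# against CVE-2025-64328. Assumes the module.xml path below and purely numeric dotted versions.
MODULE_XML="${MODULE_XML:-/var/www/html/admin/modules/endpoint/module.xml}"

# Constructed sample manifest (not a real file), used only when MODULE_XML is absent.
SAMPLE_XML='<module>
  <rawname>endpoint</rawname>
  <version>17.0.2.40</version>
</module>'

# Print the first <version>...</version> value from module.xml read on stdin.
epm_version_from_xml() {
    sed -n 's/.*<version>\([^<]*\)<\/version>.*/\1/p' | head -n 1
}

# version_lt A B: exit 0 if A is strictly lower than B, comparing dotted numeric parts
# left to right; a missing trailing part counts as 0 (so 17.0.3 == 17.0.3.0).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ap="${a%%.*}"; bp="${b%%.*}"
        [ "$a" = "$ap" ] && a="" || a="${a#*.}"
        [ "$b" = "$bp" ] && b="" || b="${b#*.}"
        ap="${ap:-0}"; bp="${bp:-0}"
        if [ "$ap" -lt "$bp" ]; then return 0; fi
        if [ "$ap" -gt "$bp" ]; then return 1; fi
    done
    return 1
}

# epm_status VERSION: print "below-range" (older than 17.0.2.36, outside the published
# affected range), "vulnerable" (17.0.2.36 <= v < 17.0.3) or "patched" (17.0.3 or later).
epm_status() {
    v="$1"
    if version_lt "$v" "17.0.2.36"; then
        echo below-range
    elif version_lt "$v" "17.0.3"; then
        echo vulnerable
    else
        echo patched
    fi
}

if [ -r "$MODULE_XML" ]; then
    ver=$(epm_version_from_xml < "$MODULE_XML")
else
    ver=$(printf '%s\n' "$SAMPLE_XML" | epm_version_from_xml)
fi
echo "Endpoint Manager $ver: $(epm_status "$ver")"
```

Run it as root (or any user that can read module.xml) on the PBX; the sample manifest only exists so the script can be exercised off-box, and reports "vulnerable" for 17.0.2.40.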

📡 Detection & Monitoring

Log Indicators:

  • Unusual SSH connections from FreePBX server
  • Suspicious commands executed by asterisk user
  • Multiple failed authentication attempts followed by successful login
  • Web server access logs showing requests that invoke the filestore SSH test (testconnection / check_ssh_connect) with unexpected or shell-metacharacter-laden parameters, especially from accounts or source addresses that do not normally configure filestores

Network Indicators:

  • Outbound connections from FreePBX server to unexpected destinations
  • SSH traffic from FreePBX server to internal systems
  • Unusual port scanning activity originating from FreePBX server

SIEM Query:

source="freepbx.log" AND ("testconnection" OR "check_ssh_connect") AND (cmd=* OR exec=* OR system=*)

The query is a starting point: the source name and field names depend on how your SIEM ingests /var/log/asterisk/freepbx.log and the web server access log, so adapt both before relying on it.
