CVE-2025-40647: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in issabel-pbx module Issabel

Medium
Published: Wed Oct 01 2025 (10/01/2025, 12:30:02 UTC)
Source: CVE Database V5
Vendor/Project: issabel-pbx module
Product: Issabel

Description

Stored Cross-Site Scripting (XSS) vulnerability in Issabel v5.0.0, consisting of a stored XSS due to a lack of proper validation of user input, through the 'email' parameter in '/index.php?menu=address_book'.

AI-Powered Analysis

Last updated: 10/02/2025, 00:11:52 UTC

Technical Analysis

CVE-2025-40647 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Issabel PBX system, specifically within the issabel-pbx module version 5.0.0. The vulnerability arises from improper neutralization of user input during web page generation, classified under CWE-79. The flaw exists in the handling of the 'email' parameter on the '/index.php?menu=address_book' endpoint, where user-supplied input is neither validated nor sanitized before being stored and subsequently rendered in the web interface. This allows an attacker to inject scripts that are persistently stored and executed in the browser of every user who later views the address book page. The CVSS v4.0 base score is 5.1 (medium severity): the attack vector is network-based (AV:N), attack complexity is low (AC:L), low privileges are required (PR:L), and some user interaction (UI:P) is needed. The vulnerability does not impact confidentiality, integrity, or availability directly, but it can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of legitimate users. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was reserved in April 2025 and published in October 2025 by INCIBE, a recognized cybersecurity entity. Issabel is an open-source IP PBX platform widely used for telephony management, particularly in small to medium enterprises, integrating VoIP, fax, and other communication services.

Potential Impact

For European organizations, the impact of this vulnerability can be significant, especially for those relying on Issabel PBX systems for internal and external communications. Exploitation could allow attackers to execute arbitrary JavaScript in the context of the PBX web interface, potentially leading to session hijacking of administrative users, theft of sensitive contact information, or manipulation of telephony configurations. This could disrupt business communications, lead to unauthorized call routing or interception, and expose confidential customer or employee data. Given the role of PBX systems in critical communication infrastructure, such exploitation could degrade operational efficiency and trust. Additionally, compliance with GDPR and other data protection regulations could be jeopardized if personal data is exposed or manipulated through this vulnerability. Although the vulnerability requires some user interaction, phishing or social engineering could facilitate exploitation. The lack of known exploits in the wild suggests limited current risk but also highlights the importance of proactive mitigation before attackers develop weaponized payloads.

Mitigation Recommendations

To mitigate this vulnerability, European organizations using Issabel PBX should:

1) Immediately audit and restrict access to the address book module to trusted users only, minimizing exposure.
2) Implement strict input validation and output encoding on the 'email' parameter and other user inputs in the PBX web interface, ensuring all inputs are sanitized to neutralize scripts.
3) Monitor web application logs for suspicious input patterns or anomalous user behavior indicative of attempted XSS exploitation.
4) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts within the PBX web interface.
5) Regularly update Issabel PBX to the latest versions once patches addressing this vulnerability are released.
6) Educate users and administrators about the risks of phishing and social engineering that could facilitate exploitation.
7) Consider deploying Web Application Firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting the PBX system.
8) Conduct penetration testing focused on web interface vulnerabilities to proactively identify and remediate similar issues.
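As an added example (not Issabel's own code), the controls from recommendations 2 and 4 above written in PHP, the language of Issabel's web interface: validate the 'email' field when an address-book entry is saved, HTML-encode every stored value when the page is rendered, and send a CSP header as defence in depth. The function names and the sample record are assumptions.

```php
<?php
declare(strict_types=1);

// Validate on input: reject anything that is not a syntactically valid
// address. Returns the address, or null when the submission must be refused.
function validate_contact_email(string $email): ?string
{
    $email = trim($email);
    if (strlen($email) > 254) {           // longer than any legal address
        return null;
    }
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Encode on output: the value lands in an HTML text node and in an attribute,
// so both go through htmlspecialchars() with ENT_QUOTES. The mailto: href is
// only acceptable because validate_contact_email() has already rejected
// anything that is not an address; htmlspecialchars() alone does not make an
// arbitrary string safe in a URL context.
function render_contact_row(array $contact): string
{
    $h = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<tr>'
        . '<td>' . $h($contact['name']) . '</td>'
        . '<td><a href="mailto:' . $h($contact['email']) . '">'
        . $h($contact['email']) . '</a></td>'
        . '</tr>';
}

// Defence in depth: a CSP without 'unsafe-inline', so a value that somehow
// bypassed encoding still cannot run as inline script.
function send_address_book_csp(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}

// Constructed sample record carrying markup in the email field (test data).
$submitted = ['name' => 'Test User', 'email' => '<script>alert(1)</script>'];

if (validate_contact_email($submitted['email']) === null) {
    echo "rejected at input: not a valid e-mail address\n";
}
// Had such a value already been stored, the encoded output is inert text:
echo render_contact_row($submitted), "\n";
// prints &lt;script&gt;alert(1)&lt;/script&gt; inside the cell, not a script tag
```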

Technical Details

Data Version
5.1
Assigner Short Name
INCIBE
Date Reserved
2025-04-16T08:38:12.620Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68ddc314107aa30f08655c3e

Added to database: 10/2/2025, 12:11:00 AM

Last enriched: 10/2/2025, 12:11:52 AM

Last updated: 10/2/2025, 2:05:05 AM
