
CVE-2025-55209: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in FreePBX security-reporting

Severity: Medium
Tags: Vulnerability, CVE-2025-55209, cve, cwe-79
Published: Thu Sep 04 2025 (09/04/2025, 22:50:59 UTC)
Source: CVE Database V5
Vendor/Project: FreePBX
Product: security-reporting

Description

contactmanager is a module for FreePBX®, which is an open source GUI that controls and manages Asterisk® (PBX). In versions 15.0.14 and below, 16.0.0 through 16.0.26.4 and 17.0.0 through 17.0.5, a stored cross-site scripting (XSS) vulnerability in FreePBX allows a low-privileged User Control Panel (UCP) user to inject malicious JavaScript into the system. The malicious code executes in the context of an administrator when they interact with the affected component, leading to session hijacking and potential privilege escalation. This issue is fixed in versions 15.0.14, 16.0.27 and 17.0.6.

AI-Powered Analysis

AI Last updated: 09/04/2025, 23:23:52 UTC

Technical Analysis

CVE-2025-55209 is a stored cross-site scripting (XSS) vulnerability affecting the contactmanager module within FreePBX, an open-source GUI used to control and manage Asterisk PBX systems. The vulnerability exists in versions prior to 15.0.14, versions 16.0.0 through 16.0.26.4, and versions 17.0.0 through 17.0.5. It allows a low-privileged User Control Panel (UCP) user to inject malicious JavaScript code into the system. This script executes in the context of an administrator when they interact with the affected component, potentially leading to session hijacking and privilege escalation. The root cause is improper neutralization of input during web page generation (CWE-79): user-supplied input is not properly sanitized or encoded before being rendered in the administrator's browser. The flaw lets an attacker bypass access controls by leveraging the trust relationship between the administrator's browser and the FreePBX web interface. Exploitation requires no authentication beyond low-privileged UCP user access, and the only user interaction needed is from the administrator who views the injected content. The CVSS 4.0 base score is 5.1 (medium severity), reflecting a network attack vector, low attack complexity, low privileges required, and partial impact on confidentiality, integrity, and availability. The issue is fixed in FreePBX versions 15.0.14, 16.0.27, and 17.0.6 and later.

Potential Impact

For European organizations using FreePBX systems, particularly those deploying the contactmanager module, this vulnerability poses a significant risk. Successful exploitation could allow an attacker with low-level user access to execute arbitrary JavaScript in the administrator's browser, leading to session hijacking and potential privilege escalation. This could result in unauthorized access to sensitive telephony configurations, call logs, and potentially the ability to manipulate PBX operations, disrupting business communications. Confidentiality of internal communications and integrity of telephony configurations could be compromised. Given that PBX systems are critical infrastructure for many enterprises, including call centers, government agencies, and financial institutions, exploitation could lead to operational disruption and data breaches. The medium severity score indicates moderate risk, but the potential for privilege escalation and session hijacking elevates the threat in environments where FreePBX is widely used. The lack of known exploits in the wild currently reduces immediate risk, but the vulnerability should be addressed promptly to prevent future attacks.

Mitigation Recommendations

European organizations should immediately verify their FreePBX versions and upgrade to 15.0.14, 16.0.27, or 17.0.6 and above to remediate the vulnerability. Until patching is complete, restrict low-privileged UCP user access to trusted personnel only and monitor for unusual user activity. Implement strict input validation and output encoding on any custom modules or extensions interacting with the contactmanager module to reduce injection risks. Employ web application firewalls (WAFs) with rules targeting XSS payloads specific to FreePBX interfaces. Educate administrators to avoid interacting with untrusted user-generated content within the PBX GUI. Regularly audit user permissions to minimize unnecessary UCP user accounts. Additionally, enable multi-factor authentication (MFA) for administrative access to reduce the impact of session hijacking. Maintain comprehensive logging and alerting on PBX web interface access to detect suspicious behavior early.
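The first mitigation step is confirming whether a deployed module version falls inside the affected ranges above. The following is an added example, not code from FreePBX or from this advisory: it encodes the page's ranges (fixed at 15.0.14, 16.0.27 and 17.0.6; anything on those branches below the fixed release is treated as affected) and compares versions numerically, since a plain string comparison gets four-part versions such as 16.0.26.4 wrong. Hostnames and versions in the sample inventory are constructed, and branches other than 15, 16 and 17 are reported as not covered by this advisory.

```python
"""Affected-version check for CVE-2025-55209 (FreePBX contactmanager)."""
from typing import List, Tuple

# Fixed releases named in the advisory, keyed by major branch.
FIXED = {15: (15, 0, 14), 16: (16, 0, 27), 17: (17, 0, 6)}


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '16.0.26.4' into (16, 0, 26, 4) so comparison is numeric.
    As strings, '16.0.26.4' > '16.0.27', which would misclassify it."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {s!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the version is on a covered branch and below its fix.
    Tuple comparison handles differing lengths: (16,0,26,4) < (16,0,27)
    and (17,0,6,1) > (17,0,6), matching release ordering."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return False  # branch not covered by this advisory
    return v < fixed


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Map (host, version) pairs to (host, version, action)."""
    out = []
    for host, ver in inventory:
        fixed = FIXED.get(parse_version(ver)[0])
        if fixed is None:
            action = "branch not covered by advisory: check vendor"
        elif is_affected(ver):
            action = "upgrade to " + ".".join(map(str, fixed))
        else:
            action = "ok"
        out.append((host, ver, action))
    return out


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [("pbx-a", "16.0.26.4"), ("pbx-b", "16.0.27"),
          ("pbx-c", "17.0.5"), ("pbx-d", "15.0.14"), ("pbx-e", "14.0.9")]

if __name__ == "__main__":
    for host, ver, action in triage(SAMPLE):
        print(f"{host:8} {ver:12} {action}")
```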


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-08-08T21:55:07.966Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68ba1c0988499799243de53d

Added to database: 9/4/2025, 11:08:57 PM

Last enriched: 9/4/2025, 11:23:52 PM

Last updated: 9/5/2025, 6:10:35 AM

