CVE-2025-55209: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in FreePBX contactmanager
contactmanager is a module for FreePBX®, which is an open source GUI that controls and manages Asterisk© (PBX). In versions 15.0.14 and below, 16.0.0 through 16.0.26.4 and 17.0.0 through 17.0.5, a stored cross-site scripting (XSS) vulnerability in FreePBX allows a low-privileged User Control Panel (UCP) user to inject malicious JavaScript into the system. The malicious code executes in the context of an administrator when they interact with the affected component, leading to session hijacking and potential privilege escalation. This issue is fixed in versions 15.0.14, 16.0.27 and 17.0.6.
AI Analysis
Technical Summary
CVE-2025-55209 is a stored cross-site scripting (XSS) vulnerability in the contactmanager module of FreePBX, an open-source GUI for managing Asterisk PBX systems. The vulnerability exists in versions prior to 15.0.14, from 16.0.0 up to 16.0.26.4, and from 17.0.0 up to 17.0.5. It allows a low-privileged User Control Panel (UCP) user to inject malicious JavaScript code into the system. Because the payload is stored, it executes later, in the administrator's browser context, when an administrator interacts with the affected component. This can lead to session hijacking, enabling attackers to impersonate administrators and potentially escalate privileges within the FreePBX system. The root cause is improper neutralization of input during web page generation (CWE-79): user-supplied input is not correctly encoded before being rendered into the page. Exploitation requires no authentication beyond low-level UCP access, but it does require the administrator to view or interact with the malicious content, so user interaction is necessary. The CVSS 4.0 vector indicates a network attack vector, low attack complexity, only low-level user privileges required, and user interaction needed. The impact on confidentiality, integrity, and availability is limited but significant because of the potential for administrative takeover. No known exploits had been reported in the wild as of the publication date. The vulnerability is addressed in FreePBX versions 15.0.14, 16.0.27, and 17.0.6.
Potential Impact
For European organizations, this vulnerability poses a risk to the security of their telephony infrastructure managed via FreePBX. Successful exploitation can lead to administrative session hijacking and privilege escalation, allowing attackers to manipulate call routing, intercept calls, or disrupt telephony services. This could result in unauthorized access to sensitive communications, potential fraud, and operational downtime. Given that FreePBX is widely used in small to medium enterprises and some larger organizations across Europe for VoIP management, the impact could affect confidentiality and integrity of communications. The requirement for administrator interaction limits the ease of exploitation but does not eliminate risk, especially in environments with multiple administrators or less security-aware staff. The vulnerability could also be leveraged as a foothold for further network compromise. The medium CVSS score reflects moderate severity but the criticality depends on the organization's reliance on FreePBX for business communications.
Mitigation Recommendations
European organizations should immediately verify their FreePBX contactmanager module version and upgrade to the fixed releases: 15.0.14, 16.0.27, or 17.0.6 as appropriate. Until patching is completed, restrict UCP user permissions to the minimum necessary and monitor for suspicious activity. Implement strict input validation and output encoding on any custom modules or integrations interacting with FreePBX to reduce XSS risks. Educate administrators to be cautious when interacting with user-generated content within the system. Employ web application firewalls (WAFs) with rules targeting XSS payloads to provide an additional layer of defense. Regularly audit FreePBX logs for unusual access patterns or administrative actions. Consider network segmentation to limit access to the FreePBX management interface to trusted hosts. Finally, maintain up-to-date backups of configuration and call data to enable recovery in case of compromise.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-08-08T21:55:07.966Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68ba1c0988499799243de53d
Added to database: 9/4/2025, 11:08:57 PM
Last enriched: 2/14/2026, 7:13:03 AM
Last updated: 3/24/2026, 8:36:59 PM