CVE-2025-55210: CWE-270: Privilege Context Switching Error in FreePBX api
FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to 17.0.5 and 16.0.17, FreePBX module api (PBX API) is vulnerable to privilege escalation by authenticated users with REST/GraphQL API access. This vulnerability allows an attacker to forge a valid JWT with full access to the REST and GraphQL APIs on a FreePBX that they've already connected to, possibly as a lower privileged user. The JWT is signed using the api-oauth.key private key. An attacker can generate their own token if they possess this key (e.g., by accessing an affected instance), and specify any scopes they wish (e.g., rest, gql), bypassing traditional authorization checks. However, FreePBX enforces that the jti (JWT ID) claim must exist in the database (api_access_tokens table in the asterisk MySQL database) in order for the token to be accepted. Therefore, the attacker must know a jti value that already exists on the target instance. This vulnerability is fixed in 17.0.5 and 16.0.17.
AI Analysis
Technical Summary
CVE-2025-55210 is a privilege context switching error (CWE-270) affecting the FreePBX API module in versions prior to 17.0.5 and 16.0.17. FreePBX is an open-source GUI managing Asterisk PBX systems, widely used for telephony management. The vulnerability allows authenticated users with REST or GraphQL API access to forge JSON Web Tokens (JWTs) signed with the api-oauth.key private key, effectively granting them full access to the API regardless of their original privilege level. The JWT forgery bypasses traditional authorization by specifying arbitrary scopes such as 'rest' or 'gql'. However, the token must include a JWT ID (jti) claim that exists in the api_access_tokens table of the asterisk MySQL database, which restricts the attack to those who can guess or obtain a valid jti value. This means the attacker must already have some level of access to the system or database to exploit the vulnerability fully. The vulnerability arises from improper privilege context switching and insufficient validation of JWT tokens. It is fixed in FreePBX versions 17.0.5 and 16.0.17. The CVSS 4.0 vector indicates network attack vector, high attack complexity, partial authentication required, user interaction needed, and low impact on confidentiality, integrity, and availability. No public exploits have been reported to date.
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized privilege escalation within FreePBX telephony management systems. Attackers who gain low-level authenticated access could escalate to full API control, potentially allowing them to manipulate telephony configurations, intercept or redirect calls, disrupt communications, or access sensitive call data. This could impact business continuity, confidentiality of communications, and regulatory compliance, especially for sectors relying heavily on VoIP and telephony infrastructure such as finance, healthcare, and government. The requirement to know a valid jti reduces the likelihood of widespread exploitation but does not eliminate risk, particularly for insiders or attackers who have already compromised parts of the system. The low CVSS score reflects limited ease of exploitation and impact, but the critical nature of telephony systems means even low-severity vulnerabilities warrant prompt remediation.
Mitigation Recommendations
European organizations using FreePBX should immediately upgrade affected instances to versions 17.0.5 or 16.0.17 or later to remediate this vulnerability. Additionally, organizations should: 1) Restrict API access to trusted users and networks to minimize exposure. 2) Regularly audit and monitor api_access_tokens database entries for suspicious or unauthorized JWT IDs. 3) Rotate the api-oauth.key private key periodically and after any suspected compromise to invalidate forged tokens. 4) Implement network segmentation and strong authentication controls around FreePBX management interfaces. 5) Employ logging and alerting on anomalous API usage patterns that could indicate token forgery attempts. 6) Conduct internal security reviews to ensure no unauthorized access to the MySQL database storing JWT IDs. These steps reduce the attack surface and help detect or prevent exploitation attempts beyond patching.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland
CVE-2025-55210: CWE-270: Privilege Context Switching Error in FreePBX api
Description
FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to 17.0.5 and 16.0.17, FreePBX module api (PBX API) is vulnerable to privilege escalation by authenticated users with REST/GraphQL API access. This vulnerability allows an attacker to forge a valid JWT with full access to the REST and GraphQL APIs on a FreePBX that they've already connected to, possibly as a lower privileged user. The JWT is signed using the api-oauth.key private key. An attacker can generate their own token if they possess this key (e.g., by accessing an affected instance), and specify any scopes they wish (e.g., rest, gql), bypassing traditional authorization checks. However, FreePBX enforces that the jti (JWT ID) claim must exist in the database (api_access_tokens table in the asterisk MySQL database) in order for the token to be accepted. Therefore, the attacker must know a jti value that already exists on the target instance. This vulnerability is fixed in 17.0.5 and 16.0.17.
AI-Powered Analysis
Technical Analysis
CVE-2025-55210 is a privilege context switching error (CWE-270) affecting the FreePBX API module in versions prior to 17.0.5 and 16.0.17. FreePBX is an open-source GUI managing Asterisk PBX systems, widely used for telephony management. The vulnerability allows authenticated users with REST or GraphQL API access to forge JSON Web Tokens (JWTs) signed with the api-oauth.key private key, effectively granting them full access to the API regardless of their original privilege level. The JWT forgery bypasses traditional authorization by specifying arbitrary scopes such as 'rest' or 'gql'. However, the token must include a JWT ID (jti) claim that exists in the api_access_tokens table of the asterisk MySQL database, which restricts the attack to those who can guess or obtain a valid jti value. This means the attacker must already have some level of access to the system or database to exploit the vulnerability fully. The vulnerability arises from improper privilege context switching and insufficient validation of JWT tokens. It is fixed in FreePBX versions 17.0.5 and 16.0.17. The CVSS 4.0 vector indicates network attack vector, high attack complexity, partial authentication required, user interaction needed, and low impact on confidentiality, integrity, and availability. No public exploits have been reported to date.
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized privilege escalation within FreePBX telephony management systems. Attackers who gain low-level authenticated access could escalate to full API control, potentially allowing them to manipulate telephony configurations, intercept or redirect calls, disrupt communications, or access sensitive call data. This could impact business continuity, confidentiality of communications, and regulatory compliance, especially for sectors relying heavily on VoIP and telephony infrastructure such as finance, healthcare, and government. The requirement to know a valid jti reduces the likelihood of widespread exploitation but does not eliminate risk, particularly for insiders or attackers who have already compromised parts of the system. The low CVSS score reflects limited ease of exploitation and impact, but the critical nature of telephony systems means even low-severity vulnerabilities warrant prompt remediation.
Mitigation Recommendations
European organizations using FreePBX should immediately upgrade affected instances to versions 17.0.5 or 16.0.17 or later to remediate this vulnerability. Additionally, organizations should: 1) Restrict API access to trusted users and networks to minimize exposure. 2) Regularly audit and monitor api_access_tokens database entries for suspicious or unauthorized JWT IDs. 3) Rotate the api-oauth.key private key periodically and after any suspected compromise to invalidate forged tokens. 4) Implement network segmentation and strong authentication controls around FreePBX management interfaces. 5) Employ logging and alerting on anomalous API usage patterns that could indicate token forgery attempts. 6) Conduct internal security reviews to ensure no unauthorized access to the MySQL database storing JWT IDs. These steps reduce the attack surface and help detect or prevent exploitation attempts beyond patching.
Affected Countries
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2025-08-08T21:55:07.966Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 698e0109c9e1ff5ad8eda2a5
Added to database: 2/12/2026, 4:34:17 PM
Last enriched: 2/12/2026, 4:48:45 PM
Last updated: 2/12/2026, 6:24:24 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2025-54519: CWE-427 Uncontrolled Search Path Element in AMD Vivado™ Documentation Navigator Installation (Windows)
HighCVE-2024-36319: CWE-1191 On-Chip Debug and Test Interface With Improper Access Control in AMD AMD Ryzen™ 7040 Series Mobile Processors with Radeon™ Graphics; AMD Ryzen™ 8040 Series Mobile Processors with Radeon™ Graphics
MediumCVE-2025-70981: n/a
HighCVE-2025-69807: n/a
HighCVE-2025-69806: n/a
HighActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.