FreePBX, an open-source web GUI managing Asterisk PBX systems, contains a privilege escalation vulnerability (CVE-2025-55210) in its API module prior to versions 17.0.5 and 16.0.17. The vulnerability stems from a privilege context switching error (CWE-270) that allows authenticated users with REST or GraphQL API access to forge JSON Web Tokens (JWTs) signed with the api-oauth.key private key. Possession of this private key enables attackers to create tokens with arbitrary scopes, such as full REST and GraphQL API access, effectively bypassing normal authorization controls. However, FreePBX enforces that the JWT ID (jti) claim must correspond to an existing token entry in the api_access_tokens table within the Asterisk MySQL database, requiring attackers to know a valid jti value on the target system. This constraint reduces the ease of exploitation, as attackers must have prior access or knowledge of valid token identifiers. The vulnerability allows privilege escalation from lower-privileged authenticated users to full API access, potentially enabling unauthorized configuration changes or information disclosure. No public exploits have been reported to date. The issue is resolved in FreePBX versions 17.0.5 and 16.0.17 by correcting the privilege context handling and token validation mechanisms. The CVSS 4.0 vector indicates network attack vector, high attack complexity, partial authentication, and limited confidentiality and integrity impact, resulting in a low severity rating.

The vulnerability enables authenticated users with limited API access to escalate privileges and gain full control over FreePBX's REST and GraphQL APIs. This can lead to unauthorized configuration changes, exposure of sensitive telephony data, and potential disruption of PBX services. Organizations relying on FreePBX for telephony infrastructure risk compromise of call routing, voicemail, and other critical communications functions. Although exploitation requires some prior access and knowledge, successful attacks could undermine the confidentiality and integrity of telephony systems, impacting business operations and privacy. The limited ease of exploitation and requirement for valid JWT IDs reduce widespread risk, but targeted attacks against organizations with exposed or poorly secured FreePBX instances remain a concern. No known exploits in the wild currently limit immediate widespread impact, but unpatched systems remain vulnerable.

Organizations should immediately upgrade FreePBX installations to versions 17.0.5 or 16.0.17 or later to apply the official fix. In addition, restrict access to the FreePBX API by implementing strong network segmentation and firewall rules to limit API access only to trusted hosts and users. Rotate and securely store the api-oauth.key private key to prevent unauthorized token generation. Audit and monitor API access logs for unusual token usage or privilege escalation attempts. Implement strict database access controls to protect the api_access_tokens table and prevent leakage of valid jti values. Employ multi-factor authentication for API users to reduce the risk of credential compromise. Regularly review and minimize API scopes granted to users to follow the principle of least privilege. Finally, conduct penetration testing and vulnerability assessments focused on FreePBX API security to identify and remediate any residual weaknesses.