CVE-2025-55739: CWE-798: Use of Hard-coded Credentials in FreePBX security-reporting

Medium
Tags: Vulnerability, CVE-2025-55739, CWE-798, CWE-522
Published: Thu Sep 04 2025 (09/04/2025, 23:22:43 UTC)
Source: CVE Database V5
Vendor/Project: FreePBX
Product: security-reporting

Description

api is a module for FreePBX®, which is an open source GUI that controls and manages Asterisk© (PBX). In versions lower than 15.0.13, 16.0.2 through 16.0.14, 17.0.1 and 17.0.2, there is an identical OAuth private key used across multiple systems that installed the same FreePBX RPM or DEB package. An attacker with access to the shared OAuth private key could forge JWT tokens, bypass authentication, and potentially gain full access to both REST and GraphQL APIs. Systems with the "api" module enabled, configured and previously activated by an administrator for remote inbound connections may be affected. This issue is fixed in versions 15.0.13, 16.0.15 and 17.0.3.

AI-Powered Analysis

Last updated: 09/04/2025, 23:53:54 UTC

Technical Analysis

CVE-2025-55739 is a medium-severity vulnerability affecting the 'api' module of FreePBX, an open-source GUI used to manage Asterisk PBX systems. The vulnerability arises from a hard-coded OAuth private key that is identical across every installation built from the same FreePBX RPM or DEB package in the affected versions: all versions below 15.0.13, versions from 16.0.2 up to but not including 16.0.15, and versions 17.0.1 and 17.0.2. Because the key is shared, anyone who obtains it from one installation can sign JSON Web Tokens (JWTs) that every other installation shipping the same key will accept, thereby bypassing authentication. With forged JWTs, the attacker can gain unauthorized full access to both the REST and GraphQL APIs exposed by the FreePBX system. This is particularly critical for systems where the 'api' module is enabled, configured, and previously activated by an administrator for remote inbound connections. The vulnerability is classified under CWE-798 (Use of Hard-coded Credentials) and CWE-522 (Insufficiently Protected Credentials). The issue has been addressed in FreePBX versions 15.0.13, 16.0.15, and 17.0.3. The CVSS v4.0 base score is 5.1 (medium): the attack vector is network, attack complexity is low, no privileges are required, user interaction is needed, and the impact on confidentiality, integrity, and availability is rated limited. No known exploits are reported in the wild as of the publication date.

Potential Impact

For European organizations using FreePBX systems with the vulnerable 'api' module enabled and exposed to remote inbound connections, this vulnerability poses a significant risk. An attacker exploiting this flaw can bypass authentication controls and gain full API access, potentially allowing them to manipulate telephony configurations, intercept or redirect calls, access sensitive call data, or disrupt PBX services. Such unauthorized access could lead to data breaches involving call logs or customer information, service outages impacting business communications, and potential financial fraud or espionage. Given the critical role of PBX systems in enterprise telephony infrastructure, exploitation could disrupt business operations and damage organizational reputation. The medium CVSS score suggests moderate risk, but the ease of exploitation (no privileges required) and the potential for full API control elevate the threat level. European organizations in sectors relying heavily on telephony, such as finance, healthcare, and government, may face heightened risks. Additionally, organizations with remote-accessible FreePBX APIs are particularly vulnerable, emphasizing the need for immediate remediation.

Mitigation Recommendations

1. Immediately upgrade to a patched FreePBX version (15.0.13, 16.0.15, or 17.0.3) to eliminate the hard-coded OAuth key vulnerability.
2. Audit all FreePBX installations to identify their versions and check whether the 'api' module is enabled and exposed remotely.
3. Restrict network access to the FreePBX API endpoints with firewall rules or VPN access so that only trusted networks can reach them.
4. Rotate any OAuth keys or tokens associated with the 'api' module after upgrading, to invalidate any potentially compromised credentials.
5. Monitor API access logs for suspicious JWT usage or anomalous API calls indicative of token forgery attempts.
6. Implement multi-factor authentication (MFA) for administrative access where possible to add an additional security layer.
7. Regularly review and apply security patches for FreePBX and related telephony infrastructure.
8. Conduct penetration testing focused on PBX API endpoints to verify the effectiveness of mitigations and detect any residual vulnerabilities.
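As an added example supporting mitigation steps 2 and 4 above (not code from FreePBX or from this advisory), the following Python script audits a fleet inventory: it applies the advisory's affected version ranges, flags hosts with the 'api' module enabled for remote inbound connections, and detects the root cause of this CVE by fingerprinting each host's OAuth private key and reporting any key that appears on more than one host. The inventory structure, field names and PEM contents are constructed for the example; how the key is collected from a real host is outside the scope of the advisory.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple

# Affected ranges as the advisory states them (lower bound inclusive, upper
# bound = first fixed release, exclusive): <15.0.13, 16.0.2-16.0.14, 17.0.1-17.0.2.
AFFECTED = [((0, 0, 0), (15, 0, 13)), ((16, 0, 2), (16, 0, 15)), ((17, 0, 1), (17, 0, 3))]

def parse_version(text: str) -> Tuple[int, ...]:
    """'16.0.2' -> (16, 0, 2); shorter strings are zero-padded to three parts."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * max(0, 3 - len(parts))

def is_affected(version: str) -> bool:
    v = parse_version(version)
    return any(lo <= v < fixed for lo, fixed in AFFECTED)

def key_fingerprint(pem: bytes) -> str:
    # Equal digests on two hosts mean they carry the identical package-shipped key.
    return hashlib.sha256(pem).hexdigest()

def audit(inventory: Dict[str, dict]) -> Dict[str, List[str]]:
    """inventory: host -> {'version', 'api_remote', 'oauth_key_pem'} (constructed layout).
    Returns host -> findings; an empty list means nothing was flagged."""
    by_fp = defaultdict(list)
    for host, info in inventory.items():
        by_fp[key_fingerprint(info["oauth_key_pem"])].append(host)
    findings = {}
    for host, info in inventory.items():
        notes = []
        if is_affected(info["version"]):
            notes.append(f"version {info['version']} is in an affected range")
        if info["api_remote"]:
            notes.append("api module enabled for remote inbound connections")
        peers = sorted(h for h in by_fp[key_fingerprint(info["oauth_key_pem"])] if h != host)
        if peers:
            notes.append("OAuth private key shared with: " + ", ".join(peers))
        findings[host] = notes
    return findings

def sample_host(version: str, api_remote: bool, label: bytes) -> dict:
    # Constructed placeholder PEM body; not a real key.
    pem = b"-----BEGIN PRIVATE KEY-----\n" + label + b"\n-----END PRIVATE KEY-----\n"
    return {"version": version, "api_remote": api_remote, "oauth_key_pem": pem}

# Constructed inventory: pbx-a and pbx-b share one key, the others have unique keys.
SAMPLE = {
    "pbx-a": sample_host("16.0.14", True, b"CONSTRUCTED-KEY-1"),
    "pbx-b": sample_host("17.0.2", True, b"CONSTRUCTED-KEY-1"),
    "pbx-c": sample_host("15.0.13", False, b"CONSTRUCTED-KEY-2"),
    "pbx-d": sample_host("16.0.1", True, b"CONSTRUCTED-KEY-3"),
}
```

A host is only fully exposed when all three findings coincide; a duplicated key on an already-patched host still warrants rotation (step 4), since the patch alone does not replace a key that was already copied elsewhere.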

Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-08-14T22:31:17.683Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68ba231188499799243e04b1

Added to database: 9/4/2025, 11:38:57 PM

Last enriched: 9/4/2025, 11:53:54 PM

Last updated: 9/5/2025, 12:02:02 PM
