CVE-2025-59051 is an OS command injection vulnerability classified under CWE-78, found in the FreePBX Endpoint Manager module's Network Scanning feature. This feature provides web-based access to nmap for network device discovery. In affected versions (Endpoint Manager 16 before 16.0.92 and 17 before 17.0.6), user-supplied input to the network scanning functionality is insufficiently sanitized, allowing an authenticated attacker to inject arbitrary OS commands. The commands execute with the privileges of the 'asterisk' user, which typically runs the telephony services on FreePBX systems. The vulnerability requires authentication with a known username but does not require additional user interaction, making it easier to exploit once credentials are obtained. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no user interaction (UI:N), and high privileges required (PR:H). The impact on confidentiality, integrity, and availability is high, as attackers can execute arbitrary commands, potentially leading to system compromise, data leakage, or service disruption. The vulnerability was published on October 14, 2025, with no known exploits in the wild at the time of reporting. Mitigation is straightforward by upgrading to patched versions 16.0.92 or 17.0.6 of the Endpoint Manager module.

For European organizations, this vulnerability poses a significant risk to telephony infrastructure security. FreePBX is widely used in enterprise and service provider environments across Europe for VoIP telephony management. Successful exploitation could allow attackers to execute arbitrary commands on the telephony server, potentially leading to interception or manipulation of calls, disruption of communication services, and unauthorized access to sensitive internal networks. This could impact confidentiality of communications, integrity of telephony configurations, and availability of voice services. Given the critical role of telephony in business operations, especially in sectors like finance, healthcare, and government, exploitation could cause operational downtime and reputational damage. Additionally, attackers could pivot from the compromised telephony server to other internal systems, increasing the scope of impact.

European organizations should immediately verify their FreePBX Endpoint Manager module versions and upgrade to version 16.0.92 or 17.0.6 or later. Restrict access to the Endpoint Manager web interface to trusted administrative networks and enforce strong authentication mechanisms, including multi-factor authentication, to reduce the risk of credential compromise. Monitor logs for unusual network scanning activity or command execution patterns originating from the Endpoint Manager interface. Implement network segmentation to isolate telephony infrastructure from critical business systems. Regularly audit user accounts with access to the Endpoint Manager module and remove or disable unused accounts. Employ application-layer firewalls or web application firewalls (WAFs) that can detect and block command injection attempts. Finally, maintain an incident response plan specifically addressing telephony system compromises.