CVE-2025-59056 is a medium-severity vulnerability affecting FreePBX versions 15, 16, and 17 prior to specific patch releases (15.0.38, 16.0.41, and 17.0.21). FreePBX is an open-source web-based graphical user interface widely used for managing Asterisk-based telephony systems. The vulnerability is categorized under CWE-22, which involves improper limitation of a pathname to a restricted directory, commonly known as a path traversal flaw. This vulnerability allows unauthenticated remote attackers to send malicious requests to the Administrator Control Panel web interface, triggering the uninstall function for certain modules. The uninstall function drops the module's database tables, which store critical configuration data. As a result, exploitation leads to loss of module configurations and potentially disrupts telephony services managed by FreePBX. The CVSS 4.0 score of 6.6 reflects a medium severity level, with the vector indicating network attack vector, low attack complexity, no privileges or user interaction required, but with a high impact on availability due to data destruction. No known exploits are currently reported in the wild, but the vulnerability is publicly disclosed and patched. The flaw arises from insufficient validation or restriction of pathnames within the security-reporting module, enabling attackers to manipulate paths to invoke destructive uninstall operations remotely without authentication.

For European organizations relying on FreePBX for their telephony infrastructure, this vulnerability poses a significant risk to service availability and operational continuity. The forced uninstallation of modules and deletion of their database tables can lead to immediate disruption of telephony services, loss of configuration data, and potential downtime. This can affect internal communications, customer support lines, and emergency response capabilities. Given that FreePBX is often deployed in small to medium enterprises, call centers, and public sector organizations, the impact could extend to critical business functions and public services. Additionally, recovery from such an attack may require restoring backups and reconfiguring modules, incurring operational costs and potential data loss if backups are not current. Although the vulnerability does not directly expose confidentiality or integrity of data, the availability impact alone can be severe, especially in environments where telephony systems are integral to business operations.

European organizations should immediately verify their FreePBX versions and upgrade to the patched releases: 15.0.38 or later for version 15, 16.0.41 or later for version 16, and 17.0.21 or later for version 17. If immediate patching is not feasible, organizations should restrict access to the FreePBX Administrator Control Panel by implementing network-level controls such as IP whitelisting, VPN-only access, or firewall rules to limit exposure to trusted management networks. Additionally, monitoring web server logs for unusual requests targeting the uninstall functionality or unexpected database table drops can provide early detection of exploitation attempts. Regular backups of FreePBX configurations and databases should be maintained and tested for restoration to minimize downtime in case of successful exploitation. Finally, organizations should consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block path traversal attempts targeting the security-reporting module.