CVE-2025-59429 is a reflected cross-site scripting (XSS) vulnerability classified under CWE-79, found in the FreePBX open-source GUI used to manage Asterisk telephony systems. The flaw exists in the Asterisk HTTP Status page, which is exposed by default on FreePBX 16 via any bound IP address on port 8088, and on FreePBX 17 it is bound only to localhost by default, reducing attack surface. The vulnerability allows an unauthenticated attacker to inject malicious scripts that execute in the context of an administrative user's browser session. This enables theft of session cookies, which can be used to hijack the admin session. Once the attacker gains admin access, they can access sensitive configuration data, modify system settings, create persistent backdoor accounts, and disrupt telephony services. The vulnerability affects FreePBX versions prior to 16.0.68.39 and versions 17.0.0 up to but not including 17.0.18.38. The issue has been addressed in these patched versions. The CVSS 4.0 base score is 8.5 (high severity), reflecting network attack vector, low complexity, no privileges required, but user interaction needed, and high impact on confidentiality, integrity, and availability. No public exploits have been reported yet, but the risk is significant due to the critical nature of telephony infrastructure and administrative access compromise.

For European organizations, the impact of this vulnerability is substantial, especially for those relying on FreePBX for telephony management. Successful exploitation can lead to full administrative takeover of the FreePBX system, enabling attackers to intercept or manipulate voice communications, access sensitive call logs, and disrupt business communications. This can result in operational downtime, loss of confidential information, regulatory non-compliance (e.g., GDPR violations due to data exposure), and reputational damage. Telephony systems are often critical infrastructure in sectors such as finance, healthcare, and government, making this vulnerability a high-value target. The ability to create backdoor accounts further increases the risk of persistent compromise and lateral movement within affected networks. Given the default exposure on FreePBX 16 installations, organizations with less restrictive network configurations are at higher risk. The lack of known exploits in the wild reduces immediate risk but should not lead to complacency.

European organizations should immediately verify their FreePBX version and upgrade to at least 16.0.68.39 or 17.0.18.38 to apply the official patches. For systems where immediate patching is not feasible, network-level mitigations should be implemented, such as restricting access to port 8088 to trusted IP addresses only, or firewalling the Asterisk HTTP Status page to localhost or internal management networks. Administrators should review and harden session management policies, including enforcing secure cookie attributes (HttpOnly, Secure, SameSite) and implementing multi-factor authentication for admin access where possible. Regularly auditing FreePBX logs for suspicious activity and monitoring for unusual session behaviors can help detect exploitation attempts. Additionally, organizations should educate users about the risks of clicking on untrusted links that could trigger reflected XSS attacks. Finally, maintaining an up-to-date inventory of telephony infrastructure and integrating FreePBX patch management into standard IT security processes will reduce future exposure.