CVE-2025-59429: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in FreePBX core
FreePBX is an open source GUI for managing Asterisk. In versions prior to 16.0.68.39 for FreePBX 16 and versions prior to 17.0.18.38 for FreePBX 17, a reflected cross-site scripting vulnerability is present on the Asterisk HTTP Status page. The Asterisk HTTP status page is exposed by FreePBX and is available by default on version 16 via any bound IP address at port 8088. By default on version 17, the binding is only to localhost IP, making it significantly less vulnerable. The vulnerability can be exploited by unauthenticated attackers to obtain cookies from logged-in users, allowing them to hijack a session of an administrative user. The theft of admin session cookies allows attackers to gain control over the FreePBX admin interface, enabling them to access sensitive data, modify system configurations, create backdoor accounts, and cause service disruption. This issue has been patched in version 16.0.68.39 for FreePBX 16 and version 17.0.18.38 for FreePBX 17.
AI Analysis
Technical Summary
CVE-2025-59429 is a reflected cross-site scripting vulnerability classified under CWE-79, found in the FreePBX core management interface for Asterisk PBX systems. The vulnerability exists in the Asterisk HTTP Status page, which improperly neutralizes user input during web page generation, allowing malicious scripts to be injected and executed in the context of an administrative user's browser. In FreePBX 16, this page is exposed by default on all bound IP addresses at port 8088, making it accessible to remote attackers. In FreePBX 17, the page is bound only to localhost by default, reducing exposure but not eliminating risk if local access is compromised. Exploitation requires no authentication and no user interaction beyond the victim visiting a crafted URL, enabling attackers to steal session cookies from logged-in administrators. With stolen cookies, attackers can hijack admin sessions, gaining full control over the FreePBX interface. This control allows attackers to access sensitive telephony data, alter system configurations, create persistent backdoor accounts, and disrupt telephony services. The vulnerability has been addressed in FreePBX versions 16.0.68.39 and 17.0.18.38. No known exploits are currently reported in the wild, but the high CVSS score of 8.5 reflects the significant risk posed by this flaw due to its ease of exploitation and potential impact.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of telephony infrastructure managed via FreePBX. Successful exploitation can lead to unauthorized administrative access, exposing sensitive call data and internal communications. Attackers could modify system configurations, potentially intercepting or redirecting calls, creating backdoors for persistent access, or causing denial of service by disrupting telephony operations. Given the critical role of telephony in business communications, such disruptions could impact operational continuity and compliance with data protection regulations like GDPR. Organizations in sectors relying heavily on telephony, such as finance, healthcare, and government, face heightened risks. The default exposure of the vulnerable interface on network-facing IPs in FreePBX 16 increases the attack surface, especially in environments where network segmentation or firewalling is insufficient. Even in FreePBX 17, local exposure could be exploited via compromised internal hosts or malicious insiders. The lack of known exploits in the wild suggests a window for proactive mitigation before widespread attacks occur.
Mitigation Recommendations
European organizations should immediately upgrade FreePBX core to version 16.0.68.39 (FreePBX 16) or 17.0.18.38 (FreePBX 17), or later, to apply the official patch. Until patching is complete, restrict network access to port 8088, especially from untrusted networks, using firewall rules or network segmentation to limit exposure of the Asterisk HTTP Status page. For FreePBX 16 installations, consider binding the HTTP Status page to localhost or trusted IP addresses only, mirroring the default behavior of FreePBX 17. Employ web application firewalls (WAFs) with rules to detect and block reflected XSS payloads targeting the status page. Monitor administrative sessions for unusual activity and implement multi-factor authentication (MFA) for FreePBX admin accounts to reduce the impact of session hijacking. Regularly audit FreePBX logs and configurations for unauthorized changes or new accounts. Educate administrators about phishing and social engineering risks that could facilitate exploitation. Finally, maintain an up-to-date inventory of FreePBX deployments and ensure timely application of security updates.
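One concrete check for the binding recommendation above, as an added example that is not code from the advisory, from OffSeq, or from the FreePBX or Asterisk projects: a small Python audit that reads an Asterisk `http.conf`, parses `enabled`, `bindaddr` and `bindport` from its `[general]` section, and reports whether the built-in HTTP server (and with it the status page) listens on all interfaces, on loopback only, or on an operator-approved address. The weak and corrected configuration texts are constructed samples; the `trusted` parameter and the conservative treatment of an unset `bindaddr` are assumptions of this example, not Asterisk behaviour.

```python
"""Audit an Asterisk http.conf for the network exposure behind CVE-2025-59429.

Added example, not code from the advisory or from the FreePBX/Asterisk
projects. Assumed layout (matching Asterisk's http.conf): a [general]
section holding `enabled`, `bindaddr` and `bindport`. FreePBX generates
this file from its own settings, so change the binding through FreePBX,
not by editing the file directly; this script only reads it.
"""
import configparser
import ipaddress

DEFAULT_PORT = 8088  # port named in the advisory

# Constructed sample of the weak setting: network-wide binding, the
# FreePBX 16 default described in the advisory.
WEAK_HTTP_CONF = """\
[general]
enabled=yes
bindaddr=0.0.0.0
bindport=8088
"""

# Constructed sample of the corrected setting: loopback only, the
# FreePBX 17 default the advisory recommends mirroring.
HARDENED_HTTP_CONF = """\
[general]
enabled=yes
bindaddr=127.0.0.1
bindport=8088
"""


def _truthy(value):
    """Mirror Asterisk's ast_true(): yes/true/y/t/1/on all mean enabled."""
    return (value or "").strip().lower() in {"yes", "true", "y", "t", "1", "on"}


def assess_exposure(conf_text, trusted=()):
    """Classify the HTTP server binding in an http.conf text.

    Returns a dict with the parsed values plus `exposed` (bool) and a
    human-readable `reason`. `trusted` is an assumed extension of this
    example: addresses the operator accepts as non-exposed (e.g. a
    management interface reachable only over a segmented network).
    """
    # Asterisk also accepts `key => value`; normalise to `=` for configparser.
    normalised = conf_text.replace("=>", "=")
    cp = configparser.ConfigParser(
        comment_prefixes=(";", "#"),
        inline_comment_prefixes=(";",),
        interpolation=None,
        strict=False,          # tolerate duplicate keys
        allow_no_value=True,   # tolerate bare keys instead of failing
    )
    cp.read_string(normalised)

    result = {"enabled": False, "bindaddr": None, "bindport": None,
              "exposed": False, "reason": ""}
    if not cp.has_section("general"):
        result["reason"] = "no [general] section: HTTP server not configured"
        return result

    general = cp["general"]
    result["enabled"] = _truthy(general.get("enabled", "no"))
    bindaddr = (general.get("bindaddr", "") or "").strip()
    result["bindaddr"] = bindaddr or None
    port_text = general.get("bindport", str(DEFAULT_PORT)) or str(DEFAULT_PORT)
    result["bindport"] = int(port_text.strip())

    if not result["enabled"]:
        result["reason"] = "HTTP server disabled"
        return result
    if not bindaddr:
        # Conservative assumption of this example: an unset bindaddr is
        # reported as exposed rather than guessed at.
        result["exposed"] = True
        result["reason"] = "bindaddr not set; treated as network-wide"
        return result
    try:
        addr = ipaddress.ip_address(bindaddr)
    except ValueError:
        result["exposed"] = True
        result["reason"] = f"unparseable bindaddr {bindaddr!r}; treated as exposed"
        return result

    if addr.is_unspecified:
        result["exposed"] = True
        result["reason"] = f"binds all interfaces on port {result['bindport']}"
    elif addr.is_loopback:
        result["reason"] = "bound to loopback only"
    elif bindaddr in trusted:
        result["reason"] = "bound to an operator-trusted address"
    else:
        result["exposed"] = True
        result["reason"] = f"bound to non-loopback address {bindaddr}"
    return result


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_HTTP_CONF), ("hardened", HARDENED_HTTP_CONF)):
        verdict = assess_exposure(conf)
        print(f"{label:9s} exposed={verdict['exposed']!s:5s} {verdict['reason']}")
```

Run it against a copy of the live `http.conf` on a FreePBX host to confirm the binding before and after the change; a host or perimeter firewall rule limiting port 8088 to management networks is the complementary control the advisory recommends while the upgrade is pending, since a loopback binding alone does nothing for a host whose web tier proxies the status page.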
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-09-15T19:13:16.905Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68eea592ae73b78941f498ca
Added to database: 10/14/2025, 7:33:38 PM
Last enriched: 2/14/2026, 7:14:07 AM
Last updated: 3/25/2026, 12:16:57 PM