CVE-2025-62173 is an authenticated SQL Injection vulnerability identified in the FreePBX restapps module, specifically within its REST API endpoint. The vulnerability arises from improper neutralization of special elements used in SQL commands (CWE-89), allowing an attacker with authenticated access and high privileges to inject arbitrary SQL queries. This can lead to unauthorized data access, modification, or corruption within the underlying database that FreePBX uses to manage telephony configurations and call routing. The affected versions include all releases prior to 16.0.41 and versions from 17.0.0 up to but not including 17.0.6. The CVSS 4.0 base score is 8.6, reflecting a high severity due to network attack vector, low attack complexity, no user interaction, and high impact on confidentiality and integrity, though availability impact is low. The vulnerability does not require user interaction but does require high-level privileges, meaning attackers must already have authenticated access to the system. No public exploits have been reported yet, but the presence of this vulnerability in a critical telephony management system poses a significant risk. The flaw could be exploited to extract sensitive call data, alter configurations, or disrupt service indirectly by corrupting database entries. The lack of patch links suggests that remediation may require upgrading to versions 16.0.41 or above 17.0.6 once available or applying vendor-provided fixes. Given the critical role of FreePBX in enterprise telephony, this vulnerability demands urgent attention.

For European organizations, the impact of CVE-2025-62173 is substantial due to the widespread use of FreePBX in enterprise telephony systems across various sectors including government, finance, healthcare, and telecommunications. Exploitation could lead to unauthorized disclosure of sensitive call records, internal communication metadata, or configuration details, undermining confidentiality. Integrity of telephony configurations could be compromised, potentially enabling call interception, fraud, or denial of service through misconfiguration. Although availability impact is rated low, indirect service disruptions could occur if database corruption affects call routing or system stability. Given the critical nature of voice communications in business operations and regulatory requirements around data protection (e.g., GDPR), exploitation could result in compliance violations, financial losses, and reputational damage. The requirement for authenticated access limits exposure to insider threats or attackers who have already compromised credentials, but the ease of exploitation (low complexity) and network accessibility of the REST API increase risk. Organizations relying on FreePBX for unified communications should consider this vulnerability a high priority to mitigate.

1. Upgrade FreePBX restapps to version 16.0.41 or later, or to versions above 17.0.6 once available, as these contain fixes for the vulnerability. 2. If immediate upgrade is not feasible, restrict access to the REST API endpoints by implementing network segmentation and firewall rules to limit access only to trusted administrators and management systems. 3. Enforce strong authentication and authorization controls to ensure only legitimate users with necessary privileges can access the REST API. 4. Implement input validation and sanitization at the application level where possible to prevent injection of malicious SQL commands. 5. Monitor logs for unusual or suspicious API activity that could indicate attempted exploitation. 6. Conduct regular security audits and penetration testing focused on telephony infrastructure to detect potential weaknesses. 7. Educate administrators on the risks of SQL injection and the importance of credential security to reduce insider threat risks. 8. Maintain up-to-date backups of telephony configuration and database to enable rapid recovery in case of compromise.