CVE-2025-64328 is an OS command injection vulnerability identified in the FreePBX Endpoint Manager module, specifically within the filestore component of the administrative interface. The flaw exists in versions 17.0.2.36 through 17.0.3 (exclusive) and is triggered via the testconnection -> check_ssh_connect() function. This function fails to properly neutralize special characters in inputs, allowing an authenticated user to inject arbitrary operating system commands. Since the attacker must be authenticated, the vulnerability is post-authentication, but no additional user interaction is required. Successful exploitation grants remote command execution with the privileges of the 'asterisk' user, which typically has significant control over the telephony system. This can lead to unauthorized access, data exfiltration, service disruption, or pivoting to other network resources. The vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command) and carries a CVSS v4.0 score of 8.6, indicating high severity. The issue was publicly disclosed on November 7, 2025, and is resolved in FreePBX version 17.0.3. No public exploit code or active exploitation has been reported yet, but the vulnerability's nature and ease of exploitation make it a critical concern for affected systems.

For European organizations, this vulnerability poses a significant risk to telephony infrastructure, which is often integral to business operations, customer service, and internal communications. Exploitation could lead to unauthorized remote access, allowing attackers to intercept calls, manipulate telephony configurations, or disrupt services, potentially causing operational downtime and reputational damage. Additionally, attackers gaining a foothold as the 'asterisk' user may escalate privileges or move laterally within the network, threatening broader IT assets. Organizations in sectors relying heavily on VoIP and unified communications—such as finance, healthcare, and government—face heightened risks. The compromise of telephony systems can also facilitate fraud, eavesdropping, and data leakage, impacting confidentiality and integrity. Given the vulnerability requires authentication, insider threats or compromised credentials increase the likelihood of exploitation. The absence of known exploits in the wild provides a window for proactive mitigation but should not reduce urgency.

1. Immediate upgrade of FreePBX Endpoint Manager to version 17.0.3 or later to apply the official fix. 2. Restrict administrative interface access to trusted networks and enforce strong authentication mechanisms, including multi-factor authentication (MFA), to reduce the risk of credential compromise. 3. Monitor logs for unusual activity related to the testconnection and SSH connection attempts, focusing on authenticated users performing unexpected commands. 4. Implement network segmentation to isolate telephony infrastructure from critical business systems, limiting lateral movement in case of compromise. 5. Conduct regular audits of user accounts with access to the administrative interface and revoke unnecessary privileges. 6. Employ intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics tuned to detect command injection patterns targeting FreePBX. 7. Educate administrators on the risks of this vulnerability and encourage prompt patch management practices. 8. Consider deploying application-layer firewalls or web application firewalls (WAF) that can detect and block injection attempts at the HTTP level.