CVE-2025-64328 is an OS command injection vulnerability classified under CWE-78 affecting the FreePBX Endpoint Manager module, specifically the filestore component within the administrative interface. The flaw exists in versions 17.0.2.36 through 17.0.3 (exclusive) and is triggered via the testconnection -> check_ssh_connect() function. An authenticated user with valid credentials can exploit this vulnerability by injecting malicious commands that the system executes without proper sanitization or neutralization of special characters. This leads to arbitrary command execution on the underlying operating system with the privileges of the 'asterisk' user, which typically has significant control over the telephony system. The vulnerability does not require additional user interaction and can be exploited remotely over the network. The CVSS v4.0 score of 8.6 reflects the high impact on confidentiality, integrity, and availability, combined with low attack complexity and no need for user interaction. The flaw allows attackers to potentially take over telephony endpoints, intercept or manipulate calls, disrupt services, or pivot to other parts of the network. The issue has been addressed in FreePBX version 17.0.3, which includes proper input validation and command sanitization to prevent injection attacks.

For European organizations, this vulnerability poses a significant risk to telephony infrastructure security and operational continuity. FreePBX is widely used in enterprise and service provider environments across Europe for managing VoIP endpoints and call routing. Exploitation could lead to unauthorized access to voice systems, interception or manipulation of calls, disruption of communication services, and potential lateral movement within corporate networks. This could impact confidentiality of sensitive communications, integrity of telephony configurations, and availability of critical voice services. Organizations in sectors such as finance, healthcare, government, and telecommunications are particularly vulnerable due to their reliance on secure and reliable telephony. Additionally, compromised systems could be leveraged for fraud, espionage, or denial of service attacks. The post-authentication requirement limits exposure somewhat but does not eliminate risk, especially in environments with weak credential management or insider threats.

European organizations should immediately upgrade FreePBX Endpoint Manager to version 17.0.3 or later to apply the official patch that fixes the command injection vulnerability. Until patching is possible, restrict access to the administrative interface to trusted networks and users only, employing network segmentation and firewall rules to limit exposure. Implement strong authentication mechanisms, including multi-factor authentication, to reduce the risk of credential compromise. Regularly audit user accounts and privileges to ensure only authorized personnel have access to the affected modules. Monitor system logs and network traffic for unusual SSH connection attempts or command execution patterns indicative of exploitation attempts. Employ intrusion detection/prevention systems tuned to detect command injection signatures. Conduct security awareness training to reduce insider threat risks. Finally, maintain up-to-date backups of telephony configurations and system states to enable rapid recovery in case of compromise.