CVE-2025-64328 is an OS command injection vulnerability classified under CWE-78, found in the FreePBX Endpoint Manager module, specifically within the filestore component of the administrative interface. The vulnerability affects versions 17.0.2.36 through 17.0.3 (exclusive). It arises from improper neutralization of special elements in OS commands within the testconnection -> check_ssh_connect() function. An authenticated user with known credentials can exploit this flaw by injecting malicious commands, which the system executes with the privileges of the 'asterisk' user. This user typically has significant control over telephony services, making the impact severe. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network. The CVSS 4.0 score is 8.6 (high), reflecting the ease of exploitation (network vector, low attack complexity, no user interaction) and the high impact on confidentiality, integrity, and availability. The flaw allows attackers to gain unauthorized remote access, potentially leading to full compromise of telephony infrastructure, interception or manipulation of calls, and disruption of communications. The issue was publicly disclosed on November 7, 2025, and fixed in FreePBX version 17.0.3. No known exploits are currently reported in the wild, but the vulnerability's nature and impact warrant immediate attention.

For European organizations, the impact of CVE-2025-64328 is significant due to the widespread use of FreePBX in enterprise telephony systems. Successful exploitation can lead to unauthorized remote access to telephony servers, enabling attackers to intercept, manipulate, or disrupt voice communications. This can compromise sensitive business communications, lead to data leakage, and disrupt critical operations reliant on telephony. The attacker gaining access as the 'asterisk' user could also pivot to other internal systems, escalating the breach's severity. Organizations in sectors such as finance, healthcare, government, and critical infrastructure are particularly at risk due to their reliance on secure and reliable communication channels. Additionally, telephony service disruptions can impact customer service and operational continuity. Given the vulnerability requires authentication, insider threats or compromised credentials increase the risk. The lack of known exploits in the wild provides a window for proactive mitigation before widespread attacks occur.

European organizations should immediately upgrade FreePBX Endpoint Manager to version 17.0.3 or later to remediate the vulnerability. Until patching is complete, restrict administrative interface access to trusted networks and enforce strict authentication controls, including multi-factor authentication (MFA) to reduce the risk of credential compromise. Monitor logs for unusual SSH connection attempts or command execution patterns indicative of exploitation attempts. Implement network segmentation to isolate telephony infrastructure from general IT networks, limiting lateral movement opportunities. Conduct regular audits of user accounts with access to the administrative interface and revoke unnecessary privileges. Employ intrusion detection/prevention systems (IDS/IPS) tuned to detect command injection patterns and anomalous behavior on telephony servers. Finally, maintain an incident response plan tailored to telephony system compromises to enable rapid containment and recovery.