CVE-2025-64328 is an OS command injection vulnerability classified under CWE-78, affecting the filestore module within the FreePBX Endpoint Manager administrative interface. Specifically, versions 17.0.2.36 through 17.0.3 (exclusive) contain a flaw in the testconnection -> check_ssh_connect() function, which improperly neutralizes special characters in user-supplied input. This improper sanitization allows an authenticated user to inject arbitrary OS commands that are executed with the privileges of the 'asterisk' user on the underlying system. The vulnerability requires authentication but no additional user interaction or elevated privileges beyond a known user account. Successful exploitation can lead to remote code execution, enabling attackers to gain control over the telephony system, manipulate call routing, intercept communications, or pivot to other internal network resources. The issue was publicly disclosed on November 7, 2025, with a CVSS v4.0 score of 8.6, indicating high severity. The vendor addressed the vulnerability in FreePBX version 17.0.3. No known active exploits have been reported to date, but the potential impact on telephony infrastructure is significant given FreePBX's widespread use in enterprise and service provider environments.

The impact of CVE-2025-64328 is substantial for organizations relying on FreePBX for telephony management. Exploitation allows attackers to execute arbitrary commands as the 'asterisk' user, which typically has extensive control over telephony functions and potentially underlying system resources. This can lead to unauthorized call interception, manipulation of call routing, disruption of telephony services, and potential lateral movement within the network. Given FreePBX's deployment in many enterprises, call centers, and service providers worldwide, a successful attack could result in significant operational disruption, data breaches involving call metadata or recordings, and reputational damage. The vulnerability's post-authentication nature means that attackers who have compromised or obtained valid user credentials can escalate their access to full system control. This elevates the risk in environments where user credentials are weak, reused, or exposed through phishing or insider threats. The absence of known exploits in the wild currently provides a window for remediation, but the high severity score underscores the urgency of patching.

Organizations should immediately upgrade FreePBX Endpoint Manager to version 17.0.3 or later, where this vulnerability is patched. Until patching is possible, restrict access to the FreePBX administrative interface to trusted networks and users only, employing network segmentation and firewall rules to limit exposure. Implement strong authentication controls, including multi-factor authentication (MFA), to reduce the risk of credential compromise. Regularly audit user accounts and permissions to ensure that only necessary users have access to the administrative interface. Monitor system and application logs for unusual activity, especially commands executed by the 'asterisk' user or unexpected SSH connection attempts. Consider deploying host-based intrusion detection systems (HIDS) to detect anomalous command execution. Educate users about phishing and credential security to prevent initial account compromise. Finally, maintain up-to-date backups of telephony configurations and system states to enable rapid recovery in case of compromise.