CVE-2025-67513: CWE-521: Weak Password Requirements in FreePBX endpoint
FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions prior to 16.0.96 and 17.0.1 through 17.0.9 have a weak default password. By default, this is a 6-digit numeric value which can be brute forced (this is the app_password parameter). Depending on local configuration, this password could be the extension, voicemail, user manager, DPMA or EPM phone admin password. This issue is fixed in versions 16.0.96 and 17.0.10.
AI Analysis
Technical Summary
CVE-2025-67513 identifies a weakness in the FreePBX Endpoint Manager module, which is widely used to manage telephony endpoints in FreePBX systems. The vulnerability stems from the default value of the app_password parameter, which is a 6-digit numeric password. A space of only 1 million possibilities is susceptible to brute force attacks, especially since no prior authentication or user interaction is required to attempt guesses. Depending on local configuration, app_password doubles as the extension, voicemail, user manager, DPMA or EPM phone admin password, so guessing it can give an attacker unauthorized administrative control over telephony endpoints. The affected versions are all releases prior to 16.0.96 and versions from 17.0.1 up to but not including 17.0.10. The vulnerability has a CVSS 4.0 base score of 6.9, reflecting its network attack vector, low attack complexity, and no required privileges or user interaction. Although no known exploits are currently reported in the wild, the ease of brute forcing weak numeric passwords makes this a significant risk. FreePBX addressed the issue in versions 16.0.96 and 17.0.10; the advisory does not describe the fix, which presumably enforces a stronger default or lets administrators set more secure credentials.
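As an added illustration (not from the advisory or the FreePBX project), the Python below turns the search-space argument above into an audit over a constructed set of endpoint records: it estimates the keyspace in bits from the character classes present, converts that into a worst-case exhaustion time at an assumed guess rate, flags values matching the 6-digit numeric default pattern, and generates a replacement from the OS CSPRNG. The sample records, the 12-character/60-bit policy thresholds and the guess rate are assumptions for the example; how you export the current app_password values from your own deployment is outside its scope.

```python
import math
import re
import secrets
import string

# Constructed sample of endpoint records (extension -> app_password).
# These are made-up values for the example, not data from any real system.
SAMPLE_ENDPOINTS = {
    "1001": "482913",          # 6-digit numeric, the default pattern described in the advisory
    "1002": "111111",          # numeric and a single repeated character
    "1003": "Kx7!pq92Lm4#Vt",  # 14 characters drawn from four character classes
    "1004": "password1",       # lowercase plus one digit, too short for the assumed policy
}

DIGITS_ONLY = re.compile(r"^\d+$")

# Assumed policy thresholds for this example; choose your own for production.
MIN_LENGTH = 12
MIN_BITS = 60


def keyspace_bits(password: str) -> float:
    """Estimate the brute-force search space in bits from the character classes present.

    This is an upper bound (uniform random choice over the observed classes);
    patterned or dictionary values are weaker than this number suggests.
    """
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0


def exhaust_seconds(bits: float, guesses_per_second: float) -> float:
    """Seconds needed to try every value in a space of the given size."""
    return (2.0 ** bits) / guesses_per_second


def assess(password: str) -> list:
    """Return a list of policy findings; an empty list means the value passes."""
    findings = []
    if DIGITS_ONLY.match(password):
        findings.append("numeric-only")
        if len(password) == 6:
            findings.append("matches-6-digit-default-pattern")
    if len(set(password)) == 1:
        findings.append("single-repeated-character")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter-than-{MIN_LENGTH}")
    if keyspace_bits(password) < MIN_BITS:
        findings.append(f"below-{MIN_BITS}-bits")
    return findings


def audit(endpoints: dict) -> dict:
    """Map each extension that has at least one finding to its findings."""
    report = {}
    for ext, pw in endpoints.items():
        findings = assess(pw)
        if findings:
            report[ext] = findings
    return report


def generate_password(length: int = 16) -> str:
    """Produce a replacement value from the OS CSPRNG that satisfies assess()."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not assess(candidate):
            return candidate


if __name__ == "__main__":
    rate = 1_000.0  # assumed guesses per second, for illustration only
    for ext, pw in SAMPLE_ENDPOINTS.items():
        bits = keyspace_bits(pw)
        print(f"{ext}: {bits:5.1f} bits, exhausted in {exhaust_seconds(bits, rate):.3g} s, "
              f"findings={assess(pw)}")
    for ext in audit(SAMPLE_ENDPOINTS):
        print(f"{ext}: replacement -> {generate_password()}")
```

At the assumed 1,000 guesses per second the 6-digit default is exhausted in about 17 minutes, while the 14-character mixed-class value in the sample is out of reach; the audit reports only the three extensions whose values fail the assumed policy.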
Potential Impact
For European organizations, exploitation of this vulnerability could lead to unauthorized access to telephony systems, allowing attackers to intercept calls, manipulate voicemail, or disrupt telephony services. This could result in confidentiality breaches of sensitive communications, integrity violations through unauthorized configuration changes, and availability impacts if telephony endpoints are disabled or misconfigured. Organizations relying on FreePBX for critical communication infrastructure, especially in sectors like finance, healthcare, and government, face elevated risks. Additionally, compromised telephony systems could be leveraged for further attacks such as social engineering or fraud. The medium severity rating reflects the balance between the ease of exploitation and the scope of impact, but the lack of authentication requirements and the critical nature of telephony systems amplify the potential damage.
Mitigation Recommendations
European organizations should immediately verify their FreePBX Endpoint Manager versions and upgrade to 16.0.96 or later on the 16 branch, or 17.0.10 or later on the 17 branch. Beyond patching, administrators must enforce strong password policies, replacing any default or weak numeric passwords with complex alphanumeric passwords of sufficient length. Implement rate limiting or account lockout on authentication attempts to mitigate brute force attacks. Network segmentation should isolate telephony management interfaces from public or untrusted networks. Enable monitoring and logging of authentication attempts against the Endpoint Manager so that suspicious activity, such as bursts of failed attempts against one extension, can be detected. Additionally, organizations should conduct regular audits of telephony configurations and credentials, and educate staff on the risks associated with weak telephony passwords. Where feasible, multi-factor authentication should be implemented for administrative access to telephony management systems.
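The monitoring and rate-limiting recommendations above can be checked against a log stream. The Python below is an added example, not code from the advisory or the FreePBX project: it parses a constructed set of authentication events and flags any (source, extension) pair that exceeds a failure threshold inside a sliding time window. The line format, addresses, extensions and thresholds are all assumptions for the example; Endpoint Manager's real log format differs, so the parser must be adapted to whatever your deployment writes. The `key` parameter lets the same window be applied per extension regardless of source, which catches guessing that is spread across many addresses to stay under a per-source limit.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log for the example (not the real Endpoint Manager log
# format): one burst of failures from a single source against extension 1001,
# plus a few unrelated attempts against extension 1002 spread over minutes.
BURST = "\n".join(
    f"2026-03-01T10:00:{2 * i:02d}Z 203.0.113.7 ext=1001 result=FAIL" for i in range(12)
)
SAMPLE_LOG = BURST + """
2026-03-01T10:00:05Z 198.51.100.4 ext=1002 result=FAIL
2026-03-01T10:03:20Z 198.51.100.4 ext=1002 result=FAIL
2026-03-01T10:06:40Z 198.51.100.4 ext=1002 result=OK
"""

# Assumed line layout: <ISO-8601 UTC timestamp> <source> ext=<extension> result=<OK|FAIL>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) ext=(?P<ext>\d+) result=(?P<res>OK|FAIL)$"
)


def parse_line(line: str):
    """Return (epoch_seconds, source, extension, success) or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts.timestamp(), m["src"], m["ext"], m["res"] == "OK"


def parse_log(text: str) -> list:
    """Parse every recognisable line of the log text into event tuples."""
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def detect_bursts(events, max_failures: int = 10, window_seconds: int = 60,
                  key=lambda src, ext: (src, ext)) -> dict:
    """Sliding-window failure counter.

    Returns a dict mapping each key (by default the (source, extension) pair)
    whose failed attempts exceeded max_failures within any window_seconds span
    to the largest count observed. Successful attempts are ignored.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, src, ext, ok in sorted(events):
        if ok:
            continue
        k = key(src, ext)
        q = recent[k]
        q.append(ts)
        # Drop failures that have aged out of the window.
        while q and ts - q[0] > window_seconds:
            q.popleft()
        if len(q) > max_failures:
            flagged[k] = max(flagged.get(k, 0), len(q))
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("per source+extension:", detect_bursts(events))
    print("per extension only:  ", detect_bursts(events, key=lambda src, ext: ext))
```

With the default thresholds only the burst against extension 1001 is flagged; the two spaced-out failures from the second address fall outside a 60-second window. Feeding the flagged keys into a lockout or rate-limiter is the natural next step, and the per-extension view is the one to alert on when the per-source view stays quiet.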
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-08T21:46:24.993Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6939f84c7cb4621ebe960e97
Added to database: 12/10/2025, 10:46:36 PM
Last enriched: 2/14/2026, 7:12:25 AM
Last updated: 3/24/2026, 12:10:42 AM