CVE-2025-67513: CWE-521: Weak Password Requirements in FreePBX security-reporting
FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions prior to 16.0.96 and 17.0.1 through 17.0.9 have a weak default password. By default, this is a 6 digit numeric value which can be brute forced. (This is the app_password parameter). Depending on local configuration, this password could be the extension, voicemail, user manager, DPMA or EPM phone admin password. This issue is fixed in versions 16.0.96 and 17.0.10.
AI Analysis
Technical Summary
CVE-2025-67513 identifies a weakness in the FreePBX Endpoint Manager module: in versions prior to 16.0.96 and in 17.0.1 through 17.0.9, the default value of the app_password parameter is a six-digit numeric string. Depending on local configuration, that same value may serve as the extension (SIP) secret, the voicemail PIN, the User Manager password, the DPMA password, or the EPM phone-admin password. A six-digit numeric secret has at most 1,000,000 possible values, so an attacker who can reach the relevant service (SIP registration, voicemail retrieval, or the management interface) can exhaust the whole space in hours at modest request rates; the advisory does not mention any lockout or rate limiting that would slow this down, and no prior authentication or user interaction is required. Successful exploitation lets the attacker register as the extension, retrieve voicemail, or change endpoint configuration, which in turn enables call interception, toll fraud, or service disruption. The vulnerability is classified under CWE-521 (Weak Password Requirements) and carries a CVSS 4.0 base score of 6.9, the top of the Medium band. No exploitation in the wild has been reported. The issue is fixed in Endpoint Manager 16.0.96 and 17.0.10; the advisory does not describe the new default, so administrators should confirm after upgrading that previously provisioned app_password values were actually rotated rather than assume the upgrade did it.
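The following Python script, added here as an illustration and not code from the FreePBX project or the advisory, shows the kind of credential audit the paragraph above calls for: it parses constructed samples shaped like the pjsip.auth.conf and voicemail.conf files FreePBX writes under /etc/asterisk, flags secrets that are all-numeric and six digits or shorter, and reports the worst-case exhaustion time at an assumed guess rate. The sample accounts, the file contents, and the 50 guesses per second rate are assumptions.

```python
"""Audit Asterisk/FreePBX credential files for weak numeric secrets.

Added example, not FreePBX project code. Parses two constructed samples
shaped like FreePBX-generated files: pjsip.auth.conf (type=auth sections
with username/password) and voicemail.conf (mailbox => pin,name,... lines).
"""
import re
from dataclasses import dataclass

MAX_WEAK_DIGITS = 6          # the advisory's default: six-digit numeric app_password
ATTEMPTS_PER_SECOND = 50.0   # assumed attacker guess rate for the worst-case estimate

# Constructed sample resembling FreePBX-generated /etc/asterisk/pjsip.auth.conf
SAMPLE_PJSIP_AUTH = """\
[1001-auth]
type=auth
auth_type=userpass
password=483921
username=1001

[1002-auth]
type=auth
auth_type=userpass
password=p7Gq2xLm9ZtRw4Vb
username=1002

[1003-auth]
type=auth
auth_type=userpass
password=20251210
username=1003
"""

# Constructed sample resembling /etc/asterisk/voicemail.conf
SAMPLE_VOICEMAIL = """\
[general]
format=wav49|gsm|wav
maxsecs=600

[default]
1001 => 483921,Alice Example,alice@example.invalid
1002 => 7391028465,Bob Example,bob@example.invalid
"""

_SECTION = re.compile(r"^\[([^\]]+)\]")
_KV = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$")
_VM = re.compile(r"^\s*(\d+)\s*=>\s*([^,]*)")


@dataclass
class Finding:
    source: str      # "pjsip" or "voicemail"
    account: str
    reason: str
    secret_len: int


def parse_asterisk_ini(text):
    """Return {section: {key: value}} for an Asterisk ini-style file (';' starts a comment)."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.split(";", 1)[0].rstrip()
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        m = _KV.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return sections


def brute_force_hours(secret_len, rate=ATTEMPTS_PER_SECOND):
    """Worst-case hours to exhaust an all-numeric secret of secret_len digits."""
    return (10 ** secret_len) / rate / 3600


def audit_pjsip_auth(text):
    """SIP secrets are typed into a device config, never a keypad: any all-numeric value is weak."""
    findings = []
    for name, kv in parse_asterisk_ini(text).items():
        if kv.get("type") != "auth":
            continue
        user, secret = kv.get("username", name), kv.get("password", "")
        if not secret:
            findings.append(Finding("pjsip", user, "empty secret", 0))
        elif secret.isdigit():
            reason = f"all-numeric SIP secret ({len(secret)} digits"
            if len(secret) <= MAX_WEAK_DIGITS:
                reason += f", exhaustible in ~{brute_force_hours(len(secret)):.1f} h at {ATTEMPTS_PER_SECOND:.0f}/s"
            findings.append(Finding("pjsip", user, reason + ")", len(secret)))
    return findings


def audit_voicemail(text):
    """Voicemail PINs must be numeric (dialed on a keypad), so only short ones are flagged."""
    findings, section = [], None
    for line in text.splitlines():
        line = line.split(";", 1)[0].rstrip()
        m = _SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = _VM.match(line)
        if not m or section in (None, "general", "zonemessages"):
            continue
        mailbox, pin = m.group(1), m.group(2).strip()
        if not pin:
            findings.append(Finding("voicemail", mailbox, "empty PIN", 0))
        elif pin.isdigit() and len(pin) <= MAX_WEAK_DIGITS:
            findings.append(Finding("voicemail", mailbox,
                                    f"{len(pin)}-digit PIN: at most {10 ** len(pin):,} guesses", len(pin)))
    return findings


def run_audit(pjsip_text=SAMPLE_PJSIP_AUTH, voicemail_text=SAMPLE_VOICEMAIL):
    """Run both audits and return findings sorted by source and account."""
    return sorted(audit_pjsip_auth(pjsip_text) + audit_voicemail(voicemail_text),
                  key=lambda f: (f.source, f.account))


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.source:9} {f.account:6} {f.reason}")
```

On a real PBX, point run_audit at the contents of the two files under /etc/asterisk; the extension 1001 in the sample reuses the same six-digit value as both SIP secret and voicemail PIN, which is exactly the reuse the advisory describes.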
Potential Impact
For European organizations, this vulnerability threatens the confidentiality and integrity of telephony communications and of the PBX's administrative controls. An attacker who recovers an extension's secret can register a rogue device as that extension, receiving its inbound calls and placing outbound calls billed to the organization, can listen to or delete voicemail, and, where the same value serves as the EPM phone-admin or User Manager password, can alter endpoint configuration. Toll fraud and call monitoring are the likely outcomes; disruption of phone service is possible but secondary. Organizations that rely on FreePBX for critical communications, especially in finance, healthcare, or government, face operational and data-leakage risk, and exposure is highest where SIP registration, phone provisioning, or management interfaces are reachable from the internet or from poorly segmented internal networks. Unauthorized access to call content or voicemail can carry reputational and compliance consequences under regulations such as GDPR.
Mitigation Recommendations
European organizations should verify the installed Endpoint Manager version (for example with fwconsole ma list on the PBX) and upgrade to 16.0.96 or 17.0.10 or later. The advisory does not say whether the fix rotates secrets that were already provisioned, so after upgrading, rotate app_password for every endpoint and confirm that no extension, voicemail, User Manager, DPMA, or phone-admin credential still holds a six-digit numeric value. Apply a password policy that fits each credential type: SIP and administrative secrets are never typed on a keypad, so make them long random alphanumeric strings; voicemail PINs must remain numeric, so require more digits and pair them with lockout. Enable FreePBX's Intrusion Detection (fail2ban) or an equivalent so that repeated authentication failures block the source address, and keep Asterisk's security log enabled and forwarded to central logging. Do not expose SIP registration, phone provisioning, or the web administration interface directly to the internet; place them behind a VPN or IP allowlists, segment telephony management from general user networks, and restrict access to trusted personnel. Review telephony configuration and logs regularly, and alert on unusual call patterns (international or premium-rate calls outside business hours, bursts of short calls) and on unexpected configuration or registration changes, which are early indicators of exploitation.
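As an added example of the log-based detection recommended above (not code from FreePBX or the advisory), the following Python script parses Asterisk security-log lines, counts InvalidPassword events per source address in a sliding window, and additionally flags a SuccessfulAuth from a source that had already crossed the failure threshold, which is the signature of a guess that finally landed. The log lines are constructed in the shape Asterisk's res_security_log emits; the threshold, window, addresses, and account numbers are assumptions.

```python
"""Detect SIP credential brute forcing in Asterisk security-log lines.

Added example, not FreePBX project code. Input lines are constructed in the
shape res_security_log writes: a timestamp prefix, then SecurityEvent="..."
followed by comma-separated key="value" fields. RemoteAddress is laid out
as IPV4/UDP/address/port. Threshold and window values are assumptions.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

FIELD = re.compile(r'(\w+)="([^"]*)"')
TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"


def _line(offset, event, account, ip, port=5060):
    """Build one constructed log line, `offset` seconds after 10:00:00 (sample data only)."""
    m, s = divmod(offset, 60)
    stamp = f"2025-12-10T10:{m:02d}:{s:02d}.000+0000"
    return (f'[2025-12-10 10:{m:02d}:{s:02d}] SECURITY[2048] res_security_log.c: '
            f'SecurityEvent="{event}",EventTV="{stamp}",Severity="Error",Service="PJSIP",'
            f'EventVersion="2",AccountID="{account}",SessionID="0x7f3a1c0d5e10",'
            f'LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/{ip}/{port}"')


# Constructed sample: a normal registration, one typo from a legitimate user, and
# twelve guesses against extension 1001 from 203.0.113.7 followed by a success.
SAMPLE_LOG = (
    [_line(0, "ChallengeSent", "1002", "10.0.0.20"),
     _line(1, "SuccessfulAuth", "1002", "10.0.0.20"),
     _line(5, "InvalidPassword", "1003", "198.51.100.9"),
     _line(20, "SuccessfulAuth", "1003", "198.51.100.9"),
     "[2025-12-10 10:00:25] NOTICE[2048] chan_sip.c: unrelated non-security line"]
    + [_line(30 + i * 4, "InvalidPassword", "1001", "203.0.113.7") for i in range(12)]
    + [_line(90, "SuccessfulAuth", "1001", "203.0.113.7")]
)


@dataclass
class Alert:
    kind: str          # "brute_force" or "success_after_failures"
    remote_ip: str
    account: str       # comma-joined list for brute_force, single account otherwise
    count: int         # failures from this source inside the window


def parse_event(line):
    """Return the key/value fields of a security-event line, or None for other lines."""
    if "SecurityEvent=" not in line:
        return None
    ev = dict(FIELD.findall(line))
    ev["ts"] = datetime.strptime(ev["EventTV"], TS_FMT)
    parts = ev.get("RemoteAddress", "").split("/")
    ev["remote_ip"] = parts[2] if len(parts) >= 4 else ev.get("RemoteAddress", "")
    return ev


def detect_bruteforce(lines, threshold=10, window_seconds=300):
    """Alert once per source that reaches `threshold` failures within the window,
    and again if that source later authenticates successfully."""
    recent = defaultdict(deque)    # remote_ip -> timestamps of failures still in the window
    accounts = defaultdict(set)    # remote_ip -> AccountIDs it has failed against
    alerted, alerts = set(), []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ip, ts, acct = ev["remote_ip"], ev["ts"], ev.get("AccountID", "?")
        q = recent[ip]
        if ev["SecurityEvent"] == "InvalidPassword":
            q.append(ts)
            accounts[ip].add(acct)
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append(Alert("brute_force", ip, ",".join(sorted(accounts[ip])), len(q)))
        elif ev["SecurityEvent"] == "SuccessfulAuth" and ip in alerted:
            alerts.append(Alert("success_after_failures", ip, acct, len(q)))
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"{a.kind:24} {a.remote_ip:15} account(s)={a.account} failures={a.count}")
```

The second alert kind is the one worth paging on: a source that was guessing and then succeeded now holds a valid extension secret, and the matching account should have its app_password rotated and its registrations reviewed immediately. With a six-digit default, ten failures in five minutes is a conservative threshold; a real brute force of the full space will trip it within the first minute.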
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-08T21:46:24.993Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6939f84c7cb4621ebe960e97
Added to database: 12/10/2025, 10:46:36 PM
Last enriched: 12/17/2025, 11:13:41 PM
Last updated: 2/6/2026, 10:40:48 AM