
CVE-2025-67513: CWE-521: Weak Password Requirements in FreePBX security-reporting

0
Medium
Tags: Vulnerability, CVE-2025-67513, cve, cwe-521
Published: Wed Dec 10 2025 (12/10/2025, 22:43:06 UTC)
Source: CVE Database V5
Vendor/Project: FreePBX
Product: security-reporting

Description

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions prior to 16.0.96 and 17.0.1 through 17.0.9 have a weak default password. By default, this is a 6 digit numeric value which can be brute forced. (This is the app_password parameter). Depending on local configuration, this password could be the extension, voicemail, user manager, DPMA or EPM phone admin password. This issue is fixed in versions 16.0.96 and 17.0.10.

AI-Powered Analysis

AI analysis last updated: 12/10/2025, 23:01:32 UTC

Technical Analysis

CVE-2025-67513 is a weak-default-password issue (CWE-521) in the FreePBX Endpoint Manager module. In versions before 16.0.96, and in 17.0.1 through 17.0.9, the app_password parameter is generated by default as a 6-digit numeric value, a keyspace of only 1,000,000 candidates. Depending on how the installation is configured, that same value is used as the extension (SIP) secret, the voicemail PIN, the User Manager password, the DPMA password or the EPM phone-admin password, so one weak default can protect several different services on the same system. No existing credentials or user interaction are needed to attack it: anyone who can reach whichever service consumes the credential (for example, SIP registration on the PBX, or the handset's own admin interface) can iterate through the candidates until one is accepted, and at a modest 100 guesses per second the whole space is exhausted in under three hours. A successful guess gives control of the account or endpoint concerned, which can be used for call monitoring, call manipulation, toll fraud or disruption of telephony service. The page reports a CVSS 4.0 base score of 6.9 (medium), reflecting a network attack vector, low attack complexity and no privileges or user interaction required. No in-the-wild exploitation is reported. The fix ships in 16.0.96 and 17.0.10; the advisory does not describe the new default or say whether existing credentials are regenerated, so administrators should verify after upgrading that newly generated values are no longer 6-digit numerics and re-key endpoints that still carry the old pattern.
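The following is an added example, not code from FreePBX or from this advisory: a small audit that flags credentials matching the weak default shape described above, shows why the 6-digit space is trivial to exhaust, and generates a replacement that passes a stricter policy. It assumes you have exported each endpoint's credential to a two-column CSV (extension, secret); the export below is constructed sample data, and the policy thresholds (12 characters, three character classes) are this example's choices, not a FreePBX setting.

```python
import csv
import io
import re
import secrets
import string

# Constructed sample export, not real FreePBX data. Assumption: one row per
# endpoint, with whichever of extension secret, voicemail PIN, DPMA or EPM
# phone-admin password app_password was applied to in the "secret" column.
SAMPLE_EXPORT = """extension,secret
1001,482913
1002,000000
1003,Vq7!mZp2kL9sRt4wXb1c
1004,2048
1005,abcdef
"""

SIX_DIGIT = re.compile(r"\d{6}")
MIN_LENGTH = 12          # example policy, not a FreePBX default
CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation)


def classify(secret: str) -> str:
    """Policy verdict for one credential, most specific finding first."""
    if SIX_DIGIT.fullmatch(secret):
        return "weak-default-pattern"   # the CVE-2025-67513 default shape
    if secret.isdigit():
        return "weak-numeric"
    if len(secret) < MIN_LENGTH:
        return "weak-short"
    present = sum(1 for cls in CHAR_CLASSES if any(c in cls for c in secret))
    if present < 3:
        return "weak-few-classes"
    return "ok"


def audit(csv_text: str) -> dict:
    """Map extension -> verdict for every row of the export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["extension"].strip(): classify(row["secret"].strip())
            for row in reader}


def seconds_to_exhaust(alphabet_size: int, length: int,
                       guesses_per_second: float) -> float:
    """Worst-case time to try every value of a fixed-length password."""
    return (alphabet_size ** length) / guesses_per_second


def strong_secret(length: int = 20,
                  alphabet: str = string.ascii_letters + string.digits) -> str:
    """Random replacement credential. Alphanumeric by default because the
    same value may be pushed to handsets by provisioning and some phones
    reject punctuation (assumption: check your endpoint models' limits)."""
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if classify(candidate) == "ok":
            return candidate


if __name__ == "__main__":
    for ext, verdict in audit(SAMPLE_EXPORT).items():
        print(ext, verdict)
    hours = seconds_to_exhaust(10, 6, 100) / 3600
    print("6-digit numeric PIN at 100 guesses/s: %.1f hours" % hours)
    print("replacement example:", strong_secret())
```

Run it against the real export and treat every "weak-default-pattern" row as a credential to rotate, not just the ones on extensions you consider sensitive: the same value may also be the voicemail PIN or the phone-admin password, as the description notes.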

Potential Impact

For European organizations, this vulnerability poses a real risk to the confidentiality and integrity of telephony communications. A compromised account or endpoint can be used to eavesdrop on sensitive conversations, to forward calls or commit toll fraud (premium-rate or international dialling billed to the victim), and to disrupt business communications. Organizations that rely on FreePBX for internal or customer-facing telephony may suffer operational disruption or reputational damage if it is exploited. FreePBX is widely used by small and medium-sized enterprises and call centres, including in sectors such as finance, healthcare and government, where the consequences of eavesdropping are most severe. Telephony systems also commonly integrate with directory, CRM and network infrastructure, so a compromised PBX account can serve as a pivot point for broader intrusion. Because exploitation needs neither existing credentials nor user interaction, the barrier for attackers is low, and the likelihood of exploitation rises the longer systems remain unpatched.

Mitigation Recommendations

European organizations should verify the installed Endpoint Manager module version and upgrade to the fixed release for their branch: 16.0.96 or later on FreePBX 16, 17.0.10 or later on FreePBX 17. Upgrading fixes the default; the advisory does not say whether existing credentials are regenerated, so after the upgrade audit every extension, voicemail, User Manager, DPMA and EPM phone-admin password for the 6-digit numeric pattern and replace any that match. Where patching must wait, replace the defaults by hand with long random values (at least 12 characters, preferably longer, mixing character classes); because the same value may be pushed to handsets by provisioning, confirm that the chosen character set is accepted by the phone models in use and reprovision them after the change. Reduce exposure of the services that consume the credential: keep SIP and the phone admin interface off the public Internet where possible, use the FreePBX Firewall module or network ACLs to restrict them to known addresses or a VPN, and enable FreePBX's Intrusion Detection (fail2ban) so repeated authentication failures from one address are banned. Review the Asterisk security event log (res_security_log) and the full log for bursts of failed registrations or wrong-password events against a single account. Segment telephony infrastructure from the general IT network to limit lateral movement, enforce the strong-password policy on all telephony accounts going forward, and monitor vendor advisories for exploit reports or follow-up fixes.
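To make the log-review step concrete, here is an added example, not code from FreePBX, Asterisk or this advisory, that runs a sliding-window brute-force detector over Asterisk security events. The log lines are constructed in the key="value" style that Asterisk's res_security_log writes; field names and the exact line prefix should be checked against your own /var/log/asterisk/security before the parser is trusted, and the threshold (5 failures in 60 seconds against one account from one address) is this example's choice.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample, not a capture from a real system. Six InvalidPassword
# events from one address against extension 1001 within fifteen seconds,
# one isolated failure from another address, and one successful login.
def _line(ts, event, account, ip):
    return ('[{0}] SECURITY[2187] res_security_log.c: SecurityEvent="{1}",'
            'EventTV="{2}",Severity="{3}",Service="PJSIP",EventVersion="2",'
            'AccountID="{4}",SessionID="0x7f3c2c004a10",'
            'LocalAddress="IPV4/UDP/192.0.2.10/5060",'
            'RemoteAddress="IPV4/UDP/{5}/5060"').format(
        ts.strftime("%Y-%m-%d %H:%M:%S"), event,
        ts.strftime("%Y-%m-%dT%H:%M:%S.000%z"),
        "Informational" if event == "SuccessfulAuth" else "Error", account, ip)

_T0 = datetime(2025, 12, 10, 22, 43, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [_line(_T0 + timedelta(seconds=3 * i), "InvalidPassword", "1001", "203.0.113.7")
              for i in range(6)]
SAMPLE_LOG.insert(3, _line(_T0 + timedelta(seconds=7), "InvalidPassword", "1002", "198.51.100.4"))
SAMPLE_LOG.append(_line(_T0 + timedelta(seconds=40), "SuccessfulAuth", "1003", "198.51.100.9"))

KV = re.compile(r'(\w+)="([^"]*)"')
# Event names that indicate a failed authentication attempt.
FAILURE_EVENTS = {"InvalidPassword", "ChallengeResponseFailed", "InvalidAccountID"}


def parse_event(line: str):
    """Extract timestamp, event name, remote IP and account from one line,
    or return None for lines that are not security events."""
    if "SecurityEvent=" not in line:
        return None
    fields = dict(KV.findall(line))
    try:
        ts = datetime.strptime(fields["EventTV"], "%Y-%m-%dT%H:%M:%S.%f%z")
    except (KeyError, ValueError):
        return None
    # RemoteAddress looks like IPV4/UDP/203.0.113.7/5060; the IP is field 2.
    parts = fields.get("RemoteAddress", "").split("/")
    ip = parts[2] if len(parts) >= 3 else fields.get("RemoteAddress", "")
    return {"ts": ts, "event": fields["SecurityEvent"], "ip": ip,
            "account": fields.get("AccountID", "")}


def find_bruteforce(lines, threshold: int = 5, window_s: int = 60) -> dict:
    """Return {(ip, account): peak failure count} for every source that
    produced at least `threshold` failures within any `window_s` span."""
    windows = defaultdict(deque)
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["event"] not in FAILURE_EVENTS:
            continue
        key = (ev["ip"], ev["account"])
        q = windows[key]
        q.append(ev["ts"])
        while (q[-1] - q[0]).total_seconds() > window_s:
            q.popleft()               # drop failures older than the window
        if len(q) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts


if __name__ == "__main__":
    for (ip, account), count in find_bruteforce(SAMPLE_LOG).items():
        print("possible brute force: %s against account %s (%d failures)" % (ip, account, count))
```

A 6-digit PIN attack shows up as exactly this shape, many failures against one AccountID from one address, so keying the window on (ip, account) rather than on ip alone keeps the detector from firing on a shared NAT address where several phones occasionally mistype. In production, feed the same lines to fail2ban (which is what FreePBX's Intrusion Detection does) rather than only reporting them.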


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-12-08T21:46:24.993Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6939f84c7cb4621ebe960e97

Added to database: 12/10/2025, 10:46:36 PM

Last enriched: 12/10/2025, 11:01:32 PM

Last updated: 12/11/2025, 12:59:45 AM
