CVE-2025-67722: CWE-426: Untrusted Search Path in FreePBX security-reporting
FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to versions 16.0.45 and 17.0.24 of the FreePBX framework, an authenticated local privilege escalation exists in the deprecated FreePBX startup script `amportal`. In the deprecated `amportal` utility, the lookup for the `freepbx_engine` file occurs in `/etc/asterisk/` directories. Typically, these are configured by FreePBX as writable by the **asterisk** user and any members of the **asterisk** group. This means that a member of the **asterisk** group can add their own `freepbx_engine` file in `/etc/asterisk/`, and upon `amportal` executing, it would exec that file with root permissions (even though the file was created and placed by a non-root user). Versions 16.0.45 and 17.0.24 contain a fix for the issue. Other mitigation strategies are also available. Confirm only trusted local OS system users are members of the `asterisk` group. Look for suspicious files in the `/etc/asterisk/` directory (via Admin -> Config Edit in the GUI, or via CLI). Double-check that `live_dangerously = no` is set (or unconfigured, as the default is **no**) in the `/etc/asterisk/asterisk.conf` file. Eliminate any unsafe custom use of Asterisk dial plan applications and functions that can potentially manipulate the file system, e.g., System(), FILE(), etc.
AI Analysis
Technical Summary
CVE-2025-67722 is a local privilege escalation vulnerability in FreePBX, an open-source GUI that manages Asterisk telephony systems. The flaw is in the deprecated amportal startup script, which looks for the freepbx_engine executable in the /etc/asterisk/ directory. FreePBX typically makes this directory writable by the asterisk user and group, so any member of the asterisk group can place a freepbx_engine file of their own there. When amportal runs, it executes that file as root, escalating a non-root user to root. The vulnerability affects FreePBX versions prior to 16.0.45 and 17.x versions prior to 17.0.24; those two versions contain the fix. Exploitation requires authenticated local access and asterisk group membership but no additional user interaction. The vulnerability is classified under CWE-426 (Untrusted Search Path): an executable is resolved from a directory that untrusted users can write to, without validating the path. The CVSS 4.0 score is 5.7 (medium severity), reflecting the local attack vector and required privileges together with high impact on confidentiality, integrity, and availability. Mitigation involves upgrading FreePBX to a patched version, restricting asterisk group membership to trusted users only, auditing the /etc/asterisk/ directory for unauthorized files, ensuring the live_dangerously setting is disabled (the default is no), and avoiding unsafe dial plan applications that can manipulate the filesystem, such as System() or FILE(). No exploits are known in the wild yet, but the potential for root compromise makes this a significant risk for affected systems.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the security of VoIP and telephony infrastructures relying on FreePBX. Successful exploitation allows an attacker with authenticated local access and asterisk group membership to gain root privileges, potentially leading to full system compromise. This could result in unauthorized call interception, manipulation of telephony services, disruption of communications, and lateral movement within the network. Confidentiality of sensitive communications and integrity of telephony configurations can be severely impacted. Availability of telephony services may also be disrupted by malicious actions or system instability caused by the exploit. Given the critical role of telephony in business operations, especially in sectors like finance, healthcare, and government, the impact can extend to regulatory non-compliance and reputational damage. The requirement for local access and group membership limits the attack surface but insider threats or compromised user accounts increase risk. Organizations with remote access to FreePBX management interfaces or weak internal controls are particularly vulnerable.
Mitigation Recommendations
1. Upgrade FreePBX installations to version 16.0.45, 17.0.24, or later, where the vulnerability is patched.
2. Restrict membership of the asterisk group strictly to trusted system administrators and service accounts; audit group membership regularly.
3. Inspect the /etc/asterisk/ directory thoroughly to detect and remove any unauthorized or suspicious freepbx_engine files or other executables.
4. Verify that the live_dangerously setting in /etc/asterisk/asterisk.conf is set to no or left unconfigured (default no) to prevent unsafe operations.
5. Review and eliminate any custom dial plan applications or functions that allow filesystem manipulation, such as System() or FILE(), to reduce attack vectors.
6. Implement strict access controls and monitoring on FreePBX management interfaces to prevent unauthorized local access.
7. Employ host-based intrusion detection to alert on unexpected file creations or executions in /etc/asterisk/.
8. Educate administrators about the risks of deprecated utilities like amportal and encourage migration to supported management tools.
9. Maintain regular backups of telephony configurations and system states to enable recovery in case of compromise.
10. Monitor security advisories for any emerging exploits or additional patches related to this vulnerability.
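As an added defender's example (not FreePBX project code and not taken from the advisory), the following POSIX shell script turns the checks above (asterisk group membership, contents of /etc/asterisk/, the live_dangerously setting, and System()/FILE() use in the dialplan) into read-only audit functions. The function names, the allow-list parameter and the fixture files are assumptions of this example; TrySystem() and SHELL() are included beyond the advisory's list as Asterisk's other command and file primitives. The script runs against a constructed fixture so it works anywhere; point the functions at /etc/asterisk, /etc/group and /etc/passwd to audit a real host.

```shell
#!/bin/sh
# Added example (not FreePBX code): read-only audit of the CVE-2025-67722
# mitigations. Every function takes explicit paths so it can run against the
# constructed fixture below or against the real /etc/asterisk, /etc/group and
# /etc/passwd. Nothing here modifies the host.

# Check 1: report asterisk group members missing from an allow list. Covers the
# supplementary list in the group file and accounts whose primary GID is the
# asterisk group (those never appear on the /etc/group line).
audit_group_members() {
  group_file="$1"; passwd_file="$2"; allowed="$3"; unexpected=""
  gid=$(awk -F: '$1=="asterisk"{print $3}' "$group_file")
  supp=$(awk -F: '$1=="asterisk"{print $4}' "$group_file" | tr ',' ' ')
  prim=$(awk -F: -v g="$gid" 'g!="" && $4==g{print $1}' "$passwd_file" | tr '\n' ' ')
  for m in $supp $prim; do
    case " $allowed " in *" $m "*) ;; *) unexpected="$unexpected $m" ;; esac
  done
  if [ -n "$unexpected" ]; then
    echo "FAIL group: unexpected asterisk group members:$unexpected"; return 1
  fi
  echo "OK   group: only allowed members"; return 0
}

# Check 2: the config directory should hold configuration, not executables.
# Flag any file named freepbx_engine and any file with the owner-execute bit.
audit_engine_files() {
  dir="$1"
  hits=$(find "$dir" -maxdepth 1 -type f \( -name freepbx_engine -o -perm -100 \) 2>/dev/null)
  if [ -n "$hits" ]; then
    echo "FAIL files: executables or freepbx_engine present in $dir:"
    printf '%s\n' "$hits" | while IFS= read -r f; do ls -l "$f"; done
    return 1
  fi
  echo "OK   files: no executables in $dir"; return 0
}

# Check 3: live_dangerously must be unset (default no) or a false value.
# Asterisk config lines are "key = value" or "key => value"; ";" starts a comment.
audit_live_dangerously() {
  conf="$1"
  val=$(awk '
    { sub(/;.*/, "") }
    /^[[:space:]]*live_dangerously[[:space:]]*=>?/ {
      sub(/^[[:space:]]*live_dangerously[[:space:]]*=>?[[:space:]]*/, "")
      sub(/[[:space:]]+$/, ""); v = $0
    }
    END { print (v == "" ? "no" : v) }' "$conf" 2>/dev/null)
  case "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" in
    yes|true|y|t|1|on) echo "FAIL conf: live_dangerously=$val in $conf"; return 1 ;;
  esac
  echo "OK   conf: live_dangerously=$val"; return 0
}

# Check 4: dialplan primitives that run commands or touch files. System() and
# FILE() come from the advisory; TrySystem() and SHELL() are Asterisk's other
# command/file primitives. Comments are stripped before matching.
audit_dialplan() {
  dir="$1"; found=0
  for f in "$dir"/extensions*.conf; do
    [ -f "$f" ] || continue
    m=$(sed 's/;.*//' "$f" | grep -nE '(System|TrySystem|FILE|SHELL)\(' || true)
    if [ -n "$m" ]; then
      echo "FAIL dialplan: command/file primitives in $f:"
      printf '%s\n' "$m" | sed 's/^/  line /'
      found=1
    fi
  done
  if [ "$found" -eq 0 ]; then echo "OK   dialplan: no risky primitives in $dir"; fi
  return $found
}

# Run all four checks; the return value is the number of failed checks.
run_audit() {
  conf_dir="$1"; group_file="$2"; passwd_file="$3"; allowed="$4"; failures=0
  audit_group_members "$group_file" "$passwd_file" "$allowed" || failures=$((failures + 1))
  audit_engine_files "$conf_dir" || failures=$((failures + 1))
  audit_live_dangerously "$conf_dir/asterisk.conf" || failures=$((failures + 1))
  audit_dialplan "$conf_dir" || failures=$((failures + 1))
  echo "failed checks: $failures"
  return $failures
}

# Constructed fixture (not a real system): an extra "bob" in the asterisk group,
# a harmless marker file named freepbx_engine, live_dangerously left at "no",
# and one System() call in a custom dialplan. Prints the fixture directory.
make_fixture() {
  fx=$(mktemp -d)
  mkdir -p "$fx/asterisk"
  printf 'root:x:0:\nasterisk:x:1001:bob\n' > "$fx/group"
  printf 'root:x:0:0:root:/root:/bin/sh\nasterisk:x:1001:1001::/var/lib/asterisk:/sbin/nologin\nbob:x:1002:1002::/home/bob:/bin/sh\n' > "$fx/passwd"
  printf '[options]\nlive_dangerously = no ; default\n' > "$fx/asterisk/asterisk.conf"
  printf '[from-internal-custom]\n; exten => s,1,System(commented out)\nexten => 999,1,System(/bin/true)\n' > "$fx/asterisk/extensions_custom.conf"
  printf '# constructed marker, not a real engine\n' > "$fx/asterisk/freepbx_engine"
  chmod 755 "$fx/asterisk/freepbx_engine"
  printf '%s\n' "$fx"
}

# Stand-alone demo against the fixture; on a live host pass /etc/asterisk,
# /etc/group, /etc/passwd and your approved member list instead.
demo=$(make_fixture)
run_audit "$demo/asterisk" "$demo/group" "$demo/passwd" "asterisk" || true
rm -rf "$demo"
```

On the fixture the audit reports three failures (the extra group member, the executable marker file, and the System() call) and passes the live_dangerously check. The primary-GID lookup matters in practice: an account created with the asterisk group as its login group has the same write access to /etc/asterisk/ but is invisible in the /etc/group line alone.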
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-10T18:46:14.763Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6940abb2d9bcdf3f3d143150
Added to database: 12/16/2025, 12:45:38 AM
Last enriched: 12/23/2025, 1:25:36 AM
Last updated: 2/7/2026, 10:07:50 AM
Views: 102