CVE-2025-67722: CWE-426: Untrusted Search Path in FreePBX framework
FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to versions 16.0.45 and 17.0.24 of the FreePBX framework, an authenticated local privilege escalation exists in the deprecated FreePBX startup script `amportal`. In the deprecated `amportal` utility, the lookup for the `freepbx_engine` file occurs in `/etc/asterisk/` directories. Typically, these are configured by FreePBX as writable by the **asterisk** user and any members of the **asterisk** group. This means that a member of the **asterisk** group can add their own `freepbx_engine` file in `/etc/asterisk/` and upon `amportal` executing, it would exec that file with root permissions (even though the file was created and placed by a non-root user). Version 16.0.45 and 17.0.24 contain a fix for the issue. Other mitigation strategies are also available. Confirm only trusted local OS system users are members of the `asterisk` group. Look for suspicious files in the `/etc/asterisk/` directory (via Admin -> Config Edit in the GUI, or via CLI). Double-check that `live_dangerously = no` is set (or unconfigured, as the default is **no**) in `/etc/asterisk/asterisk.conf` file. Eliminate any unsafe custom use of Asterisk dial plan applications and functions that potentially can manipulate the file system, e.g., System(), FILE(), etc.
AI Analysis
Technical Summary
CVE-2025-67722 is a local privilege escalation vulnerability in the FreePBX framework, specifically in its deprecated startup script 'amportal'. FreePBX is an open-source GUI managing Asterisk PBX systems. The vulnerability stems from an untrusted search path issue (CWE-426) where 'amportal' looks for the 'freepbx_engine' executable in the /etc/asterisk/ directory. This directory is typically writable by the 'asterisk' user and group, meaning any user with membership in the 'asterisk' group can place a malicious 'freepbx_engine' file there. When 'amportal' runs, it executes this file with root privileges, thereby allowing privilege escalation from a lower privileged user to root. The vulnerability affects FreePBX framework versions prior to 16.0.45 and between 17.0.0 and 17.0.24. The issue is mitigated in versions 16.0.45 and 17.0.24 and later. Exploitation requires local authenticated access and membership in the 'asterisk' group but does not require user interaction. Additional mitigations include verifying group membership, auditing the /etc/asterisk/ directory for unauthorized files, ensuring the 'live_dangerously' setting in asterisk.conf is set to 'no' (default), and avoiding unsafe dial plan functions that can manipulate the filesystem such as System() and FILE(). No public exploits have been reported to date, but the vulnerability poses a significant risk in environments where multiple users have 'asterisk' group membership.
Potential Impact
This vulnerability allows an authenticated local user with membership in the 'asterisk' group to escalate privileges to root by placing a malicious executable in a writable directory that is trusted and executed by a root-owned startup script. The impact includes full system compromise, allowing attackers to gain complete control over the affected FreePBX server. This can lead to unauthorized access to sensitive telephony data, interception or manipulation of calls, disruption of telephony services, and potential lateral movement within the network. Organizations relying on FreePBX for critical communication infrastructure, especially in enterprise, government, and telecommunication sectors, face significant operational and reputational risks. The vulnerability's exploitation could also facilitate further attacks such as data exfiltration, installation of persistent backdoors, or launching attacks against connected systems. Given the requirement for local authenticated access and group membership, the risk is higher in environments with multiple users or weak internal access controls.
Mitigation Recommendations
1. Upgrade FreePBX framework to version 16.0.45, 17.0.24, or later where the vulnerability is fixed. 2. Restrict membership of the 'asterisk' group strictly to trusted system administrators and service accounts; remove unnecessary users. 3. Regularly audit the /etc/asterisk/ directory for unauthorized or suspicious files, especially any 'freepbx_engine' files. 4. Verify that the 'live_dangerously' setting in /etc/asterisk/asterisk.conf is set to 'no' or left unconfigured (default is 'no') to prevent unsafe operations. 5. Avoid or carefully review custom dial plan applications and functions that can manipulate the filesystem, such as System(), FILE(), and similar calls, to reduce attack surface. 6. Implement strict local access controls and monitoring to detect unauthorized group membership changes or file modifications. 7. Consider disabling or removing the deprecated 'amportal' script if it is no longer required. 8. Employ host-based intrusion detection systems (HIDS) to monitor critical directories and binaries for unauthorized changes. 9. Educate administrators on the risks of untrusted search paths and the importance of secure file permissions in telephony systems.
Affected Countries
United States, Germany, United Kingdom, France, India, Brazil, Australia, Canada, Japan, Netherlands, Italy, Spain
CVE-2025-67722: CWE-426: Untrusted Search Path in FreePBX framework
Description
FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to versions 16.0.45 and 17.0.24 of the FreePBX framework, an authenticated local privilege escalation exists in the deprecated FreePBX startup script `amportal`. In the deprecated `amportal` utility, the lookup for the `freepbx_engine` file occurs in `/etc/asterisk/` directories. Typically, these are configured by FreePBX as writable by the **asterisk** user and any members of the **asterisk** group. This means that a member of the **asterisk** group can add their own `freepbx_engine` file in `/etc/asterisk/` and upon `amportal` executing, it would exec that file with root permissions (even though the file was created and placed by a non-root user). Version 16.0.45 and 17.0.24 contain a fix for the issue. Other mitigation strategies are also available. Confirm only trusted local OS system users are members of the `asterisk` group. Look for suspicious files in the `/etc/asterisk/` directory (via Admin -> Config Edit in the GUI, or via CLI). Double-check that `live_dangerously = no` is set (or unconfigured, as the default is **no**) in `/etc/asterisk/asterisk.conf` file. Eliminate any unsafe custom use of Asterisk dial plan applications and functions that potentially can manipulate the file system, e.g., System(), FILE(), etc.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-67722 is a local privilege escalation vulnerability in the FreePBX framework, specifically in its deprecated startup script 'amportal'. FreePBX is an open-source GUI managing Asterisk PBX systems. The vulnerability stems from an untrusted search path issue (CWE-426) where 'amportal' looks for the 'freepbx_engine' executable in the /etc/asterisk/ directory. This directory is typically writable by the 'asterisk' user and group, meaning any user with membership in the 'asterisk' group can place a malicious 'freepbx_engine' file there. When 'amportal' runs, it executes this file with root privileges, thereby allowing privilege escalation from a lower privileged user to root. The vulnerability affects FreePBX framework versions prior to 16.0.45 and between 17.0.0 and 17.0.24. The issue is mitigated in versions 16.0.45 and 17.0.24 and later. Exploitation requires local authenticated access and membership in the 'asterisk' group but does not require user interaction. Additional mitigations include verifying group membership, auditing the /etc/asterisk/ directory for unauthorized files, ensuring the 'live_dangerously' setting in asterisk.conf is set to 'no' (default), and avoiding unsafe dial plan functions that can manipulate the filesystem such as System() and FILE(). No public exploits have been reported to date, but the vulnerability poses a significant risk in environments where multiple users have 'asterisk' group membership.
Potential Impact
This vulnerability allows an authenticated local user with membership in the 'asterisk' group to escalate privileges to root by placing a malicious executable in a writable directory that is trusted and executed by a root-owned startup script. The impact includes full system compromise, allowing attackers to gain complete control over the affected FreePBX server. This can lead to unauthorized access to sensitive telephony data, interception or manipulation of calls, disruption of telephony services, and potential lateral movement within the network. Organizations relying on FreePBX for critical communication infrastructure, especially in enterprise, government, and telecommunication sectors, face significant operational and reputational risks. The vulnerability's exploitation could also facilitate further attacks such as data exfiltration, installation of persistent backdoors, or launching attacks against connected systems. Given the requirement for local authenticated access and group membership, the risk is higher in environments with multiple users or weak internal access controls.
Mitigation Recommendations
1. Upgrade FreePBX framework to version 16.0.45, 17.0.24, or later where the vulnerability is fixed. 2. Restrict membership of the 'asterisk' group strictly to trusted system administrators and service accounts; remove unnecessary users. 3. Regularly audit the /etc/asterisk/ directory for unauthorized or suspicious files, especially any 'freepbx_engine' files. 4. Verify that the 'live_dangerously' setting in /etc/asterisk/asterisk.conf is set to 'no' or left unconfigured (default is 'no') to prevent unsafe operations. 5. Avoid or carefully review custom dial plan applications and functions that can manipulate the filesystem, such as System(), FILE(), and similar calls, to reduce attack surface. 6. Implement strict local access controls and monitoring to detect unauthorized group membership changes or file modifications. 7. Consider disabling or removing the deprecated 'amportal' script if it is no longer required. 8. Employ host-based intrusion detection systems (HIDS) to monitor critical directories and binaries for unauthorized changes. 9. Educate administrators on the risks of untrusted search paths and the importance of secure file permissions in telephony systems.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2025-12-10T18:46:14.763Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 6940abb2d9bcdf3f3d143150
Added to database: 12/16/2025, 12:45:38 AM
Last enriched: 3/1/2026, 12:30:07 AM
Last updated: 3/25/2026, 4:50:06 AM
Views: 146
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.