CVE-2025-67722: CWE-426: Untrusted Search Path in FreePBX security-reporting
FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to versions 16.0.45 and 17.0.24 of the FreePBX framework, an authenticated local privilege escalation exists in the deprecated FreePBX startup script `amportal`. In the deprecated `amportal` utility, the lookup for the `freepbx_engine` file occurs in the `/etc/asterisk/` directory. Typically, this directory is configured by FreePBX as writable by the **asterisk** user and any members of the **asterisk** group. This means that a member of the **asterisk** group can add their own `freepbx_engine` file in `/etc/asterisk/`, and when `amportal` executes, it would exec that file with root permissions (even though the file was created and placed by a non-root user). Versions 16.0.45 and 17.0.24 contain a fix for the issue. Other mitigation strategies are also available: confirm that only trusted local OS users are members of the `asterisk` group; look for suspicious files in the `/etc/asterisk/` directory (via Admin -> Config Edit in the GUI, or via the CLI); double-check that `live_dangerously = no` is set (or unconfigured, as the default is **no**) in the `/etc/asterisk/asterisk.conf` file; and eliminate any unsafe custom use of Asterisk dial plan applications and functions that can manipulate the file system, e.g., System(), FILE(), etc.
AI Analysis
Technical Summary
CVE-2025-67722 is a vulnerability in FreePBX, an open-source GUI managing Asterisk telephony systems, affecting versions prior to 16.0.45 and 17.0.24. The flaw resides in the deprecated amportal startup script, which looks for the freepbx_engine executable in the /etc/asterisk/ directory. This directory is typically writable by the asterisk user and any members of the asterisk group. An authenticated user with membership in this group can place a malicious freepbx_engine file in /etc/asterisk/. When amportal executes, it runs this file with root privileges, enabling local privilege escalation from a member of the asterisk group to root. The vulnerability is classified under CWE-426 (Untrusted Search Path): the script does not securely specify the executable path, so a file planted in a group-writable directory is executed instead of the legitimate one. Exploitation requires local access and membership in the asterisk group but does not require additional user interaction or elevated privileges beyond group membership. The vulnerability was addressed in FreePBX versions 16.0.45 and 17.0.24 by correcting the search path and execution method. Additional mitigations include restricting asterisk group membership to trusted users only, auditing the /etc/asterisk/ directory for unauthorized files, ensuring the live_dangerously setting in asterisk.conf is set to no (the default), and avoiding unsafe dial plan applications that can manipulate the filesystem, such as System() or FILE(). No known exploits are reported in the wild as of the publication date. The CVSS v4.0 base score is 5.7, indicating medium severity because local privileges are required and the scope of affected systems is limited.
Potential Impact
For European organizations, especially those operating VoIP infrastructure or telephony systems using FreePBX, this vulnerability poses a significant risk of local privilege escalation. An attacker with local access and membership in the asterisk group could gain root privileges, potentially leading to full system compromise, unauthorized access to sensitive communications, and disruption of telephony services. This could impact confidentiality, integrity, and availability of critical communication infrastructure. Given the widespread use of FreePBX in enterprise and service provider environments, exploitation could facilitate lateral movement within networks or persistent footholds. The impact is heightened in regulated sectors such as finance, healthcare, and government, where telephony systems are integral to operations and compliance requirements are strict. Although exploitation requires local access, insider threats or attackers leveraging other vulnerabilities to gain initial access could escalate privileges via this flaw. The absence of known exploits in the wild reduces immediate risk but does not eliminate it, emphasizing the need for proactive remediation.
Mitigation Recommendations
1. Upgrade FreePBX installations to versions 16.0.45 or 17.0.24 or later, where the vulnerability is fixed.
2. Restrict membership of the asterisk group strictly to trusted system administrators and service accounts; audit group membership regularly.
3. Perform thorough inspections of the /etc/asterisk/ directory to detect and remove any unauthorized or suspicious files, especially freepbx_engine.
4. Verify that the live_dangerously parameter in /etc/asterisk/asterisk.conf is set to no or left unconfigured (default no) to prevent unsafe operations.
5. Avoid or carefully control the use of dial plan applications and functions that can execute system commands or manipulate the filesystem, such as System() and FILE().
6. Implement strict file system permissions on /etc/asterisk/ to prevent unauthorized write access.
7. Monitor system logs and FreePBX audit logs for unusual activity related to amportal execution or file modifications in /etc/asterisk/.
8. Employ host-based intrusion detection systems (HIDS) to alert on unexpected file creations or executions in critical directories.
9. Educate administrators and operators about the risks of deprecated utilities like amportal and encourage migration to supported management tools.
10. Consider network segmentation and access controls to limit local access to FreePBX servers.
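The checks that the description and recommendations above call for, as an added shell example (not FreePBX project code): it flags a `freepbx_engine` file in `/etc/asterisk/`, a `live_dangerously` value other than `no`, `asterisk` group members outside an allow-list, and `System()`/`FILE()` in the dialplan. The root-directory argument and the staged sample tree are assumptions so the script runs offline; on a live host pass `/` and your own allow-list.

```shell
#!/bin/sh
# Added example, not FreePBX project code: audits the preconditions the advisory lists for
# CVE-2025-67722. Each check takes a root dir ("/" on a real host; a staged tree here so it
# runs offline) and returns 0 when clean, 1 after printing a FINDING.

# Any freepbx_engine inside /etc/asterisk/ is a finding: amportal would exec it as root.
check_engine_file() {
    f="$1/etc/asterisk/freepbx_engine"
    [ -e "$f" ] || return 0
    echo "FINDING: $(ls -ld "$f")"; return 1
}
# live_dangerously must be 'no' or absent (the default); ';' comments and '=>' are handled.
check_live_dangerously() {
    conf="$1/etc/asterisk/asterisk.conf"
    [ -f "$conf" ] || return 0
    val=$(sed 's/;.*//' "$conf" | awk -F= '$1 ~ /^[ \t]*live_dangerously[ \t]*$/ {
        gsub(/[ \t]/, "", $2); sub(/^>/, "", $2); print tolower($2) }' | tail -n 1)
    case "$val" in ""|no) return 0 ;; esac
    echo "FINDING: live_dangerously = $val in $conf"; return 1
}
# Supplementary members of the asterisk group must all be on the allow-list in $2 (space
# separated). Users whose primary GID is asterisk's are in /etc/passwd, not covered here.
check_asterisk_group() {
    rc=0
    for m in $(awk -F: '$1 == "asterisk" { gsub(/,/, " ", $4); print $4 }' "$1/etc/group"); do
        case " $2 " in *" $m "*) ;; *) echo "FINDING: unexpected asterisk member: $m"; rc=1 ;; esac
    done
    return $rc
}
# System() and FILE() in the dialplan can touch the filesystem; list them for review.
check_dialplan() {
    hits=$(grep -inE '(^|[^A-Za-z_])(System|FILE)\(' "$1"/etc/asterisk/extensions*.conf /dev/null 2>/dev/null)
    [ -z "$hits" ] && return 0
    printf 'FINDING: filesystem-capable dialplan apps:\n%s\n' "$hits"; return 1
}
# Constructed sample tree (not real host data) that trips every check.
stage_sample() {
    d=$(mktemp -d); mkdir -p "$d/etc/asterisk"
    printf 'asterisk:x:1001:asterisk,mallory\n' > "$d/etc/group"
    printf '[options]\nlive_dangerously = Yes ; left over from testing\n' > "$d/etc/asterisk/asterisk.conf"
    printf '#!/bin/sh\n' > "$d/etc/asterisk/freepbx_engine"
    printf 'exten => 100,1,System(echo hi)\n' > "$d/etc/asterisk/extensions_custom.conf"
    echo "$d"
}

DEMO=$(stage_sample)   # stand-alone run; on a real host call the checks with / and your allow-list
check_engine_file "$DEMO"; check_live_dangerously "$DEMO"
check_asterisk_group "$DEMO" asterisk; check_dialplan "$DEMO"; rm -rf "$DEMO"
```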
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-10T18:46:14.763Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6940abb2d9bcdf3f3d143150
Added to database: 12/16/2025, 12:45:38 AM
Last enriched: 12/16/2025, 1:01:53 AM
Last updated: 12/16/2025, 8:10:32 AM