CVE-2025-67736 is a critical SQL injection vulnerability identified in the FreePBX tts (Text to Speech) module, an open-source GUI managing Asterisk telephony systems. The flaw exists in versions prior to 16.0.5 and between 17.0.0 and 17.0.5, allowing authenticated users with administrator privileges to inject malicious SQL commands. This improper neutralization of special elements in SQL commands (CWE-89) enables attackers to extract sensitive data from the backend database and execute arbitrary code on the system as the 'asterisk' user. Through chained privilege escalation, attackers can gain root-level access, compromising the entire system. The vulnerability requires no user interaction beyond admin authentication, making it highly exploitable in environments where administrative credentials are compromised or weakly protected. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) indicates network attack vector, low complexity, no attack or user interaction required, but high privileges needed. The vulnerability affects the security-reporting component of FreePBX, which is integral to telephony management and monitoring. No known exploits are currently in the wild, but the potential impact is severe, including data leakage, system compromise, and disruption of telephony services. The recommended remediation is to upgrade FreePBX to versions 16.0.5 or 17.0.5 where the vulnerability is patched.

For European organizations, this vulnerability poses a significant risk to telephony infrastructure security, particularly those using FreePBX for managing Asterisk-based systems. Exploitation can lead to unauthorized disclosure of sensitive call data, user credentials, and configuration information, undermining confidentiality. The ability to execute code as the 'asterisk' user and escalate to root compromises system integrity and availability, potentially disrupting critical communication services. This can affect enterprises, government agencies, and service providers relying on FreePBX for VoIP and unified communications. The impact extends to regulatory compliance risks under GDPR due to potential data breaches. Telephony service outages can affect business continuity and emergency response capabilities. The vulnerability's exploitation could also serve as a foothold for lateral movement within networks, increasing overall cyber risk exposure.

Organizations should immediately upgrade FreePBX installations to version 16.0.5 or 17.0.5 to apply the official patch. Restrict administrative access to the FreePBX Administrator Control Panel using network segmentation, VPNs, and strong multi-factor authentication to reduce the risk of credential compromise. Regularly audit and monitor administrative activities and database queries for anomalous behavior indicative of SQL injection attempts. Employ web application firewalls (WAFs) with rules tailored to detect and block SQL injection patterns targeting FreePBX modules. Conduct thorough security assessments of telephony infrastructure and implement least privilege principles for all user accounts. Maintain up-to-date backups of configuration and call data to enable rapid recovery in case of compromise. Educate administrators on secure credential management and the risks associated with elevated privileges. Finally, monitor threat intelligence sources for emerging exploits targeting this vulnerability.