The vulnerability identified as CVE-2025-67736 affects the FreePBX tts module, which is part of the FreePBX open-source GUI managing Asterisk telephony systems. It is classified as CWE-89, indicating improper neutralization of special elements in SQL commands, commonly known as SQL injection. The flaw exists in versions prior to 16.0.5 and between 17.0.0 and 17.0.5, allowing authenticated administrators to inject malicious SQL queries. Exploitation enables attackers to extract sensitive database information and execute arbitrary code on the server with the privileges of the 'asterisk' user. This can be escalated to root privileges through chained exploits, severely compromising system integrity and availability. The vulnerability does not require user interaction and can be exploited remotely over the network, given administrative access. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) reflects network attack vector, low complexity, no attack or user interaction needed, but requiring high privileges. No public exploits have been reported yet, but the potential impact is critical for affected deployments. The recommended remediation is upgrading to patched versions 16.0.5 or 17.0.5.

This vulnerability poses a severe risk to organizations using FreePBX for telephony management, especially those exposing the administrative interface to internal or external networks. Successful exploitation can lead to unauthorized disclosure of sensitive data, including call records, user credentials, and configuration details. The ability to execute code as the 'asterisk' user and escalate to root privileges can result in full system compromise, allowing attackers to disrupt telephony services, intercept or manipulate calls, and pivot to other internal systems. This can cause significant operational downtime, data breaches, and reputational damage. Given FreePBX's widespread use in enterprises, call centers, and government agencies, the impact can be extensive, affecting confidentiality, integrity, and availability of critical communication infrastructure.

Organizations should immediately verify their FreePBX tts module version and upgrade to version 16.0.5 or 17.0.5 as applicable. Restrict administrative access to the FreePBX GUI using network segmentation, VPNs, or IP whitelisting to minimize exposure. Implement strong authentication mechanisms and monitor administrative activities for suspicious behavior. Regularly audit and harden the underlying operating system and Asterisk configurations to limit privilege escalation opportunities. Employ web application firewalls (WAFs) with rules to detect and block SQL injection attempts targeting FreePBX interfaces. Conduct thorough post-patch testing to ensure no residual vulnerabilities remain. Maintain up-to-date backups of configuration and call data to enable recovery in case of compromise. Finally, monitor threat intelligence sources for any emerging exploit code or attack campaigns related to this CVE.