CVE-2025-67736 is an SQL injection vulnerability classified under CWE-89 found in the tts (Text to Speech) module of FreePBX, an open-source GUI managing Asterisk telephony systems. This vulnerability affects FreePBX versions prior to 16.0.5 and versions from 17.0.0 up to but not including 17.0.5. The flaw allows authenticated users with administrator access to the Administrator Control Panel (ACP) to inject malicious SQL commands due to improper neutralization of special elements in SQL queries. Exploiting this vulnerability enables attackers to extract sensitive information from the underlying database, such as credentials or configuration data, and execute arbitrary code on the system as the 'asterisk' user. Through chained privilege escalation, attackers can gain root-level access, fully compromising the affected system. The vulnerability does not require user interaction beyond administrator authentication and has a CVSS 4.0 score of 8.6, reflecting high impact on confidentiality, integrity, and availability. Although no active exploits have been reported, the vulnerability poses a significant risk to telephony infrastructure relying on FreePBX. The recommended remediation is to upgrade affected FreePBX installations to versions 16.0.5 or 17.0.5, which include patches addressing this issue.

The exploitation of CVE-2025-67736 can have severe consequences for European organizations using FreePBX in their telephony infrastructure. Attackers with administrator credentials can extract sensitive data, including user credentials, call logs, and configuration details, leading to confidentiality breaches. The ability to execute arbitrary code as the 'asterisk' user and escalate privileges to root allows full system compromise, enabling attackers to disrupt telephony services, intercept or manipulate calls, and potentially pivot to other network segments. Such disruptions can affect business continuity, regulatory compliance (e.g., GDPR), and customer trust. Given the critical role of VoIP systems in communications, the impact extends to operational availability and integrity of communications. Organizations in sectors like finance, healthcare, government, and critical infrastructure are particularly vulnerable due to their reliance on secure and reliable telephony services.

To mitigate this vulnerability, European organizations should immediately upgrade FreePBX installations to version 16.0.5 or 17.0.5 or later, where the SQL injection flaw is patched. Restrict administrator access to the ACP using strong authentication mechanisms, such as multi-factor authentication (MFA), and limit access to trusted networks via VPN or IP whitelisting. Conduct regular audits of administrator accounts and monitor logs for suspicious activities indicative of exploitation attempts. Employ network segmentation to isolate telephony systems from general IT infrastructure, reducing lateral movement risk. Additionally, implement web application firewalls (WAFs) with rules tailored to detect and block SQL injection attempts targeting FreePBX modules. Maintain up-to-date backups of telephony configurations and data to enable rapid recovery in case of compromise. Finally, ensure that all software dependencies and underlying operating systems are regularly patched to minimize attack surface.