CVE-2025-64328 HIGH

CVE-2025-64328: FreePBX Administration GUI is Vulnerable to Authenticated Command Injection

Vendor Freepbx

Product filestore

Weakness CWE-78

KEV Status Known Exploited

Published November 7, 2025

Last update February 13, 2026

View on NVD All CVEs

CVSS base score

8.6/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore module within the Administrative interface is vulnerable to a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to obtain remote access to the system as an asterisk user. This issue is fixed in version 17.0.3.

CISA mandated remediation

02CISA Required Action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Key dates

03Disclosure timeline

November 7, 2025 CVE published

February 13, 2026 Record updated

External resources

04References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-64328 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html CISA KEV Reference https://github.com/FreePBX/security-reporting/security/advisor… CISA KEV Reference https://nvd.nist.gov/vuln/detail/CVE-2025-64328

Related vulnerabilities

CVE-2025-64328: FreePBX Administration GUI is Vulnerable to Authenticated Command Injection

01Description

02CISA Required Action

03Disclosure timeline

04References

05Related CVE