🔴 CVE-2025-64328

FreePBX Administration GUI contains an authenticated OS command injection vulnerability that allows attackers to execute arbitrary commands on the system. This vulnerability is actively exploited in the wild and listed in CISA KEV catalog.

Risk Level: HIGH_RISK
CVSS Score: 8.6
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 — Exploit Public-Facing Application
Deployment Risk: HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-11-07

Added to CISA KEV: 2026-02-03 (88 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-02-05)

CVE-2025-64328 is an OS command injection vulnerability affecting Sangoma FreePBX Endpoint Manager [2][5].

Here's what is known about its exploitation:

  • Internet-Facing Applications/Services: The vulnerability exists within the FreePBX Endpoint Manager's administrative interface, specifically in the `testconnection -> check_ssh_connect()` function of the Filestore module [1][2]. While the sources do not explicitly describe it as internet-facing, FreePBX systems provide communication services and are often exposed to the internet.
  • Evidence of Active Exploitation: There is clear evidence of active exploitation. CISA added CVE-2025-64328 to its Known Exploited Vulnerabilities (KEV) Catalog on February 3, 2026, based on evidence of active exploitation [2][5]. Reports indicate that threat actors have been exploiting this vulnerability since early December 2025 [6].
  • Attack Vectors and Exploitation Methods: The vulnerability allows post-authentication command injection by an authenticated user [1][2]. Attackers can leverage this to gain remote access to the system as the asterisk user [1]. It has been used to deploy a weaponized web shell called EncystPHP, enabling remote code execution (RCE), privileged user access, SSH key injection, and cron persistence [3][7].
  • Targeted Attacks: Evidence suggests targeted attacks. One incident involved a web shell delivered via CVE-2025-64328, originating from Brazil and targeting a victim in India managed by a cloud solutions and IT infrastructure company [3].
  • CISA Known Exploited Vulnerabilities Status: CVE-2025-64328 is listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog [2][5]. This means CISA has confirmed evidence of its exploitation in the wild and requires U.S. federal agencies to apply available vendor patches or mitigations by a specific deadline.
  • Technical Details about Internet Exploitability: The vulnerability requires authentication to be exploited, meaning an attacker must first gain access to a legitimate user account on the FreePBX system [1][2]. Once authenticated, the attacker can inject OS commands through the vulnerable function. The Exploit Prediction Scoring System (EPSS) indicated an 11.03% probability of exploitation activity in the 30 days prior to November 7, 2025 [4]. The vulnerability is fixed in version 17.0.3 of FreePBX Endpoint Manager [1].

Sources

  1. CVE-2025-64328 Security Vulnerability & Exploit Details

    CVE-2025-64328 Vulnerability Analysis & Exploit Details. CVE-2025-64328: FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore module within the Administrative interface is vulnerable to a post-authentica…

  2. Known Exploited Vulnerabilities Catalog - CISA

    For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. ... https://www.solarwinds.com/trust-c…

  3. Unveiling the Weaponized Web Shell EncystPHP

    Incidents: The web shell was delivered via CVE-2025-64328, a post-authentication command-injection vulnerability in the administrative interface of the FreePBX Endpoint Manager. The exploit originated from Brazil and targeted a victim environment managed by an Indian technology company specializing i…

  4. CVE-2025-64328 : FreePBX Endpoint Manager is a module for managing ...

    Exploit Prediction Scoring System (EPSS) score for CVE-2025-64328: 11.03% probability of exploitation activity in the next 30 days…

  5. CISA Adds Four Known Exploited Vulnerabilities to Catalog

    CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2019-19006…