CVE-2025-64328 - PatchNow

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-11-07

Added to CISA KEV: 2026-02-03 88 DAYS BETWEEN CVE AND KEV

🎯 Recommendations:

CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Review logs, check for unauthorized access, verify system integrity, scan for EncystPHP web shells
IMMEDIATE: Update FreePBX security-reporting module to version 17.0.3 or later
URGENT: Review all user accounts and authentication logs for unauthorized access
Monitor for suspicious SSH connections, cron jobs, and web shell activities
Consider restricting administrative interface access to trusted networks only
Priority: CRITICAL - Patch immediately due to confirmed active exploitation

🔍 Web Intelligence

Key Sources:

CVE-2025-64328 Security Vulnerability & Exploit Details
CVE-2025-64328 Vulnerability Analysis & Exploit Details.CVE-2025-64328: FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore module within the Administrative interface is vulnerable to a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to obtain remote access to the system as an asterisk user. This issue is fixed in version 17.0.3.
Known Exploited Vulnerabilities Catalog - CISA
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. ... https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40551 ; https://nvd ... https://github.com/FreePBX/security-reporting/security/advisories/GHSA-vm9p-46mv-5xvw ; https://nvd.nist.gov/vuln/detail/CVE-2025-64328
Unveiling the Weaponized Web Shell EncystPHP
Incidents The web shell was delivered via CVE-2025-64328, a post-authentication command-injection vulnerability in the administrative interface of the FreePBX Endpoint Manager. The exploit originated from Brazil and targeted a victim environment managed by an Indian technology company specializing in cloud solutions, communication services, and IT infrastructure.
CVE-2025-64328 : FreePBX Endpoint Manager is a module for managing ...
Exploit prediction scoring system (EPSS) score for CVE-2025-64328 EPSS FAQ 11.03% Probability of exploitation activity in the next 30 days EPSS Score History
CISA Adds Four Known Exploited Vulnerabilities to Catalog
CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2019-19006

🔴 CVE-2025-64328

📋 Vulnerability Details

🎯 Recommendations:

🔍 Web Intelligence

Key Sources: