CVE-2025-64328
published 2025-11-07


Priority: P1 (88, high) · CVSS 3.1 base score: 7.2
Vector: AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (due 2026-02-24)
Exploited in the wild
EPSS: 84.42% (99.7th percentile)
FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore module within the Administrative interface is vulnerable to a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to obtain remote access to the system as an asterisk user. This issue is fixed in version 17.0.3.

Affected

2 ranges

Vendor  | Product   | Version range          | Fixed in
freepbx | filestore |                        |
sangoma | firestore | >= 17.0.2.36, < 17.0.3 | 17.0.3

Detection & IOCs (extracted from sources)

ip: 45.234.176.202
domain: crm.razatelefonia.pro
url: http://45.234.176.202/new/k.php
path: /var/www/html/rest_phones/ajax.php
path: /var/www/html/admin/modules/core/ajax.php
path: /var/www/html/admin/assets/js/config.php
path: /var/www/html/admin/views/.htaccess
path: /var/www/html/admin/modules/freepbx_ha/license.php
path: /var/lib/asterisk/bin/zen2
path: /var/lib/asterisk/bin/devnull2
path: /var/lib/asterisk/bin/devnull
path: /var/spool/asterisk/tmp/serv
path: /var/spool/asterisk/tmp/test.sh
path: /etc/freepbx.conf
command: useradd -s /bin/bash -ou 0 -g 0 -p '$1$faV63BKr$4jH3MqYYmrpM55P.AWD2U1' newfpbx &>/dev/null
command: touch /var/www/html/admin/views/ajax.php -r /var/www/html/admin/views/footer.php
url: {{BaseURL}}/admin/ajax.php?module=filestore&command=testconnection&driver=SSH&host=127.0.0.1&user={{prefix}}&port=22&key={{prefix}}`{{cmd}}`&path={{prefix}}
path: /admin/modules/filestore/drivers/SSH/testconnection.php
command: exec("ssh-keygen -t ecdsa -b 521 -f $key -N \"\" && chown asterisk:asterisk $key && chmod 600 $key");
other: http.favicon.hash:-1908328911
other: http.favicon.hash:1574423538
filename: ajax.php
filename: k.php
  • Exploit request targets /admin/ajax.php with module=filestore&command=testconnection&driver=SSH and injects shell command substitution (backtick or $()) into the 'key' parameter
  • Look for unexpected ajax.php files in non-standard FreePBX paths such as /var/www/html/digium_phones/, /var/www/html/phones/, /var/www/html/fpbxphones/, /var/www/html/freepbxphones/, /var/www/html/freepbx/, and /var/www/html/admin/assets/ — these are web shell deployment locations used by EncystPHP
  • Detect creation of a root-level user named 'newfpbx' with UID 0 via useradd — a strong indicator of EncystPHP post-exploitation persistence
  • Monitor for crontab entries downloading content from 45.234.176.202 and saving to /var/lib/asterisk/bin/ (filenames: zen2, devnull2, devnull) — indicative of EncystPHP persistence stages
  • Detect presence of license.php under /var/www/html/admin/modules/freepbx_ha/ — this is a malicious persistence file deployed by EncystPHP's test.sh stage
  • Detect PHP files containing the string 'Ask Master' in the web root — this is the title of the EncystPHP interactive web shell interface
  • Monitor for timestamp-forging activity on FreePBX web files: 'touch <webshell_path> -r <legitimate_file>' pattern used by EncystPHP to evade detection
  • The Metasploit module path for this exploit is unix/http/freepbx_filestore_cmd_injection — use this to identify exploitation attempts in proxy/WAF logs
  • FreePBX instances can be fingerprinted via Shodan/FOFA using favicon hashes -1908328911 and 1574423538, or page titles 'FreePBX Administration' — use these to identify exposed attack surface
  • CVE-2025-64328 is post-authentication — exploitation requires valid FreePBX credentials for a user with access to the filestore module (administrator or low-privilege user in the 'Filestore' group)
  • The injected command may execute multiple times due to the vulnerable code structure, potentially resulting in multiple reverse shell sessions
  • Affected versions are 17.0.2.36 through 17.0.2.44 (inclusive); the vulnerability was introduced in 17.0.2.36 and patched in 17.0.3
  • Commands execute as the 'asterisk' user (web server process privileges), not root — however, EncystPHP subsequently escalates to root via useradd with UID 0
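As an added example (not code from FreePBX, the advisory, or any of the sources quoted above), the following Python implements the first detection bullet over Apache combined-format access logs. It assumes that log format and uses constructed sample lines. Two points a practitioner would want: parameters are URL-decoded before matching, because an encoded backtick (%60) or "$(" (%24%28) in the raw request line slips past a literal string match, and every parameter of a filestore testconnection/SSH request is checked, not only 'key', which generalizes slightly beyond the bullet.

```python
"""Flag CVE-2025-64328 exploitation attempts in FreePBX web access logs.

Added example, not FreePBX or advisory code. Parses Apache combined-format
lines (constructed sample below), URL-decodes the query string, and flags
filestore testconnection/SSH requests whose parameters carry shell command
substitution (backtick or "$(").
"""
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines, not real traffic. Lines 2 and 3 carry a
# substitution in the 'key' parameter, percent-encoded as a client would send
# it; line 4 is a legitimate-looking SSH test connection; line 1 is unrelated.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Nov/2025:10:01:02 +0000] "GET /admin/config.php?display=filestore HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [07/Nov/2025:10:02:15 +0000] "GET /admin/ajax.php?module=filestore&command=testconnection&driver=SSH&host=127.0.0.1&user=x&port=22&key=%2Ftmp%2Fx%60id%60&path=x HTTP/1.1" 200 38 "-" "Mozilla/5.0"
10.0.0.9 - - [07/Nov/2025:10:02:16 +0000] "GET /admin/ajax.php?module=filestore&command=testconnection&driver=SSH&host=127.0.0.1&user=x&port=22&key=%2Ftmp%2Fx%24(id)&path=x HTTP/1.1" 200 38 "-" "Mozilla/5.0"
10.0.0.7 - - [07/Nov/2025:10:03:00 +0000] "GET /admin/ajax.php?module=filestore&command=testconnection&driver=SSH&host=backup.example.test&user=backup&port=22&key=%2Fhome%2Fasterisk%2F.ssh%2Fid_ecdsa&path=%2Fbackups HTTP/1.1" 200 38 "-" "Mozilla/5.0"
"""

# Apache combined format: client ident user [timestamp] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The two command-substitution forms named in the detection bullet.
SUBSTITUTION_RE = re.compile(r"`|\$\(")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_filestore_testconnection(path: str, params: Dict[str, List[str]]) -> bool:
    """True for the vulnerable endpoint: /admin/ajax.php with the filestore SSH test command."""
    if not path.endswith("/admin/ajax.php"):
        return False

    def first(name: str) -> str:
        return params.get(name, [""])[0].lower()

    return (
        first("module") == "filestore"
        and first("command") == "testconnection"
        and first("driver") == "ssh"
    )


def detect_exploit_attempts(lines: Iterable[str]) -> List[Dict[str, object]]:
    """One hit per request to the vulnerable endpoint carrying command substitution.

    parse_qs percent-decodes values, so %60 and %24%28 are seen as ` and $(.
    """
    hits: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        params = parse_qs(parts.query, keep_blank_values=True)
        if not is_filestore_testconnection(parts.path, params):
            continue
        suspicious = [
            name for name, values in params.items()
            if any(SUBSTITUTION_RE.search(v) for v in values)
        ]
        if suspicious:
            hits.append({
                "client": rec["client"],
                "timestamp": rec["ts"],
                "status": rec["status"],
                "params": suspicious,
                "values": {name: params[name][0] for name in suspicious},
            })
    return hits


if __name__ == "__main__":
    for hit in detect_exploit_attempts(SAMPLE_LOG.splitlines()):
        print(f"{hit['timestamp']} {hit['client']} status={hit['status']} "
              f"params={hit['params']} values={hit['values']}")
```

Run against a real log this reports the client address and timestamp of each request, which ties directly to the post-authentication note above: every hit came from a session that held valid FreePBX credentials, so the account behind it is part of the incident, not just the request.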

CVSS provenance

nvd       | v3.1 | 7.2 HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd       | v4.0 | 8.6 HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck |      | 8.6 HIGH |
cisa      |      | 8.6 HIGH |