Cyber Resilience

CVE-2025-64328

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoCRCE

Published: 07 November 2025

Published
07 November 2025
Modified
24 February 2026
KEV Added
03 February 2026
Patch
CVSS Score v4 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.7596 98.9th percentile
Risk Priority 83 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-64328 is a high-severity OS Command Injection (CWE-78) vulnerability in Sangoma Firestore. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked in the top 1.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-64328 is a post-authentication command injection vulnerability (CWE-78) affecting the filestore module within the Administrative interface of FreePBX Endpoint Manager, a module for managing telephony endpoints in FreePBX systems. The flaw exists in versions 17.0.2.36 and above prior to 17.0.3, specifically in the testconnection -> check_ssh_connect() function.

An authenticated user with high privileges (PR:H) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows the attacker to execute arbitrary commands, obtaining remote access to the system as the asterisk user and resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), with a CVSS v3.1 base score of 7.2.

The vulnerability is addressed in FreePBX Endpoint Manager version 17.0.3. Security advisories from FreePBX and GitHub's security-reporting repository provide details on the issue, including code references, and recommend upgrading to the fixed version for mitigation.

This CVE appears in the CISA Known Exploited Vulnerabilities Catalog, suggesting active real-world exploitation. Additional references include FreePBX documentation on security fixes and Fortinet threat research on a weaponized web shell.

EU & UK References

Vulnerability details

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore module within the Administrative interface is vulnerable to a post-authentication command injection by an authenticated known user via…

more

the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to obtain remote access to the system as an asterisk user. This issue is fixed in version 17.0.3.

CWE(s)
KEV Date Added
03 February 2026

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Post-authentication command injection enables exploitation of remote services (T1210) for arbitrary Unix shell command execution (T1059.004) as the asterisk user.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28287Same vendor: Sangoma
CVE-2026-28209Same vendor: Sangoma
CVE-2024-58294Same vendor: Sangoma
CVE-2024-40891Shared CWE-78both on KEV
CVE-2025-57819Same vendor: Sangomaboth on KEV
CVE-2024-40890Shared CWE-78both on KEV
CVE-2025-58034Shared CWE-78both on KEV
CVE-2025-9377Shared CWE-78both on KEV
CVE-2025-1316Shared CWE-78both on KEV
CVE-2025-56084Shared CWE-78

Affected Assets

sangoma
firestore
17.0.2.36 — 17.0.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the command injection vulnerability by identifying, prioritizing, and applying the vendor-released patch to FreePBX Endpoint Manager version 17.0.3.

prevent

Prevents exploitation of the command injection in check_ssh_connect() by validating and sanitizing untrusted inputs passed to system commands.

prevent

Reduces impact of successful command injection by enforcing least privilege on the asterisk user, limiting privileges available for arbitrary command execution.

References