CVE-2025-64328

HighCISA KEVActive ExploitationPublic PoCRCE

Published: 07 November 2025

Published

07 November 2025

Modified

24 February 2026

KEV Added

03 February 2026

Patch

—

CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.8293 99.3th percentile

Risk Priority 84 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-64328 is a high-severity OS Command Injection (CWE-78) vulnerability in Sangoma Firestore. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked in the top 0.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the command injection vulnerability by identifying, prioritizing, and applying the vendor-released patch to FreePBX Endpoint Manager version 17.0.3.

SI-10 Information Input Validation good match

prevent

Prevents exploitation of the command injection in check_ssh_connect() by validating and sanitizing untrusted inputs passed to system commands.

AC-6 Least Privilege partial match

prevent

Reduces impact of successful command injection by enforcing least privilege on the asterisk user, limiting privileges available for arbitrary command execution.

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

Post-authentication command injection enables exploitation of remote services (T1210) for arbitrary Unix shell command execution (T1059.004) as the asterisk user.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore module within the Administrative interface is vulnerable to a post-authentication command injection by an authenticated known user via…

the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to obtain remote access to the system as an asterisk user. This issue is fixed in version 17.0.3.

Deeper analysisAI

CVE-2025-64328 is a post-authentication command injection vulnerability (CWE-78) affecting the filestore module within the Administrative interface of FreePBX Endpoint Manager, a module for managing telephony endpoints in FreePBX systems. The flaw exists in versions 17.0.2.36 and above prior to 17.0.3, specifically in the testconnection -> check_ssh_connect() function.

An authenticated user with high privileges (PR:H) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows the attacker to execute arbitrary commands, obtaining remote access to the system as the asterisk user and resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), with a CVSS v3.1 base score of 7.2.

The vulnerability is addressed in FreePBX Endpoint Manager version 17.0.3. Security advisories from FreePBX and GitHub's security-reporting repository provide details on the issue, including code references, and recommend upgrading to the fixed version for mitigation.

This CVE appears in the CISA Known Exploited Vulnerabilities Catalog, suggesting active real-world exploitation. Additional references include FreePBX documentation on security fixes and Fortinet threat research on a weaponized web shell.

Details

CWE(s): CWE-78
KEV Date Added: 03 February 2026

Affected Products

sangoma

firestore

17.0.2.36 — 17.0.3

CVEs Like This One

CVE-2026-28287Same vendor: Sangoma

CVE-2026-28209Same vendor: Sangoma

CVE-2024-58294Same vendor: Sangoma

CVE-2025-57819Same vendor: Sangomaboth on KEV

CVE-2025-1316Shared CWE-78both on KEV

CVE-2025-9377Shared CWE-78both on KEV

CVE-2025-58034Shared CWE-78both on KEV

CVE-2025-56089Shared CWE-78

CVE-2025-11953Shared CWE-78both on KEV

CVE-2026-25108Shared CWE-78both on KEV

References

https://github.com/FreePBX/filestore/blob/f0e3983059271efd80b483ec823310ef19a59013/drivers/SSH/testconnection.php#L2
Product · security-advisories@github.com
https://github.com/FreePBX/security-reporting/security/advisories/GHSA-vm9p-46mv-5xvw
Exploit, Vendor Advisory · security-advisories@github.com
https://www.freepbx.org/watch-what-we-do-with-security-fixes-%f0%9f%91%80
Vendor Advisory · security-advisories@github.com
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-64328
Third Party Advisory, US Government Resource · 134c704f-9b21-4f2e-91b3-4a467353bcc0
https://www.fortinet.com/blog/threat-research/unveiling-the-weaponized-web-shell-encystphp
Exploit, Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0