CVE-2025-64328

HIGH KEV NUCLEI

FreePBX 17.0.2.36-17.0.3 - Authenticated OS Command Injection via SSH Connection Test


Exploitation Summary

CVE-2025-64328 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added February 3, 2026. EIP tracks 2 public exploits from the researchers mcorybillington and Cory Billington, including the Metasploit module exploits/unix/http/freepbx_filestore_cmd_injection. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a proof-of-concept for CVE-2025-64328, demonstrating an authenticated command injection vulnerability in the FreePBX framework module. The exploit uses a crafted curl request to inject commands via the 'key' parameter, resulting in arbitrary file creation on the target system.

Description

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore module within the Administrative interface is vulnerable to post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to obtain remote access to the system as the asterisk user. This issue is fixed in version 17.0.3.

Exploits (2)

nomisec WORKING POC
by mcorybillington · poc
https://github.com/mcorybillington/CVE-2025-64328_FreePBX-framework-Command-Injection


Classification: Working PoC (95%)
Attack type: RCE
Complexity: Trivial
Reliability: Reliable
Target: FreePBX framework module
Auth required: yes
Prerequisites: Valid low-privilege user credentials · Access to the FreePBX admin interface
Analyzed by devstral-2, Feb 16, 2026
metasploit WORKING POC EXCELLENT
by Cory Billington · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/http/freepbx_filestore_cmd_injection.rb

This Metasploit module exploits an authenticated command injection vulnerability (CVE-2025-64328) in FreePBX's filestore module. It leverages unsanitized input in the SSH key path parameter to execute arbitrary commands via shell substitution syntax.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: FreePBX filestore module versions 17.0.2.36 through 17.0.2.44
Auth required: yes
Prerequisites: Valid FreePBX credentials · User must be in the 'Filestore' group
Analyzed by devstral-2, Mar 13, 2026

Nuclei Templates (1)

FreePBX >= 17.0.2.36 && < 17.0.3 - Authenticated Command Injection
CRITICAL · by _th3y
Shodan: http.title:"freepbx" || http.favicon.hash:"-1908328911" || http.favicon.hash:"1574423538" || http.title:"freepbx administration"
FOFA: icon_hash="-1908328911" || icon_hash="1574423538" || title="freepbx administration" || title="freepbx"

Scores

CVSS v3 7.2
EPSS 0.7776
EPSS Percentile 99.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2026-02-03
VulnCheck KEV 2026-01-28
ENISA EUVD EUVD-2025-38232
CWE
CWE-78
Status published
Products (2)
sangoma/firestore 17.0.2.36 - 17.0.3
sangoma/freepbx 17.0.2.36 - 17.0.3
Published Nov 07, 2025
KEV Added Feb 03, 2026
Tracked Since Feb 18, 2026