FreePBX EPManager 17.0.2.3617.0.3 Filestore Cmd-Inject in check_ssh_connect
CVE-2025-64328 Published on November 7, 2025
FreePBX Administration GUI is Vulnerable to Authenticated Command Injection
FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore module within the Administrative interface is vulnerable to a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to obtain remote access to the system as an asterisk user. This issue is fixed in version 17.0.3.
Known Exploited Vulnerability
This Sangoma FreePBX OS Command Injection Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Sangoma FreePBX Endpoint Manager contains an OS command injection vulnerability that could allow for a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to potentially obtain remote access to the system as an asterisk user. .
The following remediation steps are recommended / required by February 24, 2026: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Weakness Type
What is a Shell injection Vulnerability?
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CVE-2025-64328 has been classified to as a Shell injection vulnerability or weakness.
Affected Versions
FreePBX filestore Version >= 17.0.2.36, < 17.0.3 is affected by CVE-2025-64328Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.