theinfosecnews

CVE-2025-64328

CISA KEV · Severity: high

Published February 3, 2026 · Updated April 3, 2026

What This Means

# CVE-2025-64328: FreePBX Endpoint Manager OS Command Injection

**What it is:** Sangoma FreePBX Endpoint Manager contains an OS command injection flaw in the testconnection → check_ssh_connect() function that allows authenticated users to inject arbitrary system commands.

**Impact:** An attacker with valid FreePBX credentials can execute commands as the asterisk user, gaining remote code execution on the PBX system.

**What to do:** Immediately inventory FreePBX Endpoint Manager deployments. Apply the latest Sangoma security patch when available. Restrict FreePBX administrative access to trusted personnel only and enforce strong authentication (MFA if supported). Monitor asterisk process execution for suspicious command patterns using your SIEM.
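To make the bug class concrete, here is an added illustration (not FreePBX's own code, and not the actual check_ssh_connect() implementation): a hypothetical "test SSH connection" handler in the injectable shape the advisory describes, followed by a hardened version that validates the host and hands ssh an argument vector instead of a shell command line. Function names, parameters and the ssh flags used are assumptions.

```php
<?php
// Added illustration, not FreePBX code: a hypothetical "test SSH connection"
// handler of the kind CVE-2025-64328 describes, injectable form first,
// then hardened. Function and parameter names are assumptions.

// INJECTABLE (do not use): the host is spliced into a shell command line,
// so shell metacharacters in $host become extra commands run as the
// web-process user (asterisk, in the FreePBX case).
function check_ssh_connect_vulnerable(string $host, int $port = 22): bool
{
    $cmd = "ssh -p $port -o BatchMode=yes $host true 2>&1";
    exec($cmd, $out, $rc);
    return $rc === 0;
}

// HARDENED: accept only an IP literal or an RFC 1123 hostname, reject a
// leading '-' (it would be parsed as an ssh option), pin the port to a sane
// range, and use proc_open() with an argv array (PHP >= 7.4) so no shell
// ever parses the input.
function validate_ssh_host(string $host): bool
{
    if ($host === '' || $host[0] === '-' || strlen($host) > 253) {
        return false;
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    // Labels of [A-Za-z0-9-], 1-63 chars, not starting or ending with '-'
    return (bool) preg_match(
        '/^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$/', $host
    );
}

function check_ssh_connect_hardened(string $host, int $port = 22): bool
{
    if (!validate_ssh_host($host) || $port < 1 || $port > 65535) {
        throw new InvalidArgumentException('rejected host/port');
    }
    $argv = ['ssh', '-p', (string) $port, '-o', 'BatchMode=yes',
             '-o', 'ConnectTimeout=5', '--', $host, 'true'];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes); // array form: no shell involved
    if (!is_resource($proc)) {
        return false;
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc) === 0;
}
```

The allowlist validation matters even with the argv form: without it, a value beginning with "-" would still reach ssh as an option, which is why the check rejects it and the call passes "--" before the host.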

Official Description

Sangoma FreePBX Endpoint Manager contains an OS command injection vulnerability that could allow for a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to potentially obtain remote access to the system as an asterisk user.

Affected Products

| Vendor | Product |
|---|---|
| Sangoma | FreePBX |

Patch Status

Patch by 2026-02-24

Recommended Actions

  1. Check if your systems use any of the affected products listed above.
  2. Apply vendor patches immediately if available.
  3. This vulnerability is in CISA's Known Exploited Vulnerabilities catalog — prioritize remediation.
  4. Monitor vendor advisories for updates and additional mitigations.
  5. Review logs for indicators of compromise related to CVE-2025-64328.

Related Coverage

Vulnerability

CVE-2025-64328: Sangoma FreePBX Endpoint Manager OS Command Injection Enables Remote Code Execution

CVE-2025-64328 is a post-authentication OS command injection vulnerability in Sangoma FreePBX Endpoint Manager, specifically within the testconnection check_ssh_connect() function. Authenticated attackers can execute arbitrary system commands as the asterisk user, gaining remote code execution on the PBX host. CISA has added this flaw to the KEV catalog with a federal patch deadline of February 24, 2026.
