CVE-2025-64328 - Sangoma FreePBX OS Command Injection Vulnerability
Project: Sangoma
Product: FreePBX
Date Added: 2026-02-03
Due Date: 2026-02-24
Vulnerability Name
Sangoma FreePBX OS Command Injection Vulnerability
Description
Sangoma FreePBX Endpoint Manager contains an OS command injection vulnerability that allows post-authentication command injection by an authenticated user via the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to potentially obtain remote access to the system as the asterisk user.
Known To Be Used in Ransomware Campaigns?
Unknown
Action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Additional Notes
https://github.com/FreePBX/security-reporting/security/advisories/GHSA-vm9p-46mv-5xvw
https://nvd.nist.gov/vuln/detail/CVE-2025-64328
Related News Articles
900+ Sangoma FreePBX Instances Compromised in Ongoing Web Shell Attacks (February 28, 2026)
CISA Adds Actively Exploited SolarWinds Web Help Desk RCE to KEV Catalog (February 4, 2026)