CVE-2025-67722

FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to versions 16.0.45 and 17.0.24 of the FreePBX framework, an authenticated local privilege escalation exists in the deprecated FreePBX startup script `amportal`. The deprecated `amportal` utility looks for the `freepbx_engine` file in `/etc/asterisk/` directories. FreePBX typically configures these directories as writable by the **asterisk** user and any member of the **asterisk** group. A member of the **asterisk** group can therefore place their own `freepbx_engine` file in `/etc/asterisk/`, and when `amportal` runs it execs that file with root permissions, even though the file was created and placed by a non-root user.

Versions 16.0.45 and 17.0.24 contain a fix for the issue. Other mitigation strategies are also available:

  • Confirm that only trusted local OS system users are members of the `asterisk` group.
  • Look for suspicious files in the `/etc/asterisk/` directory (via Admin -> Config Edit in the GUI, or via the CLI).
  • Double-check that `live_dangerously = no` is set (or left unconfigured, as the default is **no**) in the `/etc/asterisk/asterisk.conf` file.
  • Eliminate any unsafe custom use of Asterisk dial plan applications and functions that can potentially manipulate the file system, e.g., System(), FILE(), etc.
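The group-membership, stray-file and `live_dangerously` checks from the mitigation list, scripted as an added example that is not part of this record or of FreePBX's own tooling. Every check takes an optional path so it can be run against a copied configuration; the defaults assume the standard `/etc/group` and `/etc/asterisk` locations.

```shell
#!/bin/sh
# Added defensive checks for CVE-2025-67722 (not FreePBX's own code).
# Each check takes an optional path argument so it can be run against a
# copied or constructed config; the defaults are the advisory's real paths.

# Print the supplementary members of the "asterisk" group, one per line.
# Every name printed is a local user able to write into /etc/asterisk/.
asterisk_group_members() {
    group_file="${1:-/etc/group}"
    awk -F: '$1 == "asterisk" { print $4 }' "$group_file" 2>/dev/null |
        tr ',' '\n' | sed '/^$/d'
}

# Print any freepbx_engine file below the Asterisk config directory; on an
# unpatched host this is the file the deprecated amportal would exec as root.
find_freepbx_engine() {
    conf_dir="${1:-/etc/asterisk}"
    find "$conf_dir" -name freepbx_engine 2>/dev/null
}

# Print entries directly under the config directory that are group-writable
# (mode bit 020), i.e. what any asterisk-group member could replace.
group_writable_entries() {
    conf_dir="${1:-/etc/asterisk}"
    find "$conf_dir" -maxdepth 1 -perm -020 2>/dev/null
}

# Exit 0 when live_dangerously is "no" or not set at all (the default),
# exit 1 otherwise. The last matching line in the file is the one checked.
live_dangerously_is_safe() {
    conf="${1:-/etc/asterisk/asterisk.conf}"
    val=$(sed -n 's/^[[:space:]]*live_dangerously[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' \
            "$conf" 2>/dev/null | tail -n 1 | tr 'A-Z' 'a-z')
    [ -z "$val" ] || [ "$val" = "no" ]
}

# Report against the live system when the script is run directly.
echo "asterisk group members:";                 asterisk_group_members || true
echo "freepbx_engine files in /etc/asterisk:";  find_freepbx_engine || true
echo "group-writable entries in /etc/asterisk:"; group_writable_entries || true
if live_dangerously_is_safe; then
    echo "live_dangerously: no (ok)"
else
    echo "live_dangerously: ENABLED in /etc/asterisk/asterisk.conf"
fi
```

Any name printed under "asterisk group members" that is not a trusted administrator, and any `freepbx_engine` found in the config directory, is worth investigating on a host still running the deprecated `amportal`.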
Configurations

Configuration 1

OR
  cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:*

History

18 Dec 2025, 17:45

Type         Values Removed                  Values Added
First Time   (none)                          Sangoma freepbx
                                             Sangoma
CVSS         v2 : unknown                    v2 : unknown
             v3 : unknown                    v3 : 7.8
References   https://github.com/FreePBX/security-reporting/security/advisories/GHSA-p42w-v77m-hfp8 (no tag)
             -> https://github.com/FreePBX/security-reporting/security/advisories/GHSA-p42w-v77m-hfp8 - Vendor Advisory
References   https://www.freepbx.org/watch-what-we-do-with-security-fixes-%f0%9f%91%80 (no tag)
             -> https://www.freepbx.org/watch-what-we-do-with-security-fixes-%f0%9f%91%80 - Vendor Advisory
CPE          (none)                          cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:*

16 Dec 2025, 01:15

Type         Values Removed                  Values Added
New CVE

Information

Published : 2025-12-16 01:15

Updated : 2025-12-18 17:45


NVD link : CVE-2025-67722

Mitre link : CVE-2025-67722

CVE.ORG link : CVE-2025-67722



Products Affected

sangoma

  • freepbx
CWE

CWE-426 : Untrusted Search Path