PT-2025-36101 · Asterisk, FreePBX
J0Eblow
Published: 2025-09-04 · Updated: 2025-09-05
CVE-2025-55739
CVSS v4.0: 5.1 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L |
Name of the Vulnerable Software and Affected Versions
FreePBX versions prior to 15.0.13
FreePBX versions 16.0.2 through 16.0.14
FreePBX versions 17.0.1 and 17.0.2
Description
The api module for FreePBX, an open-source GUI for Asterisk, is susceptible to an issue where a shared OAuth private key is used across multiple systems installed from the same FreePBX package. An attacker with access to this key could forge JWT tokens, bypass authentication, and potentially gain full access to both the REST and GraphQL API endpoints. Systems with the "api" module enabled, configured, and previously activated by an administrator for remote inbound connections may be affected.
Recommendations
Update to FreePBX version 15.0.13 or later.
Update to FreePBX version 16.0.15 or later.
Update to FreePBX version 17.0.3 or later.
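The core of this advisory is a signing key that is identical on every system installed from the same package, so a token minted on one system verifies on all of them. The Go program below is an added example, not code from the advisory or from the FreePBX project, showing the two checks a defender wants after reading it: a fleet-wide audit that flags deployments presenting the same public-key fingerprint (compare fingerprints, never copy private keys), and a strict RS256 verifier that accepts only tokens signed under this deployment's own key and pins the `alg` header. The deployment names `pbx-a`/`pbx-b`/`pbx-c`, the claims and the keys are constructed for the demonstration and say nothing about FreePBX's real key storage or token format.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// KeyFingerprint is the hex SHA-256 of the DER-encoded public key: safe to collect
// from every deployment and compare, without ever moving private key material.
func KeyFingerprint(pub *rsa.PublicKey) string {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err) // only fails on a malformed key
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// SharedKeyAudit returns, per fingerprint, the deployments that present the same
// public key; any group of two or more is the condition this advisory describes.
func SharedKeyAudit(fleet map[string]*rsa.PublicKey) map[string][]string {
	groups := map[string][]string{}
	for name, pub := range fleet {
		fp := KeyFingerprint(pub)
		groups[fp] = append(groups[fp], name)
	}
	for fp, names := range groups {
		if len(names) < 2 {
			delete(groups, fp)
		}
	}
	return groups
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignRS256 mints a minimal RS256 JWT (header.payload.signature) under priv.
func SignRS256(priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyRS256 accepts a token only if its signature was made with the single key
// this deployment trusts; alg is pinned so the token cannot choose its own algorithm.
func VerifyRS256(trusted *rsa.PublicKey, token string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return errors.New("unexpected alg header")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(trusted, crypto.SHA256, digest[:], sig) != nil {
		return errors.New("signature not produced by this deployment's key")
	}
	return nil
}

func genKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Demo builds a constructed fleet: pbx-a and pbx-b still carry the key that shipped
// with the package, pbx-c was re-keyed. It reports whether a token minted on pbx-a
// is accepted by pbx-b and by pbx-c, plus the audit's shared-key groups.
func Demo() (acceptedBySharedPeer, acceptedByRekeyedPeer bool, shared map[string][]string) {
	packageKey, uniqueKey := genKey(), genKey()
	fleet := map[string]*rsa.PublicKey{
		"pbx-a": &packageKey.PublicKey,
		"pbx-b": &packageKey.PublicKey,
		"pbx-c": &uniqueKey.PublicKey,
	}
	token, err := SignRS256(packageKey, map[string]any{"sub": "admin", "scope": "rest graphql"})
	if err != nil {
		panic(err)
	}
	return VerifyRS256(fleet["pbx-b"], token) == nil,
		VerifyRS256(fleet["pbx-c"], token) == nil,
		SharedKeyAudit(fleet)
}

func main() {
	a, c, shared := Demo()
	fmt.Printf("shared-key peer accepts foreign token: %v, re-keyed peer accepts it: %v, shared groups: %v\n", a, c, shared)
}
```

Running it shows the failure mode and the fix side by side: the peer that still holds the package key accepts a token it never issued, the re-keyed peer rejects it, and the audit lists exactly the two deployments that share a fingerprint. In practice the fingerprint list is what you collect from each host after updating to a fixed release, to confirm every system now presents a different key.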
Weakness
Insufficiently Protected Credentials
Using Hardcoded Credentials
Related Identifiers
Affected Products
Asterisk
FreePBX