PT-2025-42182 · Asterisk, FreePBX

Published: 2025-10-14 · Updated: 2026-01-20
CVE: CVE-2025-59429
CVSS v4.0: 8.5 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
FreePBX versions prior to 16.0.68.39
FreePBX versions prior to 17.0.18.38
Description
FreePBX, an open source GUI for managing Asterisk, carries a reflected cross-site scripting (XSS) flaw on the Asterisk HTTP Status page, the page Asterisk serves for monitoring its own status. Because the flaw is reflected, the attacker needs no account on the PBX: it is enough to get a logged-in administrator to open a crafted link to the page (the UI:A in the vector above). How reachable the page is depends on the FreePBX line. On version 16 the Asterisk HTTP server listens on port 8088 on every bound IP address, so the status page is exposed to the network; on version 17 it is bound to localhost by default, which keeps the page off the network unless that binding has been changed. Script injected through the flaw runs in the administrator's browser session and can read its cookies, so a successful attack can hijack the admin session and, with it, the FreePBX admin interface: reading sensitive data, changing system configuration, creating backdoor accounts, and disrupting service.
Recommendations
Update to FreePBX version 16.0.68.39 or later on the 16 line, or 17.0.18.38 or later on the 17 line. Until the update is applied, binding port 8088 to localhost on version 16 (the version 17 default) removes the network exposure but not the flaw itself; any host that still needs the page reachable remotely stays exposed.
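Two checks follow from the advisory: is the installed FreePBX below the fixed release for its line, and is the Asterisk HTTP server on port 8088 bound beyond loopback. The script below is an added example, not code from the advisory, FreePBX or Asterisk; it assumes dotted numeric FreePBX versions and listener lines in `ss -ltn` layout, and the sample listener output it runs against is constructed, not captured from a host.

```shell
#!/bin/sh
# Added example for PT-2025-42182 / CVE-2025-59429; not code from the advisory,
# FreePBX or Asterisk. It checks the two things the advisory turns on:
#   1. is the installed FreePBX below the fixed release for its line
#      (16.0.68.39 or 17.0.18.38)?
#   2. is Asterisk's HTTP server on port 8088 bound to a non-loopback address,
#      so the status page is reachable from the network (the FreePBX 16 case)?
# Assumptions: dotted numeric FreePBX versions; listener lines in `ss -ltn`
# layout. The sample input below is constructed, not captured from a host.

# vercmp A B: print -1, 0 or 1 comparing dotted versions field by field.
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    [ "$ai" = "$a" ] && a="" || a="${a#*.}"
    [ "$bi" = "$b" ] && b="" || b="${b#*.}"
    ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"   # drop suffixes such as -1 or rc2
    ai="${ai:-0}"; bi="${bi:-0}"                # a missing field counts as 0
    if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
    if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# freepbx_vulnerable VER: exit 0 if VER is below the fixed release of its major
# line, 1 if it is fixed, 2 if the line is not covered by this advisory.
freepbx_vulnerable() {
  case "$1" in
    16.*) fixed=16.0.68.39 ;;
    17.*) fixed=17.0.18.38 ;;
    *)    return 2 ;;
  esac
  [ "$(vercmp "$1" "$fixed")" -lt 0 ]
}

# exposed_8088: read `ss -ltn`-style lines on stdin, print every 8088 listener
# that is not on a loopback address; exit 0 if at least one was found.
exposed_8088() {
  found=1
  while read -r st rq sq laddr paddr rest; do
    [ "$st" = "LISTEN" ] || continue
    port="${laddr##*:}"; addr="${laddr%:*}"
    [ "$port" = "8088" ] || continue
    case "$addr" in
      127.*|'[::1]') ;;                     # loopback only: the FreePBX 17 default
      *) printf '%s\n' "$laddr"; found=0 ;; # any other address, including * and [::]
    esac
  done
  return "$found"
}

# Constructed sample: a FreePBX 16-style host with 8088 on all IPv4 addresses.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:8088      0.0.0.0:*
LISTEN 0      128    0.0.0.0:8088        0.0.0.0:*
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*'

for v in 16.0.68.38 16.0.68.39 17.0.18.37 17.0.18.38; do
  if freepbx_vulnerable "$v"; then
    echo "$v: below fixed release, update"
  else
    echo "$v: fixed (or line not covered by this advisory)"
  fi
done
printf '%s\n' "$SAMPLE_SS" | exposed_8088 && echo "^ port 8088 reachable beyond loopback"
# On a real host (assumed commands, not run here): pipe `ss -ltn` into
# exposed_8088 and pass the framework version from `fwconsole ma list` to
# freepbx_vulnerable.
```

The version comparison is field-wise rather than a string comparison so that 16.0.70 ranks above 16.0.68.39; the listener check treats anything other than 127.x or [::1] on port 8088 as exposed, which is the condition that turns this reflected XSS into a network-reachable issue on FreePBX 16.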

Exploit · Fix

Tags: XSS

Weakness Enumeration

Related Identifiers: CVE-2025-59429, GHSA-C8G7-475J-FWCC

Affected Products: Asterisk, FreePBX