PT-2026-7859 · Asterisk+2

Published

2026-02-12

·

Updated

2026-02-27

·

CVE-2025-55210

CVSS v3.1

7.5

High

Vector

AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

FreePBX 17 prior to 17.0.5 and FreePBX 16 prior to 16.0.17

Description

FreePBX, a web-based GUI for managing Asterisk, lets an authenticated user with access to the REST/GraphQL API elevate their privileges by presenting a forged JSON Web Token (JWT). API tokens are signed with the api-oauth.key private key. An attacker who obtains that key can mint their own token and place any scopes in it (for example 'rest' and 'gql'); the API trusts the scopes carried in the token, so the standard authorization checks are bypassed and the attacker gains full access to the REST and GraphQL APIs. The one remaining check is that the token's 'jti' (JWT ID) claim must already exist in the api access tokens table in the Asterisk MySQL database, so the attacker also needs a valid 'jti' value that is present on the target system. The need for both the private key and a live 'jti' is what makes the attack high-complexity (AC:H in the vector above). The vulnerable component is the API module.

Recommendations

Update FreePBX 17 to version 17.0.5 or later and FreePBX 16 to version 16.0.17 or later. As a general precaution, since the attack depends on possession of the api-oauth.key private key, confirm that the key file is readable only by the PBX service account and regenerate it if it may have been exposed.
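The forgery path described above, as an added example that is not taken from the advisory or from FreePBX itself. The Go below is a self-contained model: SignJWT plays the role of whoever holds the signing key (the part api-oauth.key plays in the advisory), WeakAuthorize performs the check as the description states it (signature valid, 'jti' present in the token table, scopes then read from the token), and StrictAuthorize is an assumed hardening, not FreePBX's actual fix, in which the stored row decides the scopes and the presented token must hash to the one originally issued for that 'jti'. The RS256 algorithm, the table layout, the function and type names and the 'jti' value 3f9c1a7e are assumptions constructed for the example; FreePBX's own PHP code is not reproduced.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

type Claims struct { // only the claims this example needs
	JTI    string   `json:"jti"`
	Scopes []string `json:"scopes"`
}

type TokenRecord struct { // stand-in row of the api access tokens table (constructed here)
	Scopes    []string
	TokenHash [32]byte // SHA-256 of the exact token string that was issued
}

var enc = base64.RawURLEncoding
var header = enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
// SignJWT mints an RS256 JWT. Whoever holds the private key (the role
// api-oauth.key plays in the advisory) can call this with arbitrary claims.
func SignJWT(key *rsa.PrivateKey, c Claims) (string, error) {
	body, _ := json.Marshal(c) // a string and a []string cannot fail to marshal
	input := header + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + enc.EncodeToString(sig), err // err only for an unusable key
}

// VerifyJWT checks the RS256 signature and returns the claims; the header is pinned byte-for-byte, so "alg":"none" or an HMAC alg never reaches the key.
func VerifyJWT(pub *rsa.PublicKey, tok string) (Claims, error) {
	var c Claims
	parts := strings.Split(tok, ".")
	if len(parts) != 3 || parts[0] != header {
		return c, errors.New("malformed token or unsupported alg")
	}
	sig, err := enc.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return c, errors.New("bad signature")
	}
	body, err := enc.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(body, &c)
	}
	return c, err
}

// WeakAuthorize mirrors the check the advisory describes: valid signature, jti
// present in the table, and the scopes are then trusted straight from the token.
func WeakAuthorize(pub *rsa.PublicKey, table map[string]TokenRecord, tok string) ([]string, error) {
	c, err := VerifyJWT(pub, tok)
	if err != nil {
		return nil, err
	}
	if _, ok := table[c.JTI]; !ok {
		return nil, errors.New("unknown jti")
	}
	return c.Scopes, nil
}

// StrictAuthorize is an assumed hardening (not FreePBX's own fix): the row is the
// source of truth for scopes, and the presented token must be the one issued for it.
func StrictAuthorize(pub *rsa.PublicKey, table map[string]TokenRecord, tok string) ([]string, error) {
	c, err := VerifyJWT(pub, tok)
	if err != nil {
		return nil, err
	}
	rec, ok := table[c.JTI]
	if !ok || rec.TokenHash != sha256.Sum256([]byte(tok)) {
		return nil, errors.New("token is not the one issued for this jti")
	}
	return rec.Scopes, nil
}
func must[T any](v T, err error) T { // setup helper: panic so the scenario reads top to bottom
	if err != nil {
		panic(err)
	}
	return v
}

// ForgeScenario issues a low-privilege token, forges one that reuses its jti with full scopes, and returns what WeakAuthorize grants and StrictAuthorize's verdict.
func ForgeScenario() (weakGranted []string, strictErr error) {
	key := must(rsa.GenerateKey(rand.Reader, 2048)) // plays the part of api-oauth.key
	legit := Claims{JTI: "3f9c1a7e", Scopes: []string{"rest"}} // constructed data
	legitTok := must(SignJWT(key, legit))
	table := map[string]TokenRecord{legit.JTI: {Scopes: legit.Scopes, TokenHash: sha256.Sum256([]byte(legitTok))}}
	// The attacker holds the key and knows a live jti; the scopes are theirs to choose.
	forged := must(SignJWT(key, Claims{JTI: legit.JTI, Scopes: []string{"rest", "gql"}}))
	weakGranted = must(WeakAuthorize(&key.PublicKey, table, forged))
	_, strictErr = StrictAuthorize(&key.PublicKey, table, forged)
	return weakGranted, strictErr
}
```

ForgeScenario is the entry point to call from a test or a main of your own: it returns the scopes the weak check grants to the forged token (rest and gql, the escalation the advisory describes) together with the error the strict check returns for the same token. Note what the 'jti' existence check does and does not buy: it forces the attacker to learn a live identifier, but because the row is consulted only for existence, the scopes and everything else still come from a token the attacker signed.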

Exploit · Fix · LPE


Related Identifiers

BDU:2026-02199
CVE-2025-55210
GHSA-gvgh-p7wj-76cf

Affected Products

Asterisk
FreePBX
MySQL Server