CVE-2025-55210
📋 TL;DR
This vulnerability allows authenticated users with REST/GraphQL API access in FreePBX to escalate privileges by forging JWTs using the api-oauth.key private key. Attackers who obtain this key and know an existing JWT ID (jti) can create tokens with arbitrary scopes, bypassing authorization checks. This affects FreePBX installations prior to versions 17.0.5 and 16.0.17.
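To make the authorization flaw concrete, here is an added example (not FreePBX's code or its actual fix) contrasting a check that trusts a validly signed token's `scope` claim with one that treats the server-side record for the token's `jti` as the authority. The claim names `sub` and `scope`, the `TokenRecord` store and the sample tokens are assumptions constructed for the example; the signature is assumed to have been verified already, since the point is that a valid signature alone must not grant the claimed scopes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TokenRecord:
    """Server-side record written when a token is issued (assumed schema)."""
    jti: str
    user: str
    scopes: frozenset
    revoked: bool = False

# Constructed sample store: what the issuer recorded for each jti.
TOKEN_STORE = {
    "jti-1001": TokenRecord("jti-1001", "alice", frozenset({"reports:read"})),
    "jti-2002": TokenRecord("jti-2002", "bob", frozenset({"admin"}), revoked=True),
}

def claimed_scopes(claims: dict) -> frozenset:
    """Scopes asserted inside the token itself (space-separated, as in OAuth)."""
    return frozenset(str(claims.get("scope", "")).split())

def vulnerable_authorize(claims: dict, required_scope: str) -> bool:
    """Flawed pattern: a signed token's own scope claim decides authorization,
    so anyone holding the signing key can mint a token with any scope."""
    return required_scope in claimed_scopes(claims)

def effective_scopes(claims: dict, store: dict = TOKEN_STORE) -> frozenset:
    """Hardened pattern: honor only scopes recorded server-side for this jti.
    Unknown or revoked jti, or a subject mismatch, yields no scopes at all.
    A token may narrow its recorded scopes but can never widen them."""
    jti = claims.get("jti")
    record = store.get(jti) if isinstance(jti, str) else None
    if record is None or record.revoked:
        return frozenset()
    if claims.get("sub") != record.user:
        return frozenset()
    return claimed_scopes(claims) & record.scopes

def authorize(claims: dict, required_scope: str, store: dict = TOKEN_STORE) -> bool:
    return required_scope in effective_scopes(claims, store)

def scope_escalation_detected(claims: dict, store: dict = TOKEN_STORE) -> bool:
    """Detection hook: a token asserting scopes beyond its stored record is a
    forgery indicator worth logging, even when the request is then denied."""
    record = store.get(claims.get("jti"))
    return record is not None and not claimed_scopes(claims) <= record.scopes

# Constructed forged token: a real jti and subject, but an inflated scope claim.
FORGED = {"jti": "jti-1001", "sub": "alice", "scope": "admin reports:read"}
```

Running `vulnerable_authorize(FORGED, "admin")` returns True while `authorize(FORGED, "admin")` returns False, and `scope_escalation_detected(FORGED)` flags the mismatch for the detection pipeline.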
💻 Affected Systems
- FreePBX
📦 What is this software?
Freepbx by Sangoma
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains full administrative access to the FreePBX system, allowing complete control over telephony services, configuration changes, and potential data exfiltration.
Likely Case
Privileged users or attackers with initial access escalate to administrative privileges, enabling unauthorized configuration changes and access to sensitive telephony data.
If Mitigated
With proper network segmentation and access controls, impact is limited to the FreePBX instance itself without lateral movement to other systems.
🎯 Exploit Status
Requires obtaining the api-oauth.key private key and knowing an existing jti value from the database, which typically requires some level of initial access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 17.0.5 or 16.0.17
Vendor Advisory: https://github.com/FreePBX/security-reporting/security/advisories/GHSA-gvgh-p7wj-76cf
Restart Required: No
Instructions:
1. Back up your FreePBX configuration.
2. Update FreePBX via the web interface (Admin → Module Admin → Check for Updates) or the command line (fwconsole ma upgradeall).
3. Verify the version is 17.0.5+ or 16.0.17+.
🔧 Temporary Workarounds
Restrict API Access
Limit network access to FreePBX API endpoints to trusted IP addresses only.
Configure firewall rules to restrict access to FreePBX web ports (typically 80/443) to authorized networks only.
Rotate API Keys
Generate a new api-oauth.key to invalidate potentially compromised tokens.
Navigate to FreePBX Admin → System Admin → API Settings → Generate New Key
🧯 If You Can't Patch
- Implement strict network segmentation to isolate FreePBX from other critical systems
- Enforce least privilege access controls and monitor for unusual API activity
🔍 How to Verify
Check if Vulnerable:
Check the FreePBX version via the web interface (Admin → System Admin → About) or the command line: fwconsole ma list | grep framework
Check Version:
fwconsole ma list | grep framework
Verify Fix Applied:
Confirm the version is 17.0.5 or higher (for v17) or 16.0.17 or higher (for v16).
📡 Detection & Monitoring
Log Indicators:
- Unusual API access patterns from non-admin users
- Multiple failed JWT validation attempts followed by successful privileged access
Network Indicators:
- Unusual REST/GraphQL API requests with elevated scopes from unexpected sources
SIEM Query:
source="freepbx" AND (event="api_access" AND user_privilege_change="escalation")
🔗 References
- https://github.com/FreePBX/api/commit/bc6f7d72063cffb18babb6559fa351046d7ad19b
- https://github.com/FreePBX/api/commit/c16a3a79b83382fb4884e51174882ed635637002
- https://github.com/FreePBX/api/commit/d66786634e7e7d3eedcb4d0931b32c415ba6e9ef
- https://github.com/FreePBX/security-reporting/security/advisories/GHSA-gvgh-p7wj-76cf