CVE-2025-59429

5.4 MEDIUM

📋 TL;DR

This CVE describes a reflected cross-site scripting (XSS) vulnerability in FreePBX, an open-source GUI for managing Asterisk. It allows unauthenticated attackers to steal admin session cookies via the Asterisk HTTP Status page, potentially leading to full control of the FreePBX admin interface. Affected systems include FreePBX versions prior to 16.0.68.39 for FreePBX 16 and prior to 17.0.18.38 for FreePBX 17.

💻 Affected Systems

Products:
  • FreePBX
Versions: FreePBX 16 versions prior to 16.0.68.39, FreePBX 17 versions prior to 17.0.18.38
Operating Systems: Linux-based systems where FreePBX is installed
Default Config Vulnerable: ⚠️ Yes
Notes: FreePBX 16 exposes the vulnerable page on any bound IP at port 8088 by default, while FreePBX 17 binds only to localhost by default, reducing exposure.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain admin access, enabling them to steal sensitive data, modify configurations, create backdoor accounts, and disrupt services.

🟠 Likely Case

Session hijacking of admin users, leading to unauthorized access and potential data exposure.

🟢 If Mitigated

Limited impact if patched or if the service is not exposed to untrusted networks.

🌐 Internet-Facing: HIGH for FreePBX 16 (default binding to any IP on port 8088), MEDIUM for FreePBX 17 (default binding to localhost only, but risk if misconfigured).
🏢 Internal Only: MEDIUM for FreePBX 16, LOW for FreePBX 17, as internal attackers could exploit it if network access is available.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires tricking a user into clicking a malicious link, but is straightforward due to the reflected XSS nature.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FreePBX 16: 16.0.68.39, FreePBX 17: 17.0.18.38

Vendor Advisory: https://github.com/FreePBX/security-reporting/security/advisories/GHSA-c8g7-475j-fwcc

Restart Required: No

Instructions:

1. Back up your FreePBX system.
2. Update FreePBX via the GUI or command line: for FreePBX 16, upgrade to version 16.0.68.39 or later; for FreePBX 17, upgrade to version 17.0.18.38 or later.
3. Verify the update was successful by checking the version.

🔧 Temporary Workarounds

Restrict Access to Asterisk HTTP Status Page

Linux

Block external access to port 8088 using firewall rules or network segmentation to limit exposure. The rule below matches every interface, loopback included, and is appended after any existing INPUT rules, so add an ACCEPT for `lo` (and for any management network that legitimately needs the page) ahead of it and confirm the resulting order with `sudo iptables -L INPUT -n --line-numbers`.

sudo iptables -A INPUT -p tcp --dport 8088 -j DROP

🧯 If You Can't Patch

  • Implement strict firewall rules to block inbound traffic to port 8088 from untrusted networks.
  • Use web application firewalls (WAFs) to filter and block XSS attempts targeting the vulnerable endpoint.

🔍 How to Verify

Check if Vulnerable:

Check if the Asterisk HTTP Status page is accessible at http://<your-ip>:8088 and if the FreePBX version is below the patched versions.

Check Version:

fwconsole ma list | grep -i freepbx

Verify Fix Applied:

After patching, confirm the version is at or above 16.0.68.39 for FreePBX 16 or 17.0.18.38 for FreePBX 17, and test that the XSS payload no longer executes.
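The "Check Version" and "Verify Fix Applied" steps above both come down to parsing the installed FreePBX version and comparing it against the fixed release for its branch. The script below is an added example, not part of this advisory or of FreePBX itself. It assumes the `fwconsole ma list` table layout (`| module | version | status | license |`) and that the `framework` module carries the FreePBX version; the table content is constructed for illustration.

```python
import re
from typing import Optional, Tuple

# Patched versions per branch, as stated in the advisory.
FIXED_VERSIONS = {
    16: (16, 0, 68, 39),
    17: (17, 0, 18, 38),
}

VERSION_RE = re.compile(r"\b(\d+(?:\.\d+){1,3})\b")

# Constructed sample of `fwconsole ma list` output (not captured from a real system).
# Assumption: the 'framework' module's version is the FreePBX version.
SAMPLE_MA_LIST = """\
| Module    | Version    | Status  | License |
| framework | 16.0.68.35 | Enabled | GPLv3+  |
| core      | 16.0.68.12 | Enabled | GPLv3+  |
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '16.0.68.39' into a tuple of ints
    so that comparisons are numeric, not lexical ('16.0.68.9' < '16.0.68.39')."""
    return tuple(int(part) for part in text.strip().split("."))


def is_patched(version: str) -> Optional[bool]:
    """True if the version is at or above the fixed release for its branch,
    False if it is below, None if the branch is not covered by this advisory."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        return None
    # Pad shorter tuples so '16.0.69' compares as '16.0.69.0'.
    width = max(len(parsed), len(fixed))
    parsed = parsed + (0,) * (width - len(parsed))
    fixed = fixed + (0,) * (width - len(fixed))
    return parsed >= fixed


def framework_version(ma_list_output: str) -> Optional[str]:
    """Pull the 'framework' module version out of `fwconsole ma list` table output."""
    for line in ma_list_output.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 2 and cells[0].lower() == "framework":
            match = VERSION_RE.search(cells[1])
            if match:
                return match.group(1)
    return None


def assess(ma_list_output: str) -> dict:
    """Combine the two steps: find the installed version and decide whether it is fixed."""
    version = framework_version(ma_list_output)
    return {
        "version": version,
        "patched": is_patched(version) if version else None,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_MA_LIST))
```

Run it against the real output (`fwconsole ma list | python3 check_freepbx.py` after swapping `SAMPLE_MA_LIST` for `sys.stdin.read()`); a result of `patched: False` means the system is still on a vulnerable release, and `None` means the branch is outside this advisory and needs a separate check.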

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to port 8088, especially with suspicious query parameters in HTTP logs.

Network Indicators:

  • Traffic to port 8088 containing script tags or encoded payloads indicative of XSS attempts.

SIEM Query:

source="*freepbx*" AND (url="*8088*" AND (query="*<script>*" OR query="*javascript:*"))
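The SIEM query above matches literal `<script>` and `javascript:` substrings, so it misses the URL-encoded (and double-encoded) payloads the network indicators mention, and `url="*8088*"` also fires on any path that happens to contain the digits 8088. The following is an added example, not part of this advisory or of any SIEM product, showing the same detection logic applied over records with the query's own field names (`source`, `url`, `query`); the records are constructed, and the decoding depth of three rounds is an assumed limit.

```python
from typing import List
from urllib.parse import unquote, urlsplit

# Constructed event records mirroring the SIEM query's fields (not real log data).
SAMPLE_EVENTS = [
    {"source": "freepbx-01", "url": "http://10.0.0.20:8088/", "query": ""},
    {"source": "freepbx-01", "url": "http://10.0.0.20:8088/",
     "query": "x=%3Cscript%3Ealert(1)%3C%2Fscript%3E"},            # single-encoded
    {"source": "freepbx-01", "url": "http://10.0.0.20:8088/",
     "query": "y=JaVaScRiPt%3Aalert(1)"},                           # mixed case
    {"source": "freepbx-01", "url": "http://10.0.0.20:8088/",
     "query": "z=%253Cscript%253E"},                                # double-encoded
    {"source": "freepbx-01", "url": "http://10.0.0.20/admin/8088",  # port 80, not 8088
     "query": "q=<script>"},
]

MAX_DECODE_ROUNDS = 3  # assumed: enough to unwrap double/triple URL-encoding


def decode_layers(value: str, max_rounds: int = MAX_DECODE_ROUNDS) -> str:
    """Repeatedly URL-decode until the string stops changing or the round limit is hit."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_xss_indicator(query: str) -> bool:
    """Same indicators as the SIEM query, but case-insensitive and after decoding."""
    decoded = decode_layers(query).lower()
    return "<script" in decoded or "javascript:" in decoded


def targets_port_8088(url: str) -> bool:
    """Check the actual port of the URL rather than searching for the substring '8088'."""
    try:
        return urlsplit(url).port == 8088
    except ValueError:  # malformed port component
        return False


def flag_events(events: List[dict]) -> List[dict]:
    """Return the events that hit the Asterisk HTTP port with an XSS-looking query."""
    return [
        e for e in events
        if targets_port_8088(e.get("url", "")) and is_xss_indicator(e.get("query", ""))
    ]


if __name__ == "__main__":
    for event in flag_events(SAMPLE_EVENTS):
        print("XSS indicator on port 8088:", event["query"])
```

Of the five constructed records only the three encoded or mixed-case ones are flagged; the plain-text `<script>` on the port-80 admin path is correctly ignored, which is the opposite of what the substring glob would do.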
