CVE-2025-67722
BaseFortify

Publication date: 2025-12-16

Last updated on: 2025-12-18

Assigner: GitHub, Inc.

Description
FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to versions 16.0.45 and 17.0.24 of the FreePBX framework, an authenticated local privilege escalation exists in the deprecated FreePBX startup script `amportal`. In the deprecated `amportal` utility, the lookup for the `freepbx_engine` file occurs in the `/etc/asterisk/` directory. Typically, this directory is configured by FreePBX as writable by the **asterisk** user and any members of the **asterisk** group. This means that a member of the **asterisk** group can add their own `freepbx_engine` file in `/etc/asterisk/`, and upon `amportal` executing, it would exec that file with root permissions (even though the file was created and placed by a non-root user).

Versions 16.0.45 and 17.0.24 contain a fix for the issue. Other mitigation strategies are also available:
- Confirm only trusted local OS system users are members of the `asterisk` group.
- Look for suspicious files in the `/etc/asterisk/` directory (via Admin -> Config Edit in the GUI, or via CLI).
- Double-check that `live_dangerously = no` is set (or unconfigured, as the default is **no**) in the `/etc/asterisk/asterisk.conf` file.
- Eliminate any unsafe custom use of Asterisk dial plan applications and functions that can potentially manipulate the file system, e.g., System(), FILE(), etc.
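To make the search-path weakness concrete, the following constructed shell illustration is added by the editor; it is not amportal's source, and the actual change shipped in 16.0.45 / 17.0.24 is not described on this page. The vulnerable lookup accepts the first `freepbx_engine` it finds in a list of directories (the list is assumed for the demo; the advisory only says `/etc/asterisk/` is searched). The hardened lookup uses one fixed path and refuses a file that is not owned by the expected account, or that is itself, or sits in, a group- or world-writable location, which is exactly the condition an asterisk-group member exploits here. The expected owner is a parameter (root in production) so the check can be exercised without privileges.

```shell
#!/bin/sh
# Constructed illustration of the CWE-426 (untrusted search path) pattern
# behind CVE-2025-67722. Example code, not amportal's source.

# Vulnerable pattern: the first matching executable in the search list wins,
# with no check on who owns it or who could have written it. The directory
# list is supplied by the caller and is an assumption for illustration.
find_engine_vulnerable() {
    for d in "$@"; do
        if [ -x "$d/freepbx_engine" ]; then
            printf '%s\n' "$d/freepbx_engine"
            return 0
        fi
    done
    return 1
}

# Hardened pattern: a single fixed location, accepted only if it is a regular
# file, owned by the expected account (root in production; a parameter here so
# the check can be exercised unprivileged), and neither the file nor its
# directory is group- or world-writable. Prints the path and returns 0 when
# safe, returns 1 otherwise.
find_engine_hardened() {
    f="$1"
    owner="${2:-root}"
    d=$(dirname "$f")
    [ -f "$f" ] || return 1
    for p in "$f" "$d"; do
        # Ownership via POSIX find -user (no GNU/BSD stat differences).
        [ -n "$(find "$p" -prune -user "$owner" -print 2>/dev/null)" ] || return 1
        # 020 = group write bit, 002 = other write bit; either one disqualifies.
        [ -z "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ] || return 1
    done
    printf '%s\n' "$f"
}

# Demo against a constructed, group-writable config directory (the layout a
# FreePBX install gives /etc/asterisk): run with --demo to see both outcomes.
if [ "${1:-}" = "--demo" ]; then
    t=$(mktemp -d)
    mkdir -m 2775 "$t/etc_asterisk"
    printf '#!/bin/sh\necho "running as $(id -un)"\n' > "$t/etc_asterisk/freepbx_engine"
    chmod 755 "$t/etc_asterisk/freepbx_engine"
    echo "vulnerable lookup picks: $(find_engine_vulnerable "$t/etc_asterisk" "$t/bin")"
    find_engine_hardened "$t/etc_asterisk/freepbx_engine" "$(id -un)" \
        || echo "hardened lookup refuses group-writable $t/etc_asterisk"
    rm -rf "$t"
fi
```

The directory check matters as much as the file check: even a root-owned, mode 755 helper can be replaced by anyone who can write to its parent directory, which is the situation the advisory describes for `/etc/asterisk/`.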
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-12-16
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor    Product    Version / Range
sangoma   freepbx    From 16.0 (inc) to 16.0.45 (exc)
sangoma   freepbx    From 17.0 (inc) to 17.0.24 (exc)
CWE ID     Description
CWE-426    Untrusted Search Path: the product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-67722 is an authenticated local privilege escalation vulnerability in the deprecated FreePBX startup script called 'amportal'. The script looks for a file named 'freepbx_engine' in the /etc/asterisk/ directory, which is typically writable by the 'asterisk' user and members of the 'asterisk' group. A user with membership in the 'asterisk' group can place a malicious 'freepbx_engine' file in this directory. When 'amportal' executes, it runs this file with root privileges, allowing the user to escalate their privileges to root despite not having root access initially. This vulnerability affects FreePBX versions prior to 16.0.45 and 17.0.24, which contain fixes for the issue. Mitigations include restricting membership of the 'asterisk' group to trusted users, checking for suspicious files in /etc/asterisk/, ensuring 'live_dangerously = no' is set in /etc/asterisk/asterisk.conf, and removing unsafe custom dial plan functions that manipulate the filesystem. [1]


How can this vulnerability impact me?

This vulnerability can allow a local user who is a member of the 'asterisk' group to escalate their privileges to root by placing a malicious 'freepbx_engine' file in the /etc/asterisk/ directory. This means an attacker with local access and group membership can gain full control over the system, compromising confidentiality, integrity, and availability of the affected system. It can lead to unauthorized root-level access, potentially allowing the attacker to execute arbitrary commands, modify system files, and disrupt services. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The presence of a 'freepbx_engine' file in /etc/asterisk/ is itself the indicator, since 'amportal' would execute it as root and any member of the 'asterisk' group could have placed it there. Check with 'ls -l /etc/asterisk/freepbx_engine' and, if the file exists, record its owner, modification time and contents before removing it. Next, verify who can write to that directory by listing the 'asterisk' group with 'getent group asterisk' (a 'grep "^asterisk:" /etc/group' covers only locally defined accounts, not LDAP or SSSD users). Confirm that 'live_dangerously' is 'no' or absent with 'grep -n live_dangerously /etc/asterisk/asterisk.conf'; no output means the Asterisk default, which is 'no'. Finally, review custom dial plan files, such as /etc/asterisk/extensions_custom.conf, for applications or functions that manipulate the filesystem, for example with 'grep -nE "System\(|FILE\(" /etc/asterisk/extensions_custom.conf', and confirm each hit is intended. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include: 1) Upgrade FreePBX to version 16.0.45 or 17.0.24 or later, where the vulnerability is fixed. Until the upgrade is done: 2) Ensure only trusted local OS users are members of the 'asterisk' group, since that membership is what grants write access to /etc/asterisk/. 3) Audit /etc/asterisk/ for a 'freepbx_engine' file or other unexpected files and remove anything not placed there by a trusted administrator. 4) Confirm that 'live_dangerously = no' is set or unset (default is no) in /etc/asterisk/asterisk.conf. 5) Eliminate any unsafe custom use of Asterisk dial plan applications and functions that can manipulate the filesystem, such as System() and FILE(). [1]
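The checks from the detection and mitigation answers above, collected into one POSIX shell audit script added here as an example (not FreePBX's or BaseFortify's code). Every check takes an optional path so the script can be run against a copied config tree; with no arguments it uses the real locations the advisory names (/etc/asterisk, the asterisk group). File and group names are the advisory's; TrySystem() and SHELL() are added to the dial plan scan on the editor's assumption that they offer the same capability as System().

```shell
#!/bin/sh
# Audit script for CVE-2025-67722 (example code, not part of FreePBX).
# Each check accepts an optional path for offline use; defaults are the
# real locations from the advisory.

# 1. A freepbx_engine file in the config dir is itself the finding: amportal
#    would execute it as root. Returns 1 (finding) or 0 (clean).
check_engine_file() {
    dir="${1:-/etc/asterisk}"
    if [ -e "$dir/freepbx_engine" ]; then
        printf 'FINDING: %s exists\n' "$dir/freepbx_engine" >&2
        ls -l "$dir/freepbx_engine" >&2
        return 1
    fi
    return 0
}

# 2. Members of the asterisk group, comma-separated. With no argument the
#    lookup goes through getent so LDAP/SSSD-managed groups are included.
asterisk_group_members() {
    if [ -n "$1" ]; then
        awk -F: '$1 == "asterisk" { print $4 }' "$1"
    else
        getent group asterisk | cut -d: -f4
    fi
}

# 3. Effective live_dangerously value. Unset means the Asterisk default "no";
#    both "key = value" and "key => value" are accepted, lines commented with a
#    leading ';' are ignored, and the last assignment wins.
live_dangerously_value() {
    conf="${1:-/etc/asterisk/asterisk.conf}"
    val=$(sed -n 's/^[[:space:]]*live_dangerously[[:space:]]*=>\{0,1\}[[:space:]]*\([A-Za-z0-9]*\).*/\1/p' "$conf" 2>/dev/null | tail -n 1 | tr 'A-Z' 'a-z')
    [ -n "$val" ] && echo "$val" || echo no
}

# 4. Count dial plan lines calling applications/functions that can touch the
#    filesystem or spawn commands. System() and FILE() are the advisory's
#    examples; TrySystem() and SHELL() are added as an assumption. Comments
#    (everything after ';') are stripped before matching.
unsafe_dialplan_lines() {
    dir="${1:-/etc/asterisk}"
    cat "$dir"/extensions*.conf 2>/dev/null | sed 's/;.*//' \
        | grep -cE '(System|TrySystem|SHELL|FILE)\(' || true
}

# Run all checks; the return value is the number of findings (0 = nothing to act on).
audit_cve_2025_67722() {
    dir="${1:-/etc/asterisk}"
    group_file="$2"
    findings=0
    check_engine_file "$dir" || findings=$((findings + 1))
    members=$(asterisk_group_members "$group_file")
    printf 'asterisk group members (all must be trusted): %s\n' "${members:-<none>}" >&2
    ld=$(live_dangerously_value "$dir/asterisk.conf")
    if [ "$ld" != "no" ]; then
        printf 'FINDING: live_dangerously=%s in %s/asterisk.conf\n' "$ld" "$dir" >&2
        findings=$((findings + 1))
    fi
    n=$(unsafe_dialplan_lines "$dir")
    if [ "$n" -gt 0 ]; then
        printf 'FINDING: %s dial plan line(s) use System/TrySystem/SHELL/FILE\n' "$n" >&2
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage: sh <script> [config_dir] [group_file]; prints the finding count.
total=0
audit_cve_2025_67722 "$@" || total=$?
printf 'findings: %s\n' "$total"
```

Run it as root on the PBX host, since /etc/asterisk/ and the group database must be readable. The group listing is not itself a finding: the script cannot know which accounts you trust, so review that line by hand. None of these checks replaces the upgrade; they only narrow the window until 16.0.45 or 17.0.24 is installed.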


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an authenticated local user with membership in the asterisk group to escalate privileges to root by placing a malicious file in a writable directory. Successful exploitation can compromise the confidentiality, integrity, and availability of the system. Such a compromise could lead to violations of compliance requirements under standards like GDPR and HIPAA, which mandate protection of sensitive data and system integrity. Therefore, this vulnerability poses a risk to compliance with these regulations if exploited. [1]

