CVE-2025-55210
Privilege Escalation in FreePBX API via Forged JWT Tokens
Publication date: 2026-02-12
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sangoma | freepbx | From 16.0.2 (inc) to 16.0.17 (exc) |
| sangoma | freepbx | From 17.0.1 (inc) to 17.0.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-270 | The product does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-55210 is a privilege escalation vulnerability in the FreePBX api module (PBX API) affecting versions prior to 16.0.17 for FreePBX 16 and prior to 17.0.5 for FreePBX 17. Authenticated users with REST/GraphQL API access can exploit this flaw to forge a valid JSON Web Token (JWT) with full API access, even if they originally have lower privileges.
The vulnerability arises because the JWTs are signed using a private key (api-oauth.key). If an attacker obtains this key or accesses a valid JWT ID (jti) from the target system, they can create forged tokens with arbitrary scopes, bypassing normal authorization checks and gaining elevated privileges.
However, the forged token must include a jti claim that exists in the api_access_tokens database table. Knowing any valid jti allows the attacker to generate tokens with any desired scopes, such as rest or gql, granting full API access.
This vulnerability has existed for about seven years and is fixed in FreePBX versions 16.0.17 and 17.0.5 by adding GraphQL scope validation and improving token security.
How can this vulnerability impact me? :
This vulnerability allows an authenticated user with limited privileges to escalate their access to full control over the FreePBX REST and GraphQL APIs.
- An attacker can forge JWTs with arbitrary scopes, bypassing authorization checks.
- Full unauthorized access to the PBX API can lead to manipulation or disruption of telephony services managed by FreePBX.
- Attackers could potentially access sensitive configuration or call data, depending on API capabilities.
- The attack requires knowledge of a valid JWT ID (jti) and possession or compromise of the private signing key, making exploitation complex but impactful.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves identifying whether your FreePBX instance is running a vulnerable version of the api module (prior to 16.0.17 for FreePBX 16 or prior to 17.0.5 for FreePBX 17) and checking for signs of forged JWT tokens or unauthorized API access.'}, {'type': 'paragraph', 'content': 'Since the vulnerability involves forged JWT tokens signed with the api-oauth.key private key and requires knowledge of valid jti values from the api_access_tokens table in the asterisk MySQL database, detection can include:'}, {'type': 'list_item', 'content': 'Reviewing API access logs for unusual or unexpected JWT tokens or scopes.'}, {'type': 'list_item', 'content': 'Querying the asterisk MySQL database to inspect the api_access_tokens table for suspicious or unexpected jti entries.'}, {'type': 'list_item', 'content': 'Checking the FreePBX api module version to confirm if it is older than the fixed versions.'}, {'type': 'paragraph', 'content': 'Example commands that may help in detection include:'}, {'type': 'list_item', 'content': 'Check FreePBX api module version (adjust path as needed):\n`fwconsole ma list | grep api`'}, {'type': 'list_item', 'content': 'Query the MySQL database for api_access_tokens entries:\n`mysql -u asterisk -p -e "SELECT * FROM api_access_tokens;" asterisk`'}, {'type': 'list_item', 'content': "Inspect web server or FreePBX logs for suspicious API calls or JWT usage, for example:\n`grep -i 'Authorization: Bearer' /var/log/asterisk/freepbx.log`"}, {'type': 'paragraph', 'content': 'Note that detection of forged tokens specifically may require custom log analysis or monitoring for unusual token scopes or usage patterns.'}] [4]
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation step is to update the FreePBX api module to a fixed version that addresses this vulnerability.
- For FreePBX 16, update the api module to version 16.0.17 or later.
- For FreePBX 17, update the api module to version 17.0.5 or later.
These updates introduce GraphQL scope validation and improved token validation mechanisms that prevent forged JWT tokens from bypassing authorization checks.
Additional immediate steps include:
- Restrict access to the api-oauth.key private key to prevent attackers from obtaining it.
- Monitor and audit the api_access_tokens table and API usage logs for suspicious activity.
- Consider rotating or invalidating existing tokens if possible to reduce risk from compromised jti values.