CVE-2025-55210 Overview
CVE-2025-55210 is a privilege escalation vulnerability affecting the FreePBX API module (PBX API) in versions prior to 17.0.5 and 16.0.17. FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk, a widely deployed open-source PBX platform. This vulnerability allows authenticated users with REST/GraphQL API access to forge valid JWT tokens with elevated privileges, potentially bypassing traditional authorization checks.
The vulnerability exists in how FreePBX handles JWT token validation. An attacker who has gained access to an affected FreePBX instance can obtain the api-oauth.key private key used for signing JWT tokens. With this key, attackers can generate their own tokens specifying arbitrary scopes (such as rest or gql), effectively escalating their privileges beyond what was originally granted.
Critical Impact
Authenticated users with limited API access can forge JWT tokens to gain full REST and GraphQL API access, potentially allowing unauthorized configuration changes to the PBX system.
Affected Products
- FreePBX PBX API module versions prior to 17.0.5
- FreePBX PBX API module versions prior to 16.0.17
- FreePBX installations using REST/GraphQL API functionality
Discovery Timeline
- February 12, 2026 - CVE-2025-55210 published to NVD
- February 12, 2026 - Last updated in NVD database
Technical Details for CVE-2025-55210
Vulnerability Analysis
This privilege escalation vulnerability (CWE-270: Privilege Context Switching Error) stems from insufficient protection of the JWT signing key combined with inadequate scope validation in the GraphQL API. The attack requires network access and an existing authenticated session with at least minimal API privileges.
The exploitation scenario involves multiple steps: First, an attacker must obtain the api-oauth.key private key from an affected FreePBX instance they have already connected to, potentially as a low-privileged user. Once in possession of this key, they can craft custom JWT tokens with any desired scopes, such as rest and gql, effectively bypassing the authorization model.
A partial mitigation exists in that FreePBX requires the jti (JWT ID) claim to exist in the api_access_tokens table within the asterisk MySQL database. This means attackers must know an existing jti value on the target system, adding complexity to exploitation.
Root Cause
The root cause of CVE-2025-55210 is the Privilege Context Switching Error (CWE-270) where the JWT signing key (api-oauth.key) is accessible to authenticated users, and the GraphQL API lacks proper scope validation. This allows authenticated users to craft tokens with elevated privileges that the system accepts as valid, provided they supply a known jti value.
Attack Vector
The attack vector is network-based, requiring authenticated access to a FreePBX system. The attacker leverages their existing access to extract the private signing key, then generates a forged JWT with elevated scopes. The forged token must include a valid jti claim that exists in the database, which the attacker may obtain through their legitimate (though limited) access to the system.
The security patches introduced proper OAuth2 scope validation for the GraphQL API:
include __DIR__."/vendor/autoload.php";
use FreePBX\modules\Gqlapi\includes\Graphqlapi;
+use Slim\App;
+use League\OAuth2\Server\AuthorizationServer;
+use FreePBX\modules\Gqlapi\Oauth;
class Gqlapi implements \BMO {
private $classes = [];
Source: GitHub Commit bc6f7d7
The fix implements proper OAuth2 server integration with scope validation through the League\OAuth2\Server\AuthorizationServer component.
Detection Methods for CVE-2025-55210
Indicators of Compromise
- Unusual JWT token generation or validation attempts in FreePBX API logs
- Access attempts to the api-oauth.key file from unexpected processes or users
- Database queries against the api_access_tokens table from non-standard sources
- API requests with elevated scopes (rest, gql) from previously low-privileged users
Detection Strategies
- Monitor authentication logs for users accessing API endpoints beyond their normal scope
- Implement file integrity monitoring on the api-oauth.key private key file
- Review MySQL audit logs for suspicious queries against the api_access_tokens table
- Analyze JWT tokens in API requests for anomalous scope claims relative to user permissions
Monitoring Recommendations
- Enable detailed logging for all REST and GraphQL API authentication events
- Set up alerts for any access to cryptographic key files within the FreePBX installation
- Monitor for unusual patterns in API usage, particularly privilege escalation attempts
- Implement network monitoring to detect unauthorized API access from unexpected sources
How to Mitigate CVE-2025-55210
Immediate Actions Required
- Upgrade FreePBX API module to version 17.0.5 or 16.0.17 immediately
- Review API access tokens currently issued and revoke any suspicious or unnecessary tokens
- Audit user permissions for REST/GraphQL API access and apply least-privilege principles
- Rotate the api-oauth.key if compromise is suspected
Patch Information
FreePBX has released patched versions that address this vulnerability by implementing proper OAuth2 scope validation for the GraphQL API. The fixes are available in:
- Version 17.0.5 for the 17.x branch (GitHub Commit d66786634e)
- Version 16.0.17 for the 16.x branch (GitHub Commit bc6f7d72063)
For detailed information, refer to the GitHub Security Advisory GHSA-gvgh-p7wj-76cf.
Workarounds
- Restrict API access to only essential users and services until patching is complete
- Implement network segmentation to limit access to FreePBX API endpoints
- Consider temporarily disabling REST/GraphQL API functionality if not critically needed
- Enforce strict file permissions on the api-oauth.key to limit read access
# Restrict permissions on the OAuth key file
chmod 600 /path/to/api-oauth.key
chown asterisk:asterisk /path/to/api-oauth.key
# Verify current API module version
fwconsole ma list | grep api
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
