CVE-2025-67736 Overview
CVE-2025-67736 is a SQL injection vulnerability [CWE-89] in the FreePBX Text-to-Speech (TTS) module. FreePBX is an open-source web-based graphical user interface (GUI) that manages the Asterisk telephony platform. Authenticated administrators of the Administrator Control Panel (ACP) can inject SQL through the TTS module in versions prior to 16.0.5 and 17.0.5. Successful exploitation extracts sensitive database content and enables code execution as the asterisk user, with a documented chain to escalate to root. Sangoma has released fixed versions to remediate the issue.
Critical Impact
Authenticated administrators can pivot from SQL injection to full root-level command execution on FreePBX servers, compromising voice infrastructure and call data.
Affected Products
- Sangoma FreePBX TTS module versions prior to 16.0.5
- Sangoma FreePBX TTS module versions prior to 17.0.5
- FreePBX deployments managing Asterisk with the TTS module enabled
Discovery Timeline
- 2025-12-16 - CVE-2025-67736 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-67736
Vulnerability Analysis
The FreePBX TTS module fails to properly sanitize input supplied through the ACP before incorporating it into SQL statements. An authenticated administrator can manipulate request parameters to break out of the intended query context. The injected SQL executes against the FreePBX database, which stores extension credentials, SIP secrets, voicemail data, and configuration metadata. Beyond data exfiltration, the advisory confirms attackers can leverage the database access to write or modify files processed by the asterisk user. From there, documented privilege escalation paths within FreePBX environments allow elevation to root. The vulnerability requires high privileges (administrator) but no user interaction and is reachable over the network through the ACP web interface.
Root Cause
The root cause is improper neutralization of special elements used in an SQL command [CWE-89] within the TTS module's request handlers. User-controlled input is concatenated into SQL queries rather than passed through parameterized statements or strict input validation.
Attack Vector
An attacker first obtains valid administrator credentials for the ACP, either through credential theft, weak password reuse, or compromise of an existing admin account. The attacker then submits crafted parameters to the TTS module endpoints, embedding SQL payloads that execute within the FreePBX database context. After establishing data exfiltration, the attacker uses gained context to drop or modify files executable by asterisk and then chains a separate FreePBX privilege escalation to reach root.
No verified proof-of-concept code is publicly available. Refer to the GitHub Security Advisory for vendor-supplied technical details.
Detection Methods for CVE-2025-67736
Indicators of Compromise
- Unexpected entries or modifications in FreePBX MySQL/MariaDB tables associated with the TTS module
- New or modified files under /var/lib/asterisk/, /var/www/html/admin/, or other asterisk-writable paths
- Outbound connections from the FreePBX host to unfamiliar destinations following ACP administrator activity
- ACP access logs showing TTS module requests containing SQL metacharacters such as single quotes, UNION, or SELECT
Detection Strategies
- Inspect Apache or Nginx access logs for HTTP requests to TTS module endpoints containing SQL syntax tokens
- Enable MySQL/MariaDB general query logging temporarily to identify malformed or unusual statements originating from the FreePBX application user
- Correlate administrator login events with subsequent shell or file modification activity attributed to the asterisk user
Monitoring Recommendations
- Forward FreePBX web server, database, and Asterisk logs to a centralized logging platform for retention and correlation
- Alert on creation of new ACP administrator accounts and on configuration changes outside maintenance windows
- Monitor process execution under the asterisk user account for unexpected shells, compilers, or network utilities
How to Mitigate CVE-2025-67736
Immediate Actions Required
- Upgrade the FreePBX TTS module to version 16.0.5 or 17.0.5 or later
- Rotate ACP administrator credentials and review the administrator account list for unauthorized additions
- Restrict access to the ACP interface to trusted management networks via firewall or VPN controls
- Audit the FreePBX database, Asterisk configuration files, and webroot for signs of tampering
Patch Information
Sangoma released fixed versions 16.0.5 and 17.0.5 of the TTS module. Apply the update through the FreePBX Module Admin interface or via the fwconsole ma upgrade tts command. Review the FreePBX Security Updates Blog and the GitHub Security Advisory for full release details.
Workarounds
- Disable or uninstall the TTS module on FreePBX servers where the feature is not required until patching is complete
- Limit ACP access to specific source IP addresses through web server access controls or network ACLs
- Enforce strong, unique passwords and multi-factor authentication for all FreePBX administrator accounts
# Upgrade the FreePBX TTS module from the command line
fwconsole ma upgrade tts
fwconsole reload
# Verify the installed module version
fwconsole ma list | grep tts
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

