Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-67736

CVE-2025-67736: Sangoma FreePBX TTS Module SQLi Flaw

CVE-2025-67736 is a SQL injection vulnerability in Sangoma FreePBX TTS module affecting versions before 16.0.5 and 17.0.5. Authenticated admins can exploit this to extract data and escalate to root. This post covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-67736 Overview

CVE-2025-67736 is a SQL injection vulnerability [CWE-89] in the FreePBX Text-to-Speech (TTS) module. FreePBX is an open-source web-based graphical user interface (GUI) that manages the Asterisk telephony platform. Authenticated administrators of the Administrator Control Panel (ACP) can inject SQL through the TTS module in versions prior to 16.0.5 and 17.0.5. Successful exploitation extracts sensitive database content and enables code execution as the asterisk user, with a documented chain to escalate to root. Sangoma has released fixed versions to remediate the issue.

Critical Impact

Authenticated administrators can pivot from SQL injection to full root-level command execution on FreePBX servers, compromising voice infrastructure and call data.

Affected Products

  • Sangoma FreePBX TTS module versions prior to 16.0.5
  • Sangoma FreePBX TTS module versions prior to 17.0.5
  • FreePBX deployments managing Asterisk with the TTS module enabled

Discovery Timeline

  • 2025-12-16 - CVE-2025-67736 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-67736

Vulnerability Analysis

The FreePBX TTS module fails to properly sanitize input supplied through the ACP before incorporating it into SQL statements. An authenticated administrator can manipulate request parameters to break out of the intended query context. The injected SQL executes against the FreePBX database, which stores extension credentials, SIP secrets, voicemail data, and configuration metadata. Beyond data exfiltration, the advisory confirms attackers can leverage the database access to write or modify files processed by the asterisk user. From there, documented privilege escalation paths within FreePBX environments allow elevation to root. The vulnerability requires high privileges (administrator) but no user interaction and is reachable over the network through the ACP web interface.

Root Cause

The root cause is improper neutralization of special elements used in an SQL command [CWE-89] within the TTS module's request handlers. User-controlled input is concatenated into SQL queries rather than passed through parameterized statements or strict input validation.

Attack Vector

An attacker first obtains valid administrator credentials for the ACP, either through credential theft, weak password reuse, or compromise of an existing admin account. The attacker then submits crafted parameters to the TTS module endpoints, embedding SQL payloads that execute within the FreePBX database context. After establishing data exfiltration, the attacker uses gained context to drop or modify files executable by asterisk and then chains a separate FreePBX privilege escalation to reach root.

No verified proof-of-concept code is publicly available. Refer to the GitHub Security Advisory for vendor-supplied technical details.

Detection Methods for CVE-2025-67736

Indicators of Compromise

  • Unexpected entries or modifications in FreePBX MySQL/MariaDB tables associated with the TTS module
  • New or modified files under /var/lib/asterisk/, /var/www/html/admin/, or other asterisk-writable paths
  • Outbound connections from the FreePBX host to unfamiliar destinations following ACP administrator activity
  • ACP access logs showing TTS module requests containing SQL metacharacters such as single quotes, UNION, or SELECT

Detection Strategies

  • Inspect Apache or Nginx access logs for HTTP requests to TTS module endpoints containing SQL syntax tokens
  • Enable MySQL/MariaDB general query logging temporarily to identify malformed or unusual statements originating from the FreePBX application user
  • Correlate administrator login events with subsequent shell or file modification activity attributed to the asterisk user

Monitoring Recommendations

  • Forward FreePBX web server, database, and Asterisk logs to a centralized logging platform for retention and correlation
  • Alert on creation of new ACP administrator accounts and on configuration changes outside maintenance windows
  • Monitor process execution under the asterisk user account for unexpected shells, compilers, or network utilities

How to Mitigate CVE-2025-67736

Immediate Actions Required

  • Upgrade the FreePBX TTS module to version 16.0.5 or 17.0.5 or later
  • Rotate ACP administrator credentials and review the administrator account list for unauthorized additions
  • Restrict access to the ACP interface to trusted management networks via firewall or VPN controls
  • Audit the FreePBX database, Asterisk configuration files, and webroot for signs of tampering

Patch Information

Sangoma released fixed versions 16.0.5 and 17.0.5 of the TTS module. Apply the update through the FreePBX Module Admin interface or via the fwconsole ma upgrade tts command. Review the FreePBX Security Updates Blog and the GitHub Security Advisory for full release details.

Workarounds

  • Disable or uninstall the TTS module on FreePBX servers where the feature is not required until patching is complete
  • Limit ACP access to specific source IP addresses through web server access controls or network ACLs
  • Enforce strong, unique passwords and multi-factor authentication for all FreePBX administrator accounts
bash
# Upgrade the FreePBX TTS module from the command line
fwconsole ma upgrade tts
fwconsole reload

# Verify the installed module version
fwconsole ma list | grep tts

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.