module
FreePBX filestore authenticated command injection
| Disclosed | Created |
|---|---|
| Nov 8, 2025 | Mar 13, 2026 |
Description
This module exploits an authenticated command injection vulnerability (CVE-2025-64328) in the
FreePBX filestore module. The filestore module allows administrators to configure remote file
storage backends (SSH, FTP, etc.) for backup and file management purposes.

The vulnerability exists in the SSH driver's testconnection functionality, specifically in the
check_ssh_connect() function located at /admin/modules/filestore/drivers/SSH/testconnection.php.
The function accepts user-controlled input for the SSH key path parameter, which is then passed
unsanitized to exec() calls when generating SSH keys.

The vulnerable code executes commands such as:

exec("ssh-keygen -t ecdsa -b 521 -f $key -N \"\" && chown asterisk:asterisk $key && chmod 600 $key");

By injecting shell command substitution syntax (e.g., $(command)) into the key parameter, an
authenticated user can execute arbitrary commands on the underlying system with the privileges of
the web server process (typically the asterisk user).

This vulnerability affects filestore module versions 17.0.2.36 through 17.0.2.44 (introduced in
17.0.2.36, patched in 17.0.3). The module requires valid FreePBX credentials for a user account that
has access to the filestore module. The user must be in the "Filestore" group (administrator or
low-privilege user).

Note: Due to the vulnerable code structure, the injected command may be executed multiple times,
potentially resulting in multiple Meterpreter sessions.
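
A hardened form of the key-generation pattern described above, as an added example that is not FreePBX's patch and not code from this module. The function names and the key directory are hypothetical; the idea is to allow-list the key name, quote it for the shell, and replace the chained chown/chmod with PHP calls.

```php
<?php
// Added example, not FreePBX code. KEY_DIR and both function names are hypothetical.

const KEY_DIR = '/var/lib/example/keys';   // assumed directory for generated keys

/**
 * Accept only a bare file name built from safe characters and pin it to KEY_DIR.
 * Path separators, whitespace and shell metacharacters ($ ( ) ` ; & |) never match.
 */
function resolve_key_path(string $name): string
{
    // Leading '.' or '-' is refused so the name cannot be a dotfile or look like an option.
    if (!preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $name) || $name[0] === '.' || $name[0] === '-') {
        throw new InvalidArgumentException('invalid key name');
    }
    return KEY_DIR . '/' . $name;
}

/**
 * Generate the key pair without letting the shell interpret the path.
 */
function generate_key(string $name): string
{
    $key = resolve_key_path($name);
    // escapeshellarg() single-quotes the path, so $(...) would stay literal text
    // even if the validation above were ever loosened.
    $cmd = 'ssh-keygen -t ecdsa -b 521 -f ' . escapeshellarg($key) . " -N ''";
    exec($cmd, $output, $status);
    if ($status !== 0) {
        throw new RuntimeException('ssh-keygen failed');
    }
    // Ownership and mode are set with PHP calls instead of "&& chown ... && chmod ...",
    // which removes two further places where $key reached the shell.
    chown($key, 'asterisk');
    chgrp($key, 'asterisk');
    chmod($key, 0600);
    return $key;
}

// Constructed inputs: a normal name, the substitution syntax named in the
// description, a traversal attempt, and a name containing whitespace.
foreach (['backup_ecdsa', '$(command)', '../etc/x', 'a b'] as $candidate) {
    try {
        echo $candidate, ' => ', resolve_key_path($candidate), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $candidate, ' => rejected', PHP_EOL;
    }
}
```

Only the validation loop runs when the file is executed; generate_key() is defined but not called, so no key is written.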
Authors
Cory Billington
Valentin Lobstein
Platform
Linux,Unix
Architectures
cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':