FreePBX up to 15.0.12/16.0.14/17.0.2 OAuth hard-coded credentials

Summaryinfo

A vulnerability identified as critical has been detected in FreePBX up to 15.0.12/16.0.14/17.0.2. This affects an unknown part of the component OAuth. The manipulation leads to hard-coded credentials. This vulnerability is traded as CVE-2025-55739. It is possible to initiate the attack remotely. There is no exploit available. You should upgrade the affected component.

Detailsinfo

A vulnerability was found in FreePBX up to 15.0.12/16.0.14/17.0.2 and classified as critical. This issue affects some unknown functionality of the component OAuth. The manipulation with an unknown input leads to a hard-coded credentials vulnerability. Using CWE to declare the problem leads to CWE-798. The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

api is a module for FreePBX@, which is an open source GUI that controls and manages Asterisk© (PBX). In versions lower than 15.0.13, 16.0.2 through 16.0.14, 17.0.1 and 17.0.2, there is an identical OAuth private key used across multiple systems that installed the same FreePBX RPM or DEB package. An attacker with access to the shared OAuth private key could forge JWT tokens, bypass authentication, and potentially gain full access to both REST and GraphQL APIs. Systems with the "api" module enabled, configured and previously activated by an administrator for remote inbound connections may be affected. This issue is fixed in versions 15.0.13, 16.0.15 and 17.0.3.

The advisory is shared at github.com. The identification of this vulnerability is CVE-2025-55739 since 08/15/2025. The exploitation is known to be easy. The attack may be initiated remotely. It demands that the victim is doing some kind of user interaction. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1110.001 for this issue.

Upgrading to version 15.0.13, 16.0.15 or 17.0.3 eliminates this vulnerability. Applying the patch 305295aad38322c74cffd75bf550707dfb1a64a2 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Name

• FreePBX

Version

• 15.0.0
• 15.0.1
• 15.0.2
• 15.0.3
• 15.0.4
• 15.0.5
• 15.0.6
• 15.0.7
• 15.0.8
• 15.0.9
• 15.0.10
• 15.0.11
• 15.0.12
• 16.0.0
• 16.0.1
• 16.0.2
• 16.0.3
• 16.0.4
• 16.0.5
• 16.0.6
• 16.0.7
• 16.0.8
• 16.0.9
• 16.0.10
• 16.0.11
• 16.0.12
• 16.0.13
• 16.0.14
• 17.0.0
• 17.0.1
• 17.0.2

License

• open-source

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion