PatchSiren cyber security CVE debrief
CVE-2025-64328 Sangoma CVE debrief
CVE-2025-64328 is a Sangoma FreePBX operating-system command injection vulnerability that CISA added to its Known Exploited Vulnerabilities catalog on 2026-02-03. That listing means the issue is considered actively exploited in the wild, so defensive action should be prioritized immediately. The supplied corpus does not include affected versions, CVSS scoring, or vendor advisory text, so remediation should follow the official vendor and CISA guidance linked below.
- Vendor: Sangoma
- Product: FreePBX
- CVSS: Unknown
- CISA KEV: Listed
- Original CVE published: 2026-02-03
- Original CVE updated: 2026-02-03
- Advisory published: 2026-02-03
- Advisory updated: 2026-02-03
Who should care
Security and IT teams responsible for Sangoma FreePBX deployments should prioritize this issue, especially administrators, vulnerability management teams, and incident response staff. If FreePBX is used in hosted or cloud environments, service owners should also review CISA’s guidance for cloud services and determine whether mitigations can be applied safely.
Technical summary
The available official sources describe CVE-2025-64328 as an OS command injection vulnerability in Sangoma FreePBX. CISA’s KEV catalog entry confirms known exploitation and assigns a remediation due date of 2026-02-24. No additional technical details, affected versions, or severity score are provided in the supplied corpus.
Defensive priority
Urgent. This is a known-exploited vulnerability in a communications platform, so exposure should be treated as a high-priority remediation item with immediate validation and mitigation planning.
Recommended defensive actions
- Confirm whether any FreePBX instances are in use, including hosted or cloud-managed deployments.
- Apply vendor-recommended mitigations as soon as they are available and validated.
- Track CISA’s KEV due date of 2026-02-24 as the remediation deadline.
- If mitigations are unavailable, discontinue use of the product or remove the exposed service as CISA directs.
- Review logs and security alerts for signs of compromise on affected systems.
- Coordinate with incident response and change management before making production changes.
Evidence notes
CISA’s Known Exploited Vulnerabilities catalog lists CVE-2025-64328 as a Sangoma FreePBX OS command injection vulnerability, with dateAdded 2026-02-03 and dueDate 2026-02-24. The supplied source metadata also points to the official CVE record and NVD detail page, but the corpus does not provide vendor advisory text, affected versions, or CVSS scoring.
Official resources
- CVE-2025-64328 CVE record (CVE.org)
- CVE-2025-64328 NVD detail (NVD)
- CISA Known Exploited Vulnerabilities catalog (CISA): Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Source item URL (cisa_kev)
Public known-exploitation advisory summary based on official CISA KEV and vulnerability record links. No exploit code, reproduction steps, or unsupported technical claims are included.