The FreePBX default feature code for the Asterisk Built-in Attended Transfer feature is *2. The default Asterisk Dial Options configured under Advanced Settings include Tt, which allows the calling and the called party to transfer calls.
If these defaults are not changed by the administrator, they can be easily exploited by external callers dialing into the system.
The following describes the scenario where these defaults can be exploited:
From the perspective of the user answering the initial call (extension, operator, etc.), the phone rings, they answer it, and almost immediately hear music on hold, so they hang up.
The version of FreePBX installed and used on the UCx platform prior to April 20, 2016 does have this security vulnerability. Perform a Software Update on your UCx system to pick up the fix for this issue implemented in the following versions of FreePBX:
With this fix, the transfer feature *2 is disallowed for external inbound callers.
If you want to re-enable this capability, there is a new setting called Disallow Transfers for Inbound Callers under the Advanced Settings page. The default value for this setting is True.
You can choose to work around this security issue by changing the default feature code for Asterisk Built-in Attended Transfer from *2 to something else. The external caller will not know how to invoke the transfer feature and will therefore be unable to use it to make calls.
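As an added illustration of the defaults described above and of what the fix amounts to, here is the same setup in raw Asterisk configuration; this is not FreePBX's generated dialplan (which is managed from the GUI and should not be hand-edited), and the context names and extension 201 are assumed:

```ini
; features.conf - the default attended-transfer feature code the article refers to
[featuremap]
atxfer => *2

; extensions.conf - WEAK: inbound trunk calls are bridged with the default "Tt".
; In Dial(), "T" lets the CALLING party use the transfer features and "t" lets
; the CALLED party use them. On an inbound call the calling party is the
; untrusted external caller, so "T" is what lets them press *2 and transfer
; the call to any destination the dialplan will reach.
[from-trunk-weak]
exten => _X.,1,Answer()
 same => n,Dial(SIP/201,20,Tt)
 same => n,Hangup()

; HARDENED: drop "T" for calls arriving from outside. The internal user on
; 201 can still transfer ("t"), but the external caller can no longer do so.
[from-trunk-hardened]
exten => _X.,1,Answer()
 same => n,Dial(SIP/201,20,t)
 same => n,Hangup()

; Internal extension-to-extension calls keep "Tt": both parties are trusted
; users, which is the case the default dial options were designed for.
[from-internal]
exten => _2XX,1,Dial(SIP/${EXTEN},20,Tt)
 same => n,Hangup()
```

After editing, reload the dialplan (`asterisk -rx "dialplan reload"`) and place a test call from an outside line to confirm that *2 no longer triggers music on hold for the external caller.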