New FreePBX 17 bash installer - limiting permissions

May I submit that I think some of you guys are being, well, jerks about this?

This is beta code, is it not? It is pretty common in software development to develop beta code in an environment where all security is turned off - essentially running as root. That way your developers are actually focused on fixing REAL code issues, not chasing down a rabbit hole that’s caused by someone forgetting to chmod a+RW a scratchpad directory or some such.

"Get the code working first, then secure it" is common operating procedure among devs. It’s better to have a full-time security officer whose JOB is breaking into stuff, audit the code after the fact with proper tools. Yes yes I know we would all be in Eden if all programmers who wrote code were security experts and didn’t use APIs without boundary checking on user interface input and suchlike, but we aren’t.

I’d also point out that having the FreePBX configuration interface accessible to 0.0.0.0/0 on your internal LAN is flipping insecure and stupid anyway. That should be locked down to only the IP addresses used by your IT group at the very least. Even Cisco got nailed by that vulnerability with their older UCM/CallManager interface, which has unfixed vulnerabilities in it.