Potential Fraud through Misc. Destination

Hi, I reported a bug in the FreePBX issue tracker as issues.freepbx.org/browse/FREEPBX-16293

But maybe someone will come up with a solution or some workaround faster, or will be warned and disable feature codes or misc destinations.

The situation is similar to the bug https://issues.freepbx.org/browse/FREEPBX-12058 but requires using a misc destination.
Generally, if someone (an attacker) establishes a connection from a cellphone and is routed through a misc destination, and someone (a person or queue etc.) answers that call, then the attacker can use feature code *2 or ## to redirect that call to some high paid numbers through the PBX. Answering the call is required to successfully redirect the call through the PBX.

This situation can be dangerous in multiple scenarios, like an IVR where one of the destinations is an emergency contact to someone on duty via a misc destination on a cellphone.

Or a more dangerous situation: an IVR where one of the destinations directs to a queue on a different PBX via a misc destination; that queue automatically answers the call and the attacker can redirect calls through our PBX.

This has nothing to do with Misc Destinations; you have configured your trunks with dial options that include Tt, which allow both the called and the calling party to transfer calls. As this is a common user misconfiguration, there are dialplan blocks in place to prevent malicious transfers, which you see with the ticket you linked; this was resolved about 18 months ago.

On current systems, this shouldn’t be possible, which is why I have requested you add a full call trace to your ticket.
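
An added example, not part of the original posts and not FreePBX code: a small audit that reads `Dial()` lines from a dialplan and reports where the `T`/`t` transfer options mentioned above are in effect, ignoring letters that only appear inside another option's parenthesised argument. The function names, the sample dialplan lines and the variable values are constructed for illustration.

```python
import re

VAR = re.compile(r"\$\{(\w+)\}")

def split_args(s):
    """Split Dial() arguments on commas that are not inside () or ${}."""
    args, cur, depth = [], [], 0
    for ch in s:
        if ch in "({":
            depth += 1
        elif ch in ")}":
            depth -= 1
        if ch == "," and depth == 0:
            args.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    args.append("".join(cur))
    return args

def transfer_flags(options, variables):
    """Return (T/t flags in effect, variable names that could not be resolved)."""
    unresolved = [n for n in VAR.findall(options) if n not in variables]
    expanded = VAR.sub(lambda m: variables.get(m.group(1), ""), options)
    flat, depth = [], 0
    for ch in expanded:          # drop option arguments such as U(sub^Tt)
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif depth == 0:
            flat.append(ch)
    return "".join(sorted(set(flat) & set("Tt"))), unresolved

def audit(lines, variables):
    """List (line number, flags, unresolved variables) for Dial() calls to review."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = re.search(r"\bDial\((.*)\)", line)
        if m:
            args = split_args(m.group(1))
            flags, unresolved = transfer_flags(args[2] if len(args) > 2 else "", variables)
            if flags or unresolved:
                findings.append((no, flags, unresolved))
    return findings

# Constructed sample input: dialplan lines and global variable values.
SAMPLE = ["exten => _X.,1,Dial(PJSIP/${EXTEN}@carrier,300,Tt)",
          "exten => 100,1,Dial(PJSIP/100,20,trU(sub-screen^Tt))",
          "exten => 200,1,Dial(PJSIP/200,20,rb(pre-dial^s^1))",
          "exten => _9X.,1,Dial(SIP/out/${EXTEN:1},,${TRUNK_OPTIONS})",
          "exten => 300,1,Dial(PJSIP/300,20,${UNKNOWN_OPTS})"]
SAMPLE_VARS = {"TRUNK_OPTIONS": "T"}
```

A line reported with unresolved variables needs a manual check, because its effective options depend on a value the script was not given.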

So it is a misconfiguration? Why does FreePBX put option Tt as default in trunk configuration? And this occurs only when calls are transferred through a misc destination. Other situations are not affected, like a normal call, follow me etc.
In my opinion, when I use a misc destination the PBX creates a new connection as if from an internal connection (where feature codes work) and passes the feature codes through from the external connection to that internal connection, and executes them as an internal connection.