Hi, I reported a bug in the FreePBX issue tracker as issues.freepbx.org/browse/FREEPBX-16293
But maybe someone will come up with a solution or some workaround faster, or will be warned and disable feature codes or misc destinations.
The situation is similar to the bug https://issues.freepbx.org/browse/FREEPBX-12058 but requires using a misc destination.
Generally, if someone (an attacker) establishes a connection from a cellphone and is routed through a misc destination, and someone (a person, a queue, etc.) answers that call, then the attacker can use feature code *2 or ## to redirect that call to some high-paid numbers through the PBX. Answering the call is required to successfully redirect the call through the PBX.
This situation can be dangerous in multiple scenarios, like an IVR where one of the destinations is an emergency contact to someone on duty via a misc destination on a cellphone.
Or a more dangerous situation: an IVR where one of the destinations directs to a queue on a different PBX via a misc destination; that queue automatically answers the call and the attacker can redirect calls through our PBX.
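
A defender-side check related to the scenario in the post, as an added example that is not part of the original post or of FreePBX: it scans Asterisk dialplan text for Dial() calls whose options include T or t, the Dial() flags that let the calling or called party use the in-call DTMF transfer codes. The sample dialplan, its context names, trunk names, numbers and variable values are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: contexts, trunk names, numbers and values are made up.
SAMPLE = """\
[from-pstn-demo]
exten => 100,1,Dial(SIP/trunk-demo/5550100,30,${TRUNK_OPTIONS})
exten => 101,1,Dial(SIP/trunk-demo/5550101,30,rU(sub-Test^1))
[internal-demo]
exten => 200,1,Dial(SIP/200,20,tr)
"""
SAMPLE_GLOBALS = {"TRUNK_OPTIONS": "Tt"}

def split_args(argstr):
    """Split Dial() arguments on commas that are not inside (...) or {...}."""
    args, depth, cur = [], 0, ""
    for ch in argstr:
        depth += (ch in "({") - (ch in ")}")
        if ch == "," and depth == 0:
            args.append(cur)
            cur = ""
        else:
            cur += ch
    return args + [cur]

def bare_flags(options, variables):
    """Expand ${VAR} ('?' if unknown), then drop option arguments like U(...)."""
    s = re.sub(r"\$\{(\w+)\}", lambda m: variables.get(m.group(1), "?"), options)
    prev = None
    while prev != s:  # repeat so nested parentheses are removed too
        prev, s = s, re.sub(r"\([^()]*\)", "", s)
    return s

def audit(dialplan, variables=None):
    """Return (context, line_no, flags) for Dial() calls that allow DTMF transfer.
    T = caller may transfer, t = callee may transfer, ? = unresolved variable."""
    findings, context = [], None
    for n, line in enumerate(dialplan.splitlines(), 1):
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            context = line[1:-1]
        m = re.search(r"\bDial\((.*)\)\s*$", line)
        args = split_args(m.group(1)) if m else []
        flags = bare_flags(args[2], variables or {}) if len(args) > 2 else ""
        hits = [f for f in "Tt?" if f in flags]
        if hits:
            findings.append((context, n, hits))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, SAMPLE_GLOBALS))
```

A `?` in the result means the options come from a variable the script was not given, so its value has to be looked up before that Dial() call can be judged.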