If we take the article content at face value (that they are exploiting a vulnerability as opposed to brute forcing a password on a poorly secured system) they probably refer to this vulnerability:
https://wiki.freepbx.org/display/FOP/2016-08-09+CVE+Remote+Command+Execution+with+Privileged+Escalation
That is the most recent exploit, but there was also one from 2014 in the long-deprecated Asterisk Recordings Interface (ARI). I’m speculating of course, because the authors have chosen not to share even the SLIGHTEST useful detail, only that it dates from 2018 and there was a fix at that time. Note the date in the wiki page: it is more than 3 years old.
As an aside, the authors don’t seem to be overly knowledgeable about PBX exploits specifically, in that they seem more concerned about ‘espionage’, leaking CDR records, generating outbound calls with spoofed CID, or listening to call recordings. While I suppose some organizations might be targeted for those types of activities, what we see in practice is ALWAYS traffic pumping, generating outbound calls to high-cost destinations.