CVE-2025-61675
Published 2025-10-14
Priority P2 · 77 · high · 8.6 (CVSS 4.0)
CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT
EPSS: 38.96% (98.4th percentile)
FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions prior to 16.0.92 for FreePBX 16 and versions prior to 17.0.6 for FreePBX 17, the Endpoint Manager module contains authenticated SQL injection vulnerabilities affecting multiple parameters in the basestation, model, firmware, and custom extension configuration functionality areas. Authentication with a known username is required to exploit these vulnerabilities. Successful exploitation allows authenticated users to execute arbitrary SQL queries against the database, potentially enabling access to sensitive data or modification of database contents. This issue has been patched in version 16.0.92 for FreePBX 16 and version 17.0.6 for FreePBX 17.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| freepbx | endpoint | < 16.0.92 | 16.0.92 |
| freepbx | endpoint | — | — |
Detection & IOCs
- url: /admin/config.php?view=basefile
- url: /admin/config.php?view=firmware
- url: /admin/config.php?view=customExt
- url: /admin/config.php?view=basestation
- path: /admin/config.php
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via model Configuration (CVE-2025-61675)"; flow:established,to_server; http.uri; content:"/admin/config.php|3f|"; content:"view|3d|basefile"; fast_pattern; distance:0; http.request_body; pcre:"/(?:^|\x26)(?:model|brand|id|template|OID)\x3d[^\x26]*?[\x27\x22\x3b\x2d\x5c\x2a\x2f]/"; http.method; content:"POST"; reference:url,horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/; reference:cve,2025-61675; classtype:web-application-attack; sid:2066761; rev:1;)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via firmware Configuration (CVE-2025-61675)"; flow:established,to_server; http.uri; content:"/admin/config.php|3f|"; content:"view|3d|firmware"; fast_pattern; distance:0; http.request_body; pcre:"/(?:^|\x26)brand\x3d[^\x26]*?[\x27\x22\x3b\x2d\x5c\x2a\x2f]/"; http.method; content:"POST"; reference:url,horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/; reference:cve,2025-61675; classtype:web-application-attack; sid:2066760; rev:1;)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via extension Configuration (CVE-2025-61675)"; flow:established,to_server; http.uri; content:"/admin/config.php|3f|"; content:"view|3d|customExt"; fast_pattern; distance:0; http.request_body; pcre:"/(?:^|\x26)id\x3d[^\x26]*?[\x27\x22\x3b\x2d\x5c\x2a\x2f]/"; http.method; content:"POST"; reference:url,horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/; reference:cve,2025-61675; classtype:web-application-attack; sid:2066762; rev:1;)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via baseline Configuration (CVE-2025-61675)"; flow:established,to_server; http.uri; content:"/admin/config.php|3f|"; content:"view|3d|basestation"; fast_pattern; distance:0; http.request_body; pcre:"/(?:^|\x26)(?:name|brand|template|ac)\x3d[^\x26]*?[\x27\x22\x3b\x2d\x5c\x2a\x2f]/"; http.method; content:"POST"; reference:url,horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/; reference:cve,2025-61675; classtype:web-application-attack; sid:2066759; rev:1;)
- Monitor POST requests to /admin/config.php with view=basestation containing SQLi characters (' " ; - \ * /) in the name, brand, template, or ac parameters (sid:2066759)
- Monitor POST requests to /admin/config.php with view=firmware containing SQLi characters in the brand parameter (sid:2066760)
- Monitor POST requests to /admin/config.php with view=basefile containing SQLi characters in the model, brand, id, template, or OID parameters (sid:2066761)
- Monitor POST requests to /admin/config.php with view=customExt containing SQLi characters in the id parameter (sid:2066762)
- CVE-2025-61675 can be chained with CVE-2025-66039 (auth bypass via Webserver Authorization Mode) to achieve unauthenticated SQL injection; look for exploitation attempts without valid session credentials
- Watch for new administrative user creation via SQL injection in the custom extension component, a post-exploitation indicator of the gather module
- Monitor the cron_jobs database table for unexpected new entries, which may indicate RCE via SQL injection payload
- Authentication is required to exploit CVE-2025-61675 in isolation; however, chaining with CVE-2025-66039 (auth bypass) removes this requirement when Webserver Authorization Mode is enabled
- The auth bypass (CVE-2025-66039) only applies when the admin has enabled Webserver Authorization Mode; deployments not using this mode are not exposed to the unauthenticated attack chain
- Snort rules reference TLSDecrypt metadata, meaning traffic inspection requires TLS decryption to be effective for HTTPS-protected FreePBX deployments
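The four monitoring conditions above, re-expressed as an offline triage function for requests already captured in proxy or WAF logs. This is an added example, not part of the ET ruleset or FreePBX; the name `match_sids` and the sample requests are constructed for illustration. The last sample shows that a benign hyphenated value also meets the rule condition, because `-` is in the rules' character class, so hits need review before escalation.

```python
import re

# Character class copied from the rules' pcre: ' " ; - \ * /
SQLI_CHARS = r"[\x27\x22\x3b\x2d\x5c\x2a\x2f]"

# sid -> (view value in the URI, body parameters the rule inspects)
RULES = {
    2066759: ("basestation", ("name", "brand", "template", "ac")),
    2066760: ("firmware", ("brand",)),
    2066761: ("basefile", ("model", "brand", "id", "template", "OID")),
    2066762: ("customExt", ("id",)),
}


def _body_re(params):
    # Same shape as the rules: a listed parameter at the start of the body
    # or after '&', then a flagged character before the next '&'.
    names = "|".join(params)
    return re.compile(r"(?:^|\x26)(?:" + names + r")\x3d[^\x26]*?" + SQLI_CHARS)


COMPILED = {sid: (view, _body_re(p)) for sid, (view, p) in RULES.items()}


def match_sids(method, uri, body):
    """Return the sorted sids whose conditions a captured request meets."""
    if method != "POST":
        return []
    marker = "/admin/config.php?"
    pos = uri.find(marker)
    if pos < 0:
        return []
    query = uri[pos + len(marker):]  # 'view=' must follow the marker
    return sorted(
        sid for sid, (view, body_re) in COMPILED.items()
        if "view=" + view in query and body_re.search(body)
    )


# Constructed sample requests (method, URI, raw form body).
SAMPLES = [
    ("POST", "/admin/config.php?view=customExt", "id=1'"),
    ("POST", "/admin/config.php?view=firmware", "brand=acme"),
    ("GET", "/admin/config.php?view=customExt", "id=1'"),
    ("POST", "/admin/config.php?view=basefile", "note=a'b&model=d785"),
    ("POST", "/admin/config.php?view=basestation", "name=lobby&brand=vendor-x"),
]

if __name__ == "__main__":
    for method, uri, body in SAMPLES:
        print(method, uri, repr(body), "->", match_sids(method, uri, body))
```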
No advisories linked to this vulnerability.
Suricata
ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via model Configuration (CVE-2025-61675)
suricata·2026-01-15·CVSS 8.6
CVE-2025-61675 [HIGH] ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via model Configuration (CVE-2025-61675)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via model Configuration (CVE-2025-61675)"; flow:established,to_server; http.uri; content:"/admin/config.php|3f|"; content:"view|3d|basefile"; fast_pattern; distance:0; http.request_body; pcre:"/(?:^|\x26)(?:model|brand|id|template|OID)\x3d[^\x26]*?[\x27\x22\x3b\x2d\x5c\x2a\x2f]/"; http.method; content:"POST"; reference:url,horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/; reference:cve,2025-61675; classtype:web-application-attack; sid:2066761; rev:1; metadata:affected_product FreePBX, attack_target Server, tls_state TLSDecrypt, created_at 2026_01_15, cve CVE_2
Suricata
ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via firmware Configuration (CVE-2025-61675)
suricata·2026-01-15·CVSS 8.6
CVE-2025-61675 [HIGH] ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via firmware Configuration (CVE-2025-61675)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via firmware Configuration (CVE-2025-61675)"; flow:established,to_server; http.uri; content:"/admin/config.php|3f|"; content:"view|3d|firmware"; fast_pattern; distance:0; http.request_body; pcre:"/(?:^|\x26)brand\x3d[^\x26]*?[\x27\x22\x3b\x2d\x5c\x2a\x2f]/"; http.method; content:"POST"; reference:url,horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/; reference:cve,2025-61675; classtype:web-application-attack; sid:2066760; rev:1; metadata:affected_product FreePBX, attack_target Server, tls_state TLSDecrypt, created_at 2026_01_15, cve CVE_2025_61675, deploymen
Suricata
ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via extension Configuration (CVE-2025-61675)
suricata·2026-01-15·CVSS 8.6
CVE-2025-61675 [HIGH] ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via extension Configuration (CVE-2025-61675)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via extension Configuration (CVE-2025-61675)"; flow:established,to_server; http.uri; content:"/admin/config.php|3f|"; content:"view|3d|customExt"; fast_pattern; distance:0; http.request_body; pcre:"/(?:^|\x26)id\x3d[^\x26]*?[\x27\x22\x3b\x2d\x5c\x2a\x2f]/"; http.method; content:"POST"; reference:url,horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/; reference:cve,2025-61675; classtype:web-application-attack; sid:2066762; rev:1; metadata:affected_product FreePBX, attack_target Server, tls_state TLSDecrypt, created_at 2026_01_15, cve CVE_2025_61675, deploymen
Suricata
ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via baseline Configuration (CVE-2025-61675)
suricata·2026-01-15·CVSS 8.6
CVE-2025-61675 [HIGH] ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via baseline Configuration (CVE-2025-61675)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via baseline Configuration (CVE-2025-61675)"; flow:established,to_server; http.uri; content:"/admin/config.php|3f|"; content:"view|3d|basestation"; fast_pattern; distance:0; http.request_body; pcre:"/(?:^|\x26)(?:name|brand|template|ac)\x3d[^\x26]*?[\x27\x22\x3b\x2d\x5c\x2a\x2f]/"; http.method; content:"POST"; reference:url,horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/; reference:cve,2025-61675; classtype:web-application-attack; sid:2066759; rev:1; metadata:affected_product FreePBX, attack_target Server, tls_state TLSDecrypt, created_at 2026_01_15, cve C
Metasploit
FreePBX endpoint SQLi to RCE
metasploit·CVSS 8.6
CVE-2025-66039 [HIGH] FreePBX endpoint SQLi to RCE
FreePBX is an open-source IP PBX management tool that provides a modern phone system for businesses that use VoIP to make and receive phone calls. Versions before 16.0.44 and 17.0.23 are vulnerable to CVE-2025-66039, while versions before 16.0.92 and 17.0.6 are vulnerable to CVE-2025-61675. The former represents an authentication bypass: when FreePBX uses Webserver Authorization Mode (an option the admin can enable), it allows an attacker to authenticate as any user. The latter CVE describes multiple SQL injections; this module exploits the SQL injection in the custom extension component. The module chains these vulnerabilities into an unauthenticated SQL injection attack and gains remote code execution by injecting an SQL record into the cron_jobs table. The c
Metasploit
FreePBX Custom Extension SQL Injection
metasploit·CVSS 8.6
CVE-2025-66039 [HIGH] FreePBX Custom Extension SQL Injection
FreePBX versions prior to 16.0.44, 16.0.92 and 17.0.23, 17.0.6 are vulnerable to multiple CVEs, specifically CVE-2025-66039 and CVE-2025-61675, in the context of this module. The versions before 16.0.44 and 17.0.23 are vulnerable to CVE-2025-66039, while versions before 16.0.92 and 17.0.6 are vulnerable to CVE-2025-61675. The former represents an authentication bypass: when FreePBX uses Webserver Authorization Mode (an option the admin can enable), it allows an attacker to authenticate as any user. The latter CVE describes multiple SQL injections; this module exploits the SQL injection in the custom extension component. The module chains these vulnerabilities into an unauthenticated SQL injection attack that creates a new administrative user.
Published: 2025-10-14