CVE-2025-61675
published 2025-10-14

Priority P277 · high · 8.6 (CVSS 4.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT
EPSS: 38.96% (98.4th percentile)
FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions prior to 16.0.92 for FreePBX 16 and versions prior to 17.0.6 for FreePBX 17, the Endpoint Manager module contains authenticated SQL injection vulnerabilities affecting multiple parameters in the basestation, model, firmware, and custom extension configuration functionality areas. Authentication with a known username is required to exploit these vulnerabilities. Successful exploitation allows authenticated users to execute arbitrary SQL queries against the database, potentially enabling access to sensitive data or modification of database contents. This issue has been patched in version 16.0.92 for FreePBX 16 and version 17.0.6 for FreePBX 17.

Affected

2 ranges
Vendor    Product    Version range    Fixed in
freepbx   endpoint   < 16.0.92        16.0.92
freepbx   endpoint

Detection & IOCs (extracted from sources)

url: /admin/config.php?view=basefile
url: /admin/config.php?view=firmware
url: /admin/config.php?view=customExt
url: /admin/config.php?view=basestation
path: /admin/config.php
other: cron_jobs table SQL injection record injection for RCE
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via model Configuration (CVE-2025-61675)"; flow:established,to_server; http.uri; content:"/admin/config.php|3f|"; content:"view|3d|basefile"; fast_pattern; distance:0; http.request_body; pcre:"/(?:^|\x26)(?:model|brand|id|template|OID)\x3d[^\x26]*?[\x27\x22\x3b\x2d\x5c\x2a\x2f]/"; http.method; content:"POST"; reference:url,horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/; reference:cve,2025-61675; classtype:web-application-attack; sid:2066761; rev:1;)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via firmware Configuration (CVE-2025-61675)"; flow:established,to_server; http.uri; content:"/admin/config.php|3f|"; content:"view|3d|firmware"; fast_pattern; distance:0; http.request_body; pcre:"/(?:^|\x26)brand\x3d[^\x26]*?[\x27\x22\x3b\x2d\x5c\x2a\x2f]/"; http.method; content:"POST"; reference:url,horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/; reference:cve,2025-61675; classtype:web-application-attack; sid:2066760; rev:1;)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via extension Configuration (CVE-2025-61675)"; flow:established,to_server; http.uri; content:"/admin/config.php|3f|"; content:"view|3d|customExt"; fast_pattern; distance:0; http.request_body; pcre:"/(?:^|\x26)id\x3d[^\x26]*?[\x27\x22\x3b\x2d\x5c\x2a\x2f]/"; http.method; content:"POST"; reference:url,horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/; reference:cve,2025-61675; classtype:web-application-attack; sid:2066762; rev:1;)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via baseline Configuration (CVE-2025-61675)"; flow:established,to_server; http.uri; content:"/admin/config.php|3f|"; content:"view|3d|basestation"; fast_pattern; distance:0; http.request_body; pcre:"/(?:^|\x26)(?:name|brand|template|ac)\x3d[^\x26]*?[\x27\x22\x3b\x2d\x5c\x2a\x2f]/"; http.method; content:"POST"; reference:url,horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/; reference:cve,2025-61675; classtype:web-application-attack; sid:2066759; rev:1;)
  • Monitor POST requests to /admin/config.php with view=basestation containing SQLi characters (' " ; - \ * /) in the name, brand, template, or ac parameters (sid:2066759)
  • Monitor POST requests to /admin/config.php with view=firmware containing SQLi characters in the brand parameter (sid:2066760)
  • Monitor POST requests to /admin/config.php with view=basefile containing SQLi characters in model, brand, id, template, or OID parameters (sid:2066761)
  • Monitor POST requests to /admin/config.php with view=customExt containing SQLi characters in the id parameter (sid:2066762)
  • CVE-2025-61675 can be chained with CVE-2025-66039 (auth bypass via Webserver Authorization Mode) to achieve unauthenticated SQL injection; look for exploitation attempts without valid session credentials
  • Watch for new administrative user creation via SQL injection in the custom extension component, a post-exploitation indicator of the gather module
  • Monitor the cron_jobs database table for unexpected new entries, which may indicate RCE via SQL injection payload
  • Authentication is required to exploit CVE-2025-61675 in isolation; however, chaining with CVE-2025-66039 (auth bypass) removes this requirement when Webserver Authorization Mode is enabled
  • The auth bypass (CVE-2025-66039) only applies when the admin has enabled Webserver Authorization Mode; deployments not using this mode are not exposed to the unauthenticated attack chain
  • Snort rules reference TLSDecrypt metadata, meaning traffic inspection requires TLS decryption to be effective for HTTPS-protected FreePBX deployments
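
The four signatures and monitoring bullets above reduce to one check per view: a POST to /admin/config.php whose body carries a listed parameter with a value containing one of ' " ; - \ * /. The Python below is an added example (not from this page's sources or the rule authors) that applies the same mapping to already-captured requests, such as a proxy log with decrypted bodies; it goes one step beyond the rules by percent-decoding values first, and the function names and sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# view value -> (body parameters inspected, signature id), as listed on this page
RULES = {
    "basestation": (("name", "brand", "template", "ac"), 2066759),
    "firmware": (("brand",), 2066760),
    "basefile": (("model", "brand", "id", "template", "OID"), 2066761),
    "customExt": (("id",), 2066762),
}
# Same character class as the rules' pcre: ' " ; - \ * /
SQLI_CHARS = re.compile(r"""['";\-\\*/]""")

def match_request(method, uri, body):
    """Return [(sid, param, decoded_value), ...] for one HTTP request."""
    if method != "POST":
        return []
    parts = urlsplit(uri)
    if parts.path != "/admin/config.php":
        return []
    view = dict(parse_qsl(parts.query, keep_blank_values=True)).get("view")
    rule = RULES.get(view)
    if rule is None:
        return []
    params, sid = rule
    # parse_qsl percent-decodes, so %27 is inspected as '; the pcre lists literal characters only
    return [(sid, key, value)
            for key, value in parse_qsl(body, keep_blank_values=True)
            if key in params and SQLI_CHARS.search(value)]

def triage(requests):
    """requests: iterable of (method, uri, body). Returns {sid: [(param, value), ...]}."""
    hits = {}
    for method, uri, body in requests:
        for sid, key, value in match_request(method, uri, body):
            hits.setdefault(sid, []).append((key, value))
    return hits

SAMPLE = [  # constructed requests, not captured traffic
    ("POST", "/admin/config.php?view=firmware", "brand=acme%27"),
    ("POST", "/admin/config.php?view=basestation", "name=lobby-base&ac=1"),
    ("POST", "/admin/config.php?view=basefile", "brand=acme&model=T46"),
    ("GET", "/admin/config.php?view=customExt", "id=1'"),
    ("POST", "/admin/config.php?view=customExt", "id=7&note=a/b"),
]

if __name__ == "__main__":
    for sid, found in sorted(triage(SAMPLE).items()):
        print(sid, found)
```

Because hyphen and slash are in the character class, ordinary values such as a hyphenated base-station name also match; treat hits as triage leads to correlate with session and database evidence rather than as confirmed injection.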