cbcvebase.
CVE-2025-61678
published 2025-10-14


Priority: P279 (high)
CVSS 4.0 score: 8.6
CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Exploit: public exploit available
EPSS: 50.16% (98.8th percentile)
FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions prior to 16.0.92 for FreePBX 16 and versions prior to 17.0.6 for FreePBX 17, the Endpoint Manager module contains an authenticated arbitrary file upload vulnerability affecting the fwbrand parameter. The fwbrand parameter allows an attacker to change the file path. Combined, these issues can result in a webshell being uploaded. Authentication with a known username is required to exploit this vulnerability. Successful exploitation allows authenticated users to upload arbitrary files to attacker-controlled paths on the server, potentially leading to remote code execution. This issue has been patched in version 16.0.92 for FreePBX 16 and version 17.0.6 for FreePBX 17.

Affected (2 ranges)

Vendor    Product      Version range   Fixed in
freepbx   endpointman  < 16.0.92       16.0.92
freepbx   endpointman  < 17.0.6        17.0.6

Detection & IOCs (extracted from sources)

other: Authorization: Basic cmfuzg9to (forged Basic auth header prefix)
path: /admin/*.php?
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FreePBX Authentication Bypass via Forged Authorization Header (CVE-2025-61678)"; flow:established,to_server; http.uri; content:"/admin/"; startswith; content:"|2e|php|3f|"; http.header; to_lowercase; content:"authorization|3a 20|basic cmfuzg9to"; fast_pattern; http.method; content:"POST"; reference:url,horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/; reference:cve,2025-61678; classtype:web-application-attack; sid:2067123; rev:1; metadata:affected_product FreePBX, attack_target Server, tls_state TLSDecrypt, created_at 2026_01_27, cve CVE_2025_61678, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2026_01_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Look for HTTP POST requests to /admin/*.php? URIs (URI contains /admin/ at start and .php? — bytes |2e|php|3f|) combined with a forged Basic Authorization header beginning with 'basic cmfuzg9to' (case-insensitive). This pattern is the exploitation fingerprint for the authentication bypass chained with the file upload.
  • The fwbrand parameter is the injection point for path traversal in the firmware upload functionality. Monitor multipart POST requests containing a fwbrand parameter with directory traversal sequences (e.g., ../) targeting the Endpoint Manager module.
  • CVE-2025-61678 is chained with CVE-2025-66039 (authentication bypass via Webserver Authorization Mode) in the Metasploit module to achieve unauthenticated RCE. Detections should consider both the auth bypass header and the subsequent file upload in the same session.
  • A public Metasploit module (freepbx_firmware_file_upload) exists for this CVE chain. Expect automated exploitation attempts; monitor for the module's characteristic request patterns against FreePBX admin interfaces.
  • The Snort/Suricata rule (ET sid:2067123) includes a 'tls_state TLSDecrypt' metadata tag, meaning it will only fire on TLS-decrypted traffic. Deployments without SSL/TLS inspection will miss encrypted exploitation attempts.
  • The authentication bypass (CVE-2025-66039) only applies when FreePBX is configured to use 'Webserver Authorization Mode'. Instances not using this mode are not vulnerable to the unauthenticated attack path, but CVE-2025-61678 (file upload) still requires valid credentials.
  • Exploitation of CVE-2025-61678 alone requires authentication with a known username. The unauthenticated RCE scenario requires chaining with CVE-2025-66039 and Webserver Authorization Mode being enabled.
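To show how the two indicators above combine into a per-request check, here is an added Python example (written for this page, not code from FreePBX, Emerging Threats or the cited sources) that applies the ET rule's conditions and the fwbrand traversal check to raw HTTP requests; the sample requests, URIs, multipart boundary and header values are constructed placeholders.

```python
import re

# Conditions taken from ET sid:2067123 and the bullets above.
FORGED_AUTH_PREFIX = "basic cmfuzg9to"            # compared against the lowercased header
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# Value of a multipart field named fwbrand (CRLF or LF line endings).
FWBRAND_FIELD = re.compile(r'name="fwbrand"\r?\n\r?\n(.*?)\r?\n', re.DOTALL)

def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, uri, headers, body); header names lowercased."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body

def detect(raw: str):
    """Return the names of the indicators that fire on one request (empty list if none)."""
    method, uri, headers, body = parse_request(raw)
    hits = []
    auth = headers.get("authorization", "").lower()
    # Same logic as the Snort rule: POST to /admin/*.php? carrying the forged Basic prefix.
    if (method == "POST" and uri.startswith("/admin/") and ".php?" in uri
            and auth.startswith(FORGED_AUTH_PREFIX)):
        hits.append("forged_auth_header")
    # Second bullet: a multipart POST whose fwbrand field contains ../ sequences.
    ctype = headers.get("content-type", "").lower()
    if method == "POST" and ctype.startswith("multipart/form-data"):
        m = FWBRAND_FIELD.search(body)
        if m and TRAVERSAL.search(m.group(1).strip()):
            hits.append("fwbrand_traversal")
    return hits

# Constructed sample traffic (not captured data): URI, boundary and credentials are placeholders.
BODY_TRAVERSAL = ("--B\r\nContent-Disposition: form-data; name=\"fwbrand\"\r\n\r\n../../constructed\r\n"
                  "--B\r\nContent-Disposition: form-data; name=\"file\"; filename=\"f.txt\"\r\n\r\nx\r\n--B--\r\n")
BODY_BENIGN = BODY_TRAVERSAL.replace("../../constructed", "brandname")
SAMPLE_CHAIN = ("POST /admin/ajax.php?placeholder=1 HTTP/1.1\r\nHost: pbx.example\r\n"
                "Authorization: Basic cmfuzg9toCONSTRUCTED\r\n"
                "Content-Type: multipart/form-data; boundary=B\r\n\r\n" + BODY_TRAVERSAL)
SAMPLE_BENIGN = ("POST /admin/ajax.php?placeholder=1 HTTP/1.1\r\nHost: pbx.example\r\n"
                 "Authorization: Basic YWRtaW46c2VjcmV0\r\n"   # constructed "admin:secret"
                 "Content-Type: multipart/form-data; boundary=B\r\n\r\n" + BODY_BENIGN)

if __name__ == "__main__":
    for name, req in (("chain", SAMPLE_CHAIN), ("benign", SAMPLE_BENIGN)):
        print(name, detect(req))
```

As the last bullet notes, a hit on the forged header alone points at the CVE-2025-66039 bypass path, while a fwbrand traversal hit under a valid Authorization header is the authenticated CVE-2025-61678 case.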