CVE-2025-66039
Published 2025-12-09
Priority: P1 · 80 · critical 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: EXPLOIT
EPSS: 2.98% (85.6th percentile)
FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Affected versions are vulnerable to authentication bypass when the authentication type is set to "webserver". When a request carries an Authorization header with an arbitrary value, a session is associated with the target user regardless of whether the credentials are valid. This issue is fixed in versions 16.0.44 and 17.0.23.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| freepbx | framework | < 16.0.44 | 16.0.44 |
| freepbx | framework | — | — |
| sangoma | freepbx | < 16.0.44 | 16.0.44 |
| sangoma | freepbx | >= 17.0.1 < 17.0.23 | 17.0.23 |
Detection & IOCs (extracted from sources)

URLs:
- /admin/config.php?view=basefile
- /admin/config.php?view=firmware
- /admin/

Snort rule (sid 2066761):
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via model Configuration (CVE-2025-61675)"; flow:established,to_server; http.uri; content:"/admin/config.php|3f|"; content:"view|3d|basefile"; fast_pattern; distance:0; http.request_body; pcre:"/(?:^|\x26)(?:model|brand|id|template|OID)\x3d[^\x26]*?[\x27\x22\x3b\x2d\x5c\x2a\x2f]/"; http.method; content:"POST"; reference:url,horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/; reference:cve,2025-61675; classtype:web-application-attack; sid:2066761; rev:1;)
```

Snort rule (sid 2067123):
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FreePBX Authentication Bypass via Forged Authorization Header (CVE-2025-61678)"; flow:established,to_server; http.uri; content:"/admin/"; startswith; content:"|2e|php|3f|"; http.header; to_lowercase; content:"authorization|3a 20|basic cmfuzg9to"; fast_pattern; http.method; content:"POST"; reference:url,horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/; reference:cve,2025-61678; classtype:web-application-attack; sid:2067123; rev:1;)
```

Snort rule (sid 2066760):
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via firmware Configuration (CVE-2025-61675)"; flow:established,to_server; http.uri; content:"/admin/config.php|3f|"; content:"view|3d|firmware"; fast_pattern; distance:0; http.request_body; pcre:"/(?:^|\x26)brand\x3d[^\x26]*?[\x27\x22\x3b\x2d\x5c\x2a\x2f]/"; http.method; content:"POST"; reference:url,horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/; reference:cve,2025-61675; classtype:web-application-attack; sid:2066760; rev:1;)
```
Detection notes:
- Authentication bypass (CVE-2025-66039) is triggered by sending any arbitrary Authorization header value to /admin/*.php endpoints when FreePBX is configured to use Webserver Authorization Mode. Detect POST requests to /admin/*.php? containing an Authorization: Basic header with a non-standard/arbitrary base64 value (e.g., 'basic cmfuzg9to').
- The exploit chain combines CVE-2025-66039 (auth bypass) with SQL injection CVEs (CVE-2025-61675/61678) to achieve unauthenticated RCE. Look for POST requests to /admin/config.php?view=basefile or ?view=firmware with SQL metacharacters (' " ; - \ * /) in body parameters (model, brand, id, template, OID).
- RCE is achieved by injecting a malicious record into the cron_jobs database table, which FreePBX executes as OS-level cron tasks. Monitor for unexpected cron job creation or modification in FreePBX's database.
- File upload RCE variant (CVE-2025-61678 chained with CVE-2025-66039) places a webshell in the web server's directory via path traversal in the firmware upload endpoint. Monitor for new PHP files appearing in web-accessible directories following POST requests to firmware upload endpoints.
- SQL injection in the custom extension component can be used to create a new administrative user. Monitor for unexpected new admin account creation in FreePBX after POST requests to /admin/config.php?view=basefile.

Caveats:
- CVE-2025-66039 (authentication bypass) is ONLY exploitable when the FreePBX admin has explicitly enabled 'Webserver Authorization Mode' as the authentication type. Default configurations are NOT affected.
- The full unauthenticated RCE chain requires BOTH CVE-2025-66039 (auth bypass, fixed in 16.0.44 / 17.0.23) AND a secondary SQLi or file-upload CVE (CVE-2025-61675 fixed in 16.0.92 / 17.0.6; CVE-2025-61678 fixed in 16.0.92 / 17.0.6). Patching only one CVE breaks the chain but does not fully remediate.
CVSS provenance
- NVD · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD · v4.0 · 9.3 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
No advisories linked to this vulnerability.
Suricata: ET WEB_SPECIFIC_APPS FreePBX Authentication Bypass via Forged Authorization Header (CVE-2025-61678)
suricata · 2026-01-27 · CVE-2025-61678 [HIGH] · CVSS 8.6
Rule:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FreePBX Authentication Bypass via Forged Authorization Header (CVE-2025-61678)"; flow:established,to_server; http.uri; content:"/admin/"; startswith; content:"|2e|php|3f|"; http.header; to_lowercase; content:"authorization|3a 20|basic cmfuzg9to"; fast_pattern; http.method; content:"POST"; reference:url,horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/; reference:cve,2025-61678; classtype:web-application-attack; sid:2067123; rev:1; metadata:affected_product FreePBX, attack_target Server, tls_state TLSDecrypt, created_at 2026_01_27, cve CVE_2025_61678, deployment Perimeter, deployment Internal, d
```
Suricata: ET WEB_SPECIFIC_APPS FreePBX Authentication Bypass via Forged Authorization Header (CVE-2025-66039)
suricata · 2026-01-27 · CVE-2025-66039 [CRITICAL] · CVSS 9.3
Rule:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FreePBX Authentication Bypass via Forged Authorization Header (CVE-2025-66039)"; flow:established,to_server; http.uri; content:"/admin/"; startswith; content:"|2e|php|3f|"; http.header; to_lowercase; content:"authorization|3a 20|basic ywrtaw46"; fast_pattern; http.method; content:"POST"; reference:url,horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/; reference:cve,2025-66039; classtype:web-application-attack; sid:2067120; rev:1; metadata:affected_product FreePBX, attack_target Server, tls_state TLSDecrypt, created_at 2026_01_27, cve CVE_2025_66039, deployment Perimeter, deployment Internal, de
```
Suricata: ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via model Configuration (CVE-2025-61675)
suricata · 2026-01-15 · CVE-2025-61675 [HIGH] · CVSS 8.6
Rule:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via model Configuration (CVE-2025-61675)"; flow:established,to_server; http.uri; content:"/admin/config.php|3f|"; content:"view|3d|basefile"; fast_pattern; distance:0; http.request_body; pcre:"/(?:^|\x26)(?:model|brand|id|template|OID)\x3d[^\x26]*?[\x27\x22\x3b\x2d\x5c\x2a\x2f]/"; http.method; content:"POST"; reference:url,horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/; reference:cve,2025-61675; classtype:web-application-attack; sid:2066761; rev:1; metadata:affected_product FreePBX, attack_target Server, tls_state TLSDecrypt, created_at 2026_01_15, cve CVE_2
```
Suricata: ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via firmware Configuration (CVE-2025-61675)
suricata · 2026-01-15 · CVE-2025-61675 [HIGH] · CVSS 8.6
Rule:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via firmware Configuration (CVE-2025-61675)"; flow:established,to_server; http.uri; content:"/admin/config.php|3f|"; content:"view|3d|firmware"; fast_pattern; distance:0; http.request_body; pcre:"/(?:^|\x26)brand\x3d[^\x26]*?[\x27\x22\x3b\x2d\x5c\x2a\x2f]/"; http.method; content:"POST"; reference:url,horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/; reference:cve,2025-61675; classtype:web-application-attack; sid:2066760; rev:1; metadata:affected_product FreePBX, attack_target Server, tls_state TLSDecrypt, created_at 2026_01_15, cve CVE_2025_61675, deploymen
```
Suricata: ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via extension Configuration (CVE-2025-61675)
suricata · 2026-01-15 · CVE-2025-61675 [HIGH] · CVSS 8.6
Rule:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via extension Configuration (CVE-2025-61675)"; flow:established,to_server; http.uri; content:"/admin/config.php|3f|"; content:"view|3d|customExt"; fast_pattern; distance:0; http.request_body; pcre:"/(?:^|\x26)id\x3d[^\x26]*?[\x27\x22\x3b\x2d\x5c\x2a\x2f]/"; http.method; content:"POST"; reference:url,horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/; reference:cve,2025-61675; classtype:web-application-attack; sid:2066762; rev:1; metadata:affected_product FreePBX, attack_target Server, tls_state TLSDecrypt, created_at 2026_01_15, cve CVE_2025_61675, deploymen
```
Suricata: ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via baseline Configuration (CVE-2025-61675)
suricata · 2026-01-15 · CVE-2025-61675 [HIGH] · CVSS 8.6
Rule:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via baseline Configuration (CVE-2025-61675)"; flow:established,to_server; http.uri; content:"/admin/config.php|3f|"; content:"view|3d|basestation"; fast_pattern; distance:0; http.request_body; pcre:"/(?:^|\x26)(?:name|brand|template|ac)\x3d[^\x26]*?[\x27\x22\x3b\x2d\x5c\x2a\x2f]/"; http.method; content:"POST"; reference:url,horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/; reference:cve,2025-61675; classtype:web-application-attack; sid:2066759; rev:1; metadata:affected_product FreePBX, attack_target Server, tls_state TLSDecrypt, created_at 2026_01_15, cve C
```
Metasploit: FreePBX endpoint SQLi to RCE
metasploit · CVE-2025-66039 [HIGH] · CVSS 8.6
FreePBX is an open-source IP PBX management tool that provides a modern phone system for businesses that use VoIP to make and receive phone calls. Versions before 16.0.44 and 17.0.23 are vulnerable to CVE-2025-66039, while versions before 16.0.92 and 17.0.6 are vulnerable to CVE-2025-61675. The former represents an authentication bypass: when FreePBX uses Webserver Authorization Mode (an option the admin can enable), it allows an attacker to authenticate as any user. The latter CVE describes multiple SQL injections; this module exploits the SQL injection in the custom extension component. The module chains these vulnerabilities into an unauthenticated SQL injection attack and gains remote code execution by injecting an SQL record into the cron_jobs table. The c
Metasploit: FreePBX Custom Extension SQL Injection
metasploit · CVE-2025-66039 [HIGH] · CVSS 8.6
FreePBX versions prior to 16.0.44 / 16.0.92 and 17.0.23 / 17.0.6 are vulnerable to multiple CVEs, specifically CVE-2025-66039 and CVE-2025-61675, in the context of this module. The versions before 16.0.44 and 17.0.23 are vulnerable to CVE-2025-66039, while versions before 16.0.92 and 17.0.6 are vulnerable to CVE-2025-61675. The former represents an authentication bypass: when FreePBX uses Webserver Authorization Mode (an option the admin can enable), it allows an attacker to authenticate as any user. The latter CVE describes multiple SQL injections; this module exploits the SQL injection in the custom extension component. The module chains these vulnerabilities into an unauthenticated SQL injection attack that creates a new administrative user.
Metasploit: FreePBX firmware file upload
metasploit · CVE-2025-66039 [HIGH] · CVSS 8.6
The FreePBX versions prior to 16.0.44 / 16.0.92 and 17.0.6 / 17.0.23 are vulnerable to multiple CVEs, specifically CVE-2025-66039 and CVE-2025-61678, in the context of this module. The versions before 16.0.44 and 17.0.23 are vulnerable to CVE-2025-66039, while versions before 16.0.92 and 17.0.6 are vulnerable to CVE-2025-61678. The former represents an authentication bypass: when FreePBX uses Webserver Authorization Mode (an option the admin can enable), it allows an attacker to authenticate as any user. The latter allows unrestricted file uploads via firmware upload, including path traversal. These vulnerabilities allow unauthenticated remote code execution by bypassing authentication and placing a webshell in the web server's directory.
References:
- https://github.com/FreePBX/framework/commit/04224253156543cd9932b90458660b2f19fc0e35#diff-72f14a52840a61504a8e03cd195035b44e488aecd634b001bc6412a04bdc940bR20-R50
- https://github.com/FreePBX/security-reporting/security/advisories/GHSA-9jvh-mv6x-w698
- https://www.freepbx.org/watch-what-we-do-with-security-fixes-%f0%9f%91%80