CVE-2025-66039
published 2025-12-09

Priority P180 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: EXPLOIT
EPSS: 2.98% (85.6th percentile)
FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions are vulnerable to authentication bypass when the authentication type is set to "webserver." When providing an Authorization header with an arbitrary value, a session is associated with the target user regardless of valid credentials. This issue is fixed in versions 16.0.44 and 17.0.23.

Affected (4 ranges)

Vendor    Product     Version range           Fixed in
freepbx   framework   < 16.0.44               16.0.44
freepbx   framework
sangoma   freepbx     < 16.0.44               16.0.44
sangoma   freepbx     >= 17.0.1, < 17.0.23    17.0.23

Detection & IOCs (extracted from sources)

url: /admin/config.php?view=basefile
url: /admin/config.php?view=firmware
url: /admin/
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via model Configuration (CVE-2025-61675)"; flow:established,to_server; http.uri; content:"/admin/config.php|3f|"; content:"view|3d|basefile"; fast_pattern; distance:0; http.request_body; pcre:"/(?:^|\x26)(?:model|brand|id|template|OID)\x3d[^\x26]*?[\x27\x22\x3b\x2d\x5c\x2a\x2f]/"; http.method; content:"POST"; reference:url,horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/; reference:cve,2025-61675; classtype:web-application-attack; sid:2066761; rev:1;)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FreePBX Authentication Bypass via Forged Authorization Header (CVE-2025-61678)"; flow:established,to_server; http.uri; content:"/admin/"; startswith; content:"|2e|php|3f|"; http.header; to_lowercase; content:"authorization|3a 20|basic cmfuzg9to"; fast_pattern; http.method; content:"POST"; reference:url,horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/; reference:cve,2025-61678; classtype:web-application-attack; sid:2067123; rev:1;)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FreePBX Authenticated SQL Injection via firmware Configuration (CVE-2025-61675)"; flow:established,to_server; http.uri; content:"/admin/config.php|3f|"; content:"view|3d|firmware"; fast_pattern; distance:0; http.request_body; pcre:"/(?:^|\x26)brand\x3d[^\x26]*?[\x27\x22\x3b\x2d\x5c\x2a\x2f]/"; http.method; content:"POST"; reference:url,horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/; reference:cve,2025-61675; classtype:web-application-attack; sid:2066760; rev:1;)
  • Authentication bypass (CVE-2025-66039) is triggered by sending any arbitrary Authorization header value to /admin/*.php endpoints when FreePBX is configured to use Webserver Authorization Mode. Detect POST requests to /admin/*.php? containing an Authorization: Basic header with a non-standard/arbitrary base64 value (e.g., 'basic cmfuzg9to').
  • The exploit chain combines CVE-2025-66039 (auth bypass) with SQL injection CVEs (CVE-2025-61675/61678) to achieve unauthenticated RCE. Look for POST requests to /admin/config.php?view=basefile or ?view=firmware with SQL metacharacters (' " ; - \ * /) in body parameters (model, brand, id, template, OID).
  • RCE is achieved by injecting a malicious record into the cron_jobs database table, which FreePBX executes as OS-level cron tasks. Monitor for unexpected cron job creation or modification in FreePBX's database.
  • File upload RCE variant (CVE-2025-61678 chained with CVE-2025-66039) places a webshell in the web server's directory via path traversal in the firmware upload endpoint. Monitor for new PHP files appearing in web-accessible directories following POST requests to firmware upload endpoints.
  • SQL injection in the custom extension component can be used to create a new administrative user. Monitor for unexpected new admin account creation in FreePBX after POST requests to /admin/config.php?view=basefile.
  • CVE-2025-66039 (authentication bypass) is ONLY exploitable when the FreePBX admin has explicitly enabled 'Webserver Authorization Mode' as the authentication type. Default configurations are NOT affected.
  • The full unauthenticated RCE chain requires BOTH CVE-2025-66039 (auth bypass, fixed in 16.0.44 / 17.0.23) AND a secondary SQLi or file-upload CVE (CVE-2025-61675 fixed in 16.0.92 / 17.0.6; CVE-2025-61678 fixed in 16.0.92 / 17.0.6). Patching only one CVE breaks the chain but does not fully remediate.
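The first two detection notes above describe request patterns that the Snort rules on this page match on the wire. The following is an added example (not part of this CVE record, the Snort rules, or the FreePBX project) that applies the same logic to already-logged HTTP requests, for example a reverse-proxy or WAF log replayed into a script. The record layout (method, uri, headers, body) and the sample requests are constructed assumptions; the malformed-credential heuristic is an addition of mine, not something the record states. It goes slightly beyond the page by decoding percent-encoded bodies before looking for metacharacters, so an encoded quote is caught as well as a raw one.

```python
"""Flag FreePBX /admin/*.php requests matching the two detection notes above.

Added example; log layout and sample requests are constructed assumptions.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Body parameters and SQL metacharacters named in the detection note and in
# the Snort rules on this page: ' " ; - \ * /
SQLI_PARAMS = {"model", "brand", "id", "template", "OID"}
SQLI_META = re.compile(r"""['";\-\\*/]""")
# Any PHP script directly under /admin/, with or without a query string.
ADMIN_PHP = re.compile(r"^/admin/[^/?]*\.php(?:\?|$)")


def basic_credential_is_malformed(auth_value):
    """Heuristic (mine, not from the record): a genuine Basic credential is
    base64("user:pass"). A token that does not decode, or decodes without a
    colon, was not produced by a client doing real Basic auth."""
    token = auth_value.split(None, 1)[1] if " " in auth_value else ""
    try:
        decoded = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return True
    return b":" not in decoded


def flag_auth_bypass(req):
    """Note 1: POST to /admin/*.php carrying a Basic Authorization header.
    On an instance not deliberately running in Webserver Authorization Mode
    the FreePBX login flow never sends this header, so any hit deserves a
    look; on one that is, compare against the web server's own auth log."""
    if req["method"] != "POST" or not ADMIN_PHP.match(req["uri"]):
        return None
    auth = next((v for k, v in req["headers"].items()
                 if k.lower() == "authorization"), None)
    if auth is None or not auth.lower().startswith("basic "):
        return None
    return {"rule": "freepbx-auth-header-on-admin-php",
            "uri": req["uri"],
            "malformed_credential": basic_credential_is_malformed(auth)}


def flag_sqli_body(req):
    """Note 2: POST to config.php?view=basefile|firmware whose body carries
    SQL metacharacters in one of the named parameters. The body is decoded
    first, so %27 is treated like a literal quote. Hyphenated model names
    will match the '-' metacharacter, as they do in the Snort pcre."""
    if req["method"] != "POST":
        return None
    parts = urlsplit(req["uri"])
    if parts.path != "/admin/config.php":
        return None
    view = parse_qs(parts.query).get("view", [""])[0]
    if view not in ("basefile", "firmware"):
        return None
    hits = {}
    for name, values in parse_qs(req["body"], keep_blank_values=True).items():
        if name in SQLI_PARAMS:
            for value in values:
                if SQLI_META.search(value):
                    hits[name] = value
    if not hits:
        return None
    return {"rule": f"freepbx-sqli-{view}", "params": hits}


def scan(requests):
    """Run both checks over every logged request; return the findings."""
    findings = []
    for req in requests:
        for check in (flag_auth_bypass, flag_sqli_body):
            finding = check(req)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample log records, not captured traffic.
SAMPLE_REQUESTS = [
    {"method": "POST", "uri": "/admin/config.php?display=endpoint",
     "headers": {"Authorization": "Basic Zm9vOmJhcg=="},   # "foo:bar"
     "body": "action=save"},
    {"method": "POST", "uri": "/admin/config.php?view=basefile",
     "headers": {}, "body": "model=Polycom'%20OR%201%3d1--&brand=acme"},
    {"method": "GET", "uri": "/admin/config.php?view=firmware",
     "headers": {}, "body": ""},
    {"method": "POST", "uri": "/admin/config.php?view=firmware",
     "headers": {}, "body": "brand=yealink&file=fw.bin"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

Run against the constructed records, the first request is flagged for the Authorization header (with a well-formed credential) and the second for the quote in the `model` parameter; the GET and the clean firmware POST produce nothing. The `malformed_credential` field is what separates a forged header from a real Basic login on instances that legitimately use Webserver Authorization Mode.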

CVSS provenance

nvd  v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd  v4.0  9.3  CRITICAL  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X