Multiple security vulnerabilities have been disclosed in the open-source private branch exchange (PBX) platform FreePBX, including a critical flaw that could result in an authentication bypass under certain configurations.
The shortcomings, discovered by Horizon3.ai and reported to the project maintainers on September 15, 2025, are listed below –
- CVE-2025-61675 (CVSS score: 8.6) – Numerous authenticated SQL injection vulnerabilities impacting four unique endpoints (basestation, model, firmware, and custom extension) and 11 affected parameters that enable read and write access to the underlying SQL database
- CVE-2025-61678 (CVSS score: 8.6) – An authenticated arbitrary file upload vulnerability that allows an attacker to exploit the firmware upload endpoint to upload a PHP web shell after obtaining a valid PHPSESSID and run arbitrary commands to leak the contents of sensitive files (e.g., “/etc/passwd”)
- CVE-2025-66039 (CVSS score: 9.3) – An authentication bypass vulnerability that occurs when the “Authorization Type” (aka AUTHTYPE) is set to “webserver,” allowing an attacker to log in to the Administrator Control Panel via a forged Authorization header
It’s worth mentioning here that the authentication bypass is not vulnerable in the default configuration of FreePBX, given that the “Authorization Type” option is only displayed when the three following values in the Advanced Settings Details are set to “Yes”:
- Display Friendly Name
- Display Readonly Settings, and
- Override Readonly Settings
However, once the prerequisite is met, an attacker could send crafted HTTP requests to sidestep authentication and insert a malicious user into the “ampusers” database table, effectively accomplishing something similar to CVE-2025-57819, another flaw in FreePBX that was disclosed as having been actively exploited in the wild in September 2025.
“These vulnerabilities are easily exploitable and enable authenticated/unauthenticated remote attackers to achieve remote code execution on vulnerable FreePBX instances,” Horizon3.ai security researcher Noah King said in a report published last week.
The issues have been addressed in the following versions –
- CVE-2025-61675 and CVE-2025-61678 – 16.0.92 and 17.0.6 (Fixed on October 14, 2025)
- CVE-2025-66039 – 16.0.44 and 17.0.23 (Fixed on December 9, 2025)
In addition, the option to choose an authentication provider has now been removed from Advanced Settings and requires users to set it manually through the command-line using fwconsole. As temporary mitigations, FreePBX has recommended that users set “Authorization Type” to “usermanager,” set “Override Readonly Settings” to “No,” apply the new configuration, and reboot the system to disconnect any rogue sessions.
“If you did find that web server AUTHTYPE was enabled inadvertently, then you should fully analyze your system for signs of any potential compromise,” it said.
Users are also displayed a…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
