Multiple security vulnerabilities have been disclosed in the open-source private branch exchange (PBX) platform FreePBX, including a critical flaw that could result in an authentication bypass under certain configurations.
The shortcomings, discovered by Horizon3.ai and reported to the project maintainers on September 15, 2025, are listed below –
- CVE-2025-61675 (CVSS score: 8.6) – Numerous authenticated SQL injection vulnerabilities impacting four unique endpoints (basestation, model, firmware, and custom extension) and 11 affected parameters that enable read and write access to the underlying SQL database
- CVE-2025-61678 (CVSS score: 8.6) – An authenticated arbitrary file upload vulnerability that allows an attacker to exploit the firmware upload endpoint to upload a PHP web shell after obtaining a valid PHPSESSID and run arbitrary commands to leak the contents of sensitive files (e.g., “/etc/passwd”)
- CVE-2025-66039 (CVSS score: 9.3) – An authentication bypass vulnerability that occurs when the “Authorization Type” (aka AUTHTYPE) is set to “webserver,” allowing an attacker to log in to the Administrator Control Panel via a forged Authorization header
It’s worth mentioning here that the authentication bypass is not vulnerable in the default configuration of FreePBX, given that the “Authorization Type” option is only displayed when the three following values in the Advanced Settings Details are set to “Yes”:
- Display Friendly Name
- Display Readonly Settings, and
- Override Readonly Settings
However, once the prerequisite is met, an attacker could send crafted HTTP requests to sidestep authentication and insert a malicious user into the “ampusers” database table, effectively accomplishing something similar to CVE-2025-57819, another flaw in FreePBX that was disclosed as having been actively exploited in the wild in September 2025.
“These vulnerabilities are easily exploitable and enable authenticated/unauthenticated remote attackers to achieve remote code execution on vulnerable FreePBX instances,” Horizon3.ai security researcher Noah King said in a report published last week.
The issues have been addressed in the following versions –
- CVE-2025-61675 and CVE-2025-61678 – 16.0.92 and 17.0.6 (Fixed on October 14, 2025)
- CVE-2025-66039 – 16.0.44 and 17.0.23 (Fixed on December 9, 2025)
In addition, the option to choose an authentication provider has now been removed from Advanced Settings and requires users to set it manually through the command-line using fwconsole. As temporary mitigations, FreePBX has recommended that users set “Authorization Type” to “usermanager,” set “Override Readonly Settings” to “No,” apply the new configuration, and reboot the system to disconnect any rogue sessions.
“If you did find that web server AUTHTYPE was enabled inadvertently, then you should fully analyze your system for signs of any potential compromise,” it said.
Users are also displayed a warning on the dashboard, stating “webserver” may offer reduced security compared to “usermanager.” For optimal protection, it’s advised to avoid using this authentication type.
“It’s important to note that the underlying vulnerable code is still present and relies on authentication layers in front to provide security and access to the FreePBX instance,” King said. “It still requires passing an Authorization header with a Basic base64 encoded username:password.”
“Depending on the endpoint, we noticed a valid username was required. In other cases, such as the file upload shared above, a valid username is not required, and you can achieve remote code execution with a few steps, as outlined. It is best practice not to use the authentication type webserver as it appears to be legacy code.”