Dec 15, 2025Ravie LakshmananVulnerability / Software program Safety
A number of safety vulnerabilities have been disclosed within the open-source personal department change (PBX) platform FreePBX, together with a important flaw that might end in an authentication bypass below sure configurations.
The shortcomings, found by Horizon3.ai and reported to the challenge maintainers on September 15, 2025, are listed beneath –
CVE-2025-61675 (CVSS rating: 8.6) – Quite a few authenticated SQL injection vulnerabilities impacting 4 distinctive endpoints (basestation, mannequin, firmware, and customized extension) and 11 affected parameters that allow learn and write entry to the underlying SQL database
CVE-2025-61678 (CVSS rating: 8.6) – An authenticated arbitrary file add vulnerability that permits an attacker to use the firmware add endpoint to add a PHP net shell after acquiring a legitimate PHPSESSID and run arbitrary instructions to leak the contents of delicate information (e.g., “/and so on/passwd”)
CVE-2025-66039 (CVSS rating: 9.3) – An authentication bypass vulnerability that happens when the “Authorization Kind” (aka AUTHTYPE) is ready to “webserver,” permitting an attacker to log in to the Administrator Management Panel through a solid Authorization header
It is price mentioning right here that the authentication bypass will not be weak within the default configuration of FreePBX, on condition that the “Authorization Kind” possibility is barely displayed when the three following values within the Superior Settings Particulars are set to “Sure”:
Show Pleasant Identify
Show Readonly Settings, and
Override Readonly Settings
Nonetheless, as soon as the prerequisite is met, an attacker might ship crafted HTTP requests to sidestep authentication and insert a malicious consumer into the “ampusers” database desk, successfully engaging in one thing just like CVE-2025-57819, one other flaw in FreePBX that was disclosed as having been actively exploited within the wild in September 2025.
“These vulnerabilities are simply exploitable and allow authenticated/unauthenticated distant attackers to attain distant code execution on weak FreePBX situations,” Horizon3.ai safety researcher Noah King mentioned in a report printed final week.
The problems have been addressed within the following variations –
CVE-2025-61675 and CVE-2025-61678 – 16.0.92 and 17.0.6 (Mounted on October 14, 2025)
CVE-2025-66039 – 16.0.44 and 17.0.23 (Mounted on December 9, 2025)
As well as, the choice to decide on an authentication supplier has now been faraway from Superior Settings and requires customers to set it manually via the command-line utilizing fwconsole. As momentary mitigations, FreePBX has really useful that customers set “Authorization Kind” to “usermanager,” set “Override Readonly Settings” to “No,” apply the brand new configuration, and reboot the system to disconnect any rogue periods.
“For those who did discover that net server AUTHTYPE was enabled inadvertently, then it is best to totally analyze your system for indicators of any potential compromise,” it mentioned.
Customers are additionally displayed a warning on the dashboard, stating “webserver” might provide diminished safety in comparison with “usermanager.” For optimum safety, it is suggested to keep away from utilizing this authentication sort.
“It is vital to notice that the underlying weak code continues to be current and depends on authentication layers in entrance to offer safety and entry to the FreePBX occasion,” King mentioned. “It nonetheless requires passing an Authorization header with a Fundamental base64 encoded username:password.”
“Relying on the endpoint, we observed a legitimate username was required. In different circumstances, such because the file add shared above, a legitimate username will not be required, and you may obtain distant code execution with a number of steps, as outlined. It’s best observe to not use the authentication sort webserver because it seems to be legacy code.”
