A number of safety vulnerabilities have been disclosed within the open-source personal department trade (PBX) platform FreePBX, together with a vital flaw that might end in an authentication bypass below sure configurations.
The shortcomings, found by Horizon3.ai and reported to the undertaking maintainers on September 15, 2025, are listed beneath –
- CVE-2025-61675 (CVSS rating: 8.6) – Quite a few authenticated SQL injection vulnerabilities impacting 4 distinctive endpoints (basestation, mannequin, firmware, and customized extension) and 11 affected parameters that allow learn and write entry to the underlying SQL database
- CVE-2025-61678 (CVSS rating: 8.6) – An authenticated arbitrary file add vulnerability that enables an attacker to use the firmware add endpoint to add a PHP internet shell after acquiring a sound PHPSESSID and run arbitrary instructions to leak the contents of delicate recordsdata (e.g., “/and so on/passwd”)
- CVE-2025-66039 (CVSS rating: 9.3) – An authentication bypass vulnerability that happens when the “Authorization Sort” (aka AUTHTYPE) is ready to “webserver,” permitting an attacker to log in to the Administrator Management Panel by way of a solid Authorization header
It is value mentioning right here that the authentication bypass shouldn’t be weak within the default configuration of FreePBX, provided that the “Authorization Sort” possibility is barely displayed when the three following values within the Superior Settings Particulars are set to “Sure”:
- Show Pleasant Title
- Show Readonly Settings, and
- Override Readonly Settings
Nonetheless, as soon as the prerequisite is met, an attacker might ship crafted HTTP requests to sidestep authentication and insert a malicious person into the “ampusers” database desk, successfully engaging in one thing much like CVE-2025-57819, one other flaw in FreePBX that was disclosed as having been actively exploited within the wild in September 2025.
“These vulnerabilities are simply exploitable and allow authenticated/unauthenticated distant attackers to attain distant code execution on weak FreePBX situations,” Horizon3.ai safety researcher Noah King stated in a report revealed final week.
The problems have been addressed within the following variations –
- CVE-2025-61675 and CVE-2025-61678 – 16.0.92 and 17.0.6 (Mounted on October 14, 2025)
- CVE-2025-66039 – 16.0.44 and 17.0.23 (Mounted on December 9, 2025)
As well as, the choice to decide on an authentication supplier has now been faraway from Superior Settings and requires customers to set it manually by the command-line utilizing fwconsole. As momentary mitigations, FreePBX has really helpful that customers set “Authorization Sort” to “usermanager,” set “Override Readonly Settings” to “No,” apply the brand new configuration, and reboot the system to disconnect any rogue classes.
“In case you did discover that internet server AUTHTYPE was enabled inadvertently, then it’s best to totally analyze your system for indicators of any potential compromise,” it stated.
Customers are additionally displayed a warning on the dashboard, stating “webserver” might provide lowered safety in comparison with “usermanager.” For optimum safety, it is suggested to keep away from utilizing this authentication kind.
“It is essential to notice that the underlying weak code continues to be current and depends on authentication layers in entrance to supply safety and entry to the FreePBX occasion,” King stated. “It nonetheless requires passing an Authorization header with a Primary base64 encoded username:password.”
“Relying on the endpoint, we observed a sound username was required. In different instances, such because the file add shared above, a sound username shouldn’t be required, and you’ll obtain distant code execution with a couple of steps, as outlined. It’s best apply to not use the authentication kind webserver because it seems to be legacy code.”
