Key Takeaways
- Multiple security vulnerabilities have been disclosed in the open-source private branch exchange (PBX) platform FreePBX, including a critical flaw that could result in an authentication bypass under certain configurations.
- The vulnerabilities, discovered by Horizon3.ai, include CVE-2025-61675, CVE-2025-61678, and CVE-2025-66039, with CVSS scores ranging from 8.6 to 9.3.
- The issues have been addressed in versions 16.0.92, 17.0.6, 16.0.44, and 17.0.23, and users are recommended to set "Authorization Type" to "usermanager" and apply temporary mitigations to prevent potential compromise.
Introduction to FreePBX Vulnerabilities
The open-source private branch exchange (PBX) platform FreePBX has been found to have multiple security vulnerabilities, including a critical flaw that could result in an authentication bypass under certain configurations. These vulnerabilities, discovered by Horizon3.ai, were reported to the project maintainers on September 15, 2025, and have been listed as CVE-2025-61675, CVE-2025-61678, and CVE-2025-66039, with CVSS scores ranging from 8.6 to 9.3. The CVSS score is a measure of the severity of a vulnerability, with higher scores indicating a greater potential impact.
Details of the Vulnerabilities
CVE-2025-61675 is an authenticated SQL injection vulnerability that impacts four unique endpoints and 11 affected parameters, enabling read and write access to the underlying SQL database. CVE-2025-61678 is an authenticated arbitrary file upload vulnerability that allows an attacker to exploit the firmware upload endpoint to upload a PHP web shell after obtaining a valid PHPSESSID and run arbitrary commands to leak the contents of sensitive files. CVE-2025-66039 is an authentication bypass vulnerability that occurs when the "Authorization Type" is set to "webserver," allowing an attacker to log in to the Administrator Control Panel via a forged Authorization header. This vulnerability is not present in the default configuration of FreePBX, but can be exploited if the "Authorization Type" option is set to "webserver" and certain prerequisites are met.
Impact and Exploitation
The vulnerabilities are easily exploitable and enable authenticated/unauthenticated remote attackers to achieve remote code execution on vulnerable FreePBX instances. An attacker could send crafted HTTP requests to sidestep authentication and insert a malicious user into the "ampusers" database table, effectively accomplishing something similar to CVE-2025-57819, another flaw in FreePBX that was disclosed as having been actively exploited in the wild in September 2025. The issues have been addressed in versions 16.0.92, 17.0.6, 16.0.44, and 17.0.23, and users are recommended to set "Authorization Type" to "usermanager" and apply temporary mitigations to prevent potential compromise.
Mitigations and Recommendations
As temporary mitigations, FreePBX has recommended that users set "Authorization Type" to "usermanager," set "Override Readonly Settings" to "No," apply the new configuration, and reboot the system to disconnect any rogue sessions. Users are also displayed a warning on the dashboard, stating "webserver" may offer reduced security compared to "usermanager." For optimal protection, it’s advised to avoid using this authentication type. The option to choose an authentication provider has now been removed from Advanced Settings and requires users to set it manually through the command-line using fwconsole. It’s also recommended to fully analyze the system for signs of any potential compromise if the "webserver" authentication type was enabled inadvertently.
Conclusion and Best Practices
In conclusion, the vulnerabilities disclosed in FreePBX are serious and can have significant impacts on the security of the platform. It’s essential for users to apply the recommended mitigations and follow best practices to prevent potential compromise. The underlying vulnerable code is still present and relies on authentication layers in front to provide security and access to the FreePBX instance. Therefore, it’s crucial to use a secure authentication type, such as "usermanager," and avoid using the "webserver" authentication type, which appears to be legacy code. By following these recommendations and staying up-to-date with the latest security patches, users can help ensure the security and integrity of their FreePBX instances.
/file/dailymaverick/wp-content/uploads/2023/09/A7R0186.jpg?w=300&resize=300,300&ssl=1 "Nine Dead in Mysterious Attack as Municipality Requests Military Intervention")