A number of security vulnerabilities have been disclosed within the open-source personal department alternate (PBX) platform FreePBX, together with a crucial flaw that would lead to an authentication bypass underneath sure configurations.
The shortcomings, found by Horizon3.ai and reported to the mission maintainers on September 15, 2025, are listed beneath –
- CVE-2025-61675 (CVSS rating: 8.6) – Quite a few authenticated SQL injection vulnerabilities impacting 4 distinctive endpoints (basestation, mannequin, firmware, and customized extension) and 11 affected parameters that allow learn and write entry to the underlying SQL database
- CVE-2025-61678 (CVSS rating: 8.6) – An authenticated arbitrary file add vulnerability that permits an attacker to use the firmware add endpoint to add a PHP internet shell after acquiring a sound PHPSESSID and run arbitrary instructions to leak the contents of delicate information (e.g., “/and many others/passwd”)
- CVE-2025-66039 (CVSS rating: 9.3) – An authentication bypass vulnerability that happens when the “Authorization Kind” (aka AUTHTYPE) is about to “webserver,” permitting an attacker to log in to the Administrator Management Panel by way of a cast Authorization header
It is value mentioning right here that the authentication bypass just isn’t susceptible within the default configuration of FreePBX, on condition that the “Authorization Kind” choice is simply displayed when the three following values within the Superior Settings Particulars are set to “Sure”:
- Show Pleasant Identify
- Show Readonly Settings, and
- Override Readonly Settings
Nevertheless, as soon as the prerequisite is met, an attacker might ship crafted HTTP requests to sidestep authentication and insert a malicious person into the “ampusers” database desk, successfully engaging in one thing just like CVE-2025-57819, one other flaw in FreePBX that was disclosed as having been actively exploited within the wild in September 2025.
“These vulnerabilities are simply exploitable and allow authenticated/unauthenticated distant attackers to attain distant code execution on susceptible FreePBX cases,” Horizon3.ai security researcher Noah King stated in a report printed final week.
The problems have been addressed within the following variations –
- CVE-2025-61675 and CVE-2025-61678 – 16.0.92 and 17.0.6 (Mounted on October 14, 2025)
- CVE-2025-66039 – 16.0.44 and 17.0.23 (Mounted on December 9, 2025)
As well as, the choice to decide on an authentication supplier has now been faraway from Superior Settings and requires customers to set it manually by the command-line utilizing fwconsole. As short-term mitigations, FreePBX has really helpful that customers set “Authorization Kind” to “usermanager,” set “Override Readonly Settings” to “No,” apply the brand new configuration, and reboot the system to disconnect any rogue classes.
“If you happen to did discover that internet server AUTHTYPE was enabled inadvertently, then you must absolutely analyze your system for indicators of any potential compromise,” it stated.
Customers are additionally displayed a warning on the dashboard, stating “webserver” might supply decreased security in comparison with “usermanager.” For optimum safety, it is suggested to keep away from utilizing this authentication sort.
“It is essential to notice that the underlying susceptible code continues to be current and depends on authentication layers in entrance to offer security and entry to the FreePBX occasion,” King stated. “It nonetheless requires passing an Authorization header with a Fundamental base64 encoded username:password.”
“Relying on the endpoint, we observed a sound username was required. In different instances, such because the file add shared above, a sound username just isn’t required, and you’ll obtain distant code execution with a number of steps, as outlined. It’s best apply to not use the authentication sort webserver because it seems to be legacy code.”
