
FreePBX Patches Critical SQLi, File-Upload, and AUTHTYPE Bypass Flaws Enabling RCE

Published:

15 December 2025 at 14:32:00

Alert date:

15 December 2025 at 15:01:25

Source:

thehackernews.com


Enterprise Applications, Zero-Day Vulnerabilities, Identity & Access

Multiple critical security vulnerabilities were discovered in FreePBX, an open-source private branch exchange platform. The flaws include a critical authentication bypass vulnerability (CVE-2025-61675) with a CVSS score of 8.6, along with SQL injection and file upload vulnerabilities that can lead to remote code execution. The vulnerabilities were discovered by Horizon3.ai and reported to maintainers on September 15, 2025. FreePBX has released patches to address these security issues.

Technical details

Multiple vulnerabilities in FreePBX, including:

1) CVE-2025-61675 - Authenticated SQL injection vulnerabilities affecting four endpoints (basestation, model, firmware, custom extension) with 11 affected parameters, enabling read/write database access.
2) CVE-2025-61678 - Authenticated arbitrary file upload vulnerability allowing a PHP web shell to be uploaded via the firmware upload endpoint once a valid PHPSESSID has been obtained.
3) CVE-2025-66039 - Authentication bypass when Authorization Type is set to 'webserver', allowing login via a forged Authorization header. The bypass requires specific Advanced Settings to be enabled: Display Friendly Name, Display Readonly Settings, and Override Readonly Settings all set to 'Yes'.

Mitigation steps:

Update to patched versions: 16.0.92/17.0.6 (for CVE-2025-61675 and CVE-2025-61678) or 16.0.44/17.0.23 (for CVE-2025-66039).
Set Authorization Type to 'usermanager' and set 'Override Readonly Settings' to 'No', then apply the configuration and reboot the system to disconnect rogue sessions.
Analyze systems for compromise if the webserver AUTHTYPE was previously enabled.
Avoid using the 'webserver' authentication type, as it appears to be legacy code with reduced security.

Affected products:

FreePBX (versions before 16.0.92 and 17.0.6 for CVE-2025-61675 and CVE-2025-61678)
FreePBX (versions before 16.0.44 and 17.0.23 for CVE-2025-66039)
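The fixed versions and the configuration state described in the mitigation steps and affected-product list above can be turned into a small defender-side checker. The following is an added example written for this page; it is not code from FreePBX or from the advisory's authors. The fixed version numbers and the AUTHTYPE name come from the advisory text; the three AS_* setting keywords are assumed names for the Advanced Settings the advisory lists, and the advisory does not say which FreePBX component each version number belongs to, so the caller supplies the version string of the component being checked.

```python
import re
from typing import Dict, List, Tuple

# Fixed versions per CVE and major branch, copied from the advisory text.
# The advisory does not say which FreePBX component each version refers to,
# so callers pass the version string of the component they are checking.
FIXED_VERSIONS: Dict[str, Dict[int, str]] = {
    "CVE-2025-61675": {16: "16.0.92", 17: "17.0.6"},
    "CVE-2025-61678": {16: "16.0.92", 17: "17.0.6"},
    "CVE-2025-66039": {16: "16.0.44", 17: "17.0.23"},
}

# Setting names. AUTHTYPE is the name used in the advisory title; the three
# AS_* keywords are ASSUMED names for the Advanced Settings it lists.
AUTHTYPE_KEY = "AUTHTYPE"
OVERRIDE_READONLY_KEY = "AS_OVERRIDE_READONLY"  # "Override Readonly Settings" (assumed keyword)
BYPASS_PRECONDITION_KEYS = (
    "AS_DISPLAY_FRIENDLY_NAME",      # "Display Friendly Name" (assumed keyword)
    "AS_DISPLAY_READONLY_SETTINGS",  # "Display Readonly Settings" (assumed keyword)
    OVERRIDE_READONLY_KEY,
)
TRUTHY = {"yes", "1", "true", "on"}


def parse_version(v: str) -> Tuple[int, ...]:
    """'16.0.92' -> (16, 0, 92). Any suffix after the numeric part is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unparseable version string: {v!r}")
    return tuple(int(x) for x in m.group(1).split("."))


def unpatched_cves(installed: str) -> List[str]:
    """Return the CVEs from the advisory whose fixed version is newer than `installed`.

    A version on a major branch the advisory does not mention is reported for
    every CVE; that is the conservative choice for a checker.
    """
    ver = parse_version(installed)
    findings = []
    for cve, by_branch in FIXED_VERSIONS.items():
        fixed = by_branch.get(ver[0])
        if fixed is None or ver < parse_version(fixed):
            findings.append(cve)
    return findings


def is_enabled(settings: Dict[str, str], key: str) -> bool:
    """Treat 'yes'/'1'/'true'/'on' (case-insensitive) as an enabled setting."""
    return settings.get(key, "").strip().lower() in TRUTHY


def bypass_preconditions_met(settings: Dict[str, str]) -> bool:
    """True when AUTHTYPE is 'webserver' and all three Advanced Settings the
    advisory names are enabled, i.e. the state it describes for CVE-2025-66039."""
    if settings.get(AUTHTYPE_KEY, "").strip().lower() != "webserver":
        return False
    return all(is_enabled(settings, k) for k in BYPASS_PRECONDITION_KEYS)


def audit(installed: str, settings: Dict[str, str]) -> List[str]:
    """Combine the version check and the configuration check into a findings list."""
    findings = [f"{cve}: fixed version not reached by {installed}" for cve in unpatched_cves(installed)]
    if settings.get(AUTHTYPE_KEY, "").strip().lower() == "webserver":
        findings.append("AUTHTYPE is 'webserver'; advisory recommends 'usermanager'")
    if is_enabled(settings, OVERRIDE_READONLY_KEY):
        findings.append("Override Readonly Settings is enabled; advisory says set it to 'No'")
    if bypass_preconditions_met(settings):
        findings.append("all CVE-2025-66039 preconditions present; review for compromise, fix, then reboot")
    return findings


# Constructed sample: a 16.x install configured the way the advisory describes.
# (Sample data, not taken from any real system.)
CONSTRUCTED_SETTINGS = {
    "AUTHTYPE": "webserver",
    "AS_DISPLAY_FRIENDLY_NAME": "1",
    "AS_DISPLAY_READONLY_SETTINGS": "1",
    "AS_OVERRIDE_READONLY": "1",
}

if __name__ == "__main__":
    # 16.0.50 is below 16.0.92 (SQLi/upload fixes) but at or above 16.0.44.
    for line in audit("16.0.50", CONSTRUCTED_SETTINGS):
        print("-", line)
```

The settings dictionary is meant to be filled from wherever the deployment keeps its keyword/value settings; the example only shows the decision logic, and because the AS_* keywords are assumptions they should be confirmed against the installation before relying on the configuration part of the check.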

Related links:

Related CVEs:

Related threat actors:

IOCs:

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
