Multiple security vulnerabilities have been disclosed in the open source private branch exchange (PBX) platform FreePBX, including a critical flaw that could lead to authentication bypass under certain configurations.
The shortcomings discovered by Horizon3.ai and reported to the project administrator on September 15, 2025 are as follows:
CVE-2025-61675 (CVSS Score: 8.6) – Numerous authenticated SQL injection vulnerabilities affecting 4 unique endpoints (base station, model, firmware, custom extensions) and 11 affected parameters that allow read and write access to the underlying SQL database CVE-2025-61678 (CVSS Score: 8.6) – Authenticated Arbitrary File Upload Vulnerability Allows Attacker to Exploit Firmware Upload Endpoint to upload a PHP web shell after obtaining a valid PHPSESSID and execute arbitrary commands to leak the contents of sensitive files (e.g. “/etc/passwd”) CVE-2025-66039 (CVSS Score: 9.3) – “Authentication Type” (aka AUTHTYPE) An authentication bypass vulnerability that occurs when “webserver” is set to “webserver” allows an attacker to log into the administrator control panel. Forged authorization header
It is worth mentioning here that FreePBX’s default configuration is not vulnerable to authentication bypass, as the “Authentication Type” option only appears if the following three values are set to “Yes” in the advanced settings details:
Displaying friendly names Displaying read-only settings and overriding read-only settings
However, once the preconditions are met, an attacker could send a crafted HTTP request to bypass authentication and insert a malicious user into the “ampusers” database table, effectively accomplishing something similar to CVE-2025-57819, another FreePBX flaw that was revealed to be actively exploited in the wild in September 2025.
“These vulnerabilities can be easily exploited and allow an authenticated or unauthenticated remote attacker to remotely execute code on a vulnerable FreePBX instance,” Horizon3.ai security researcher Noah King said in a report published last week.
This issue is resolved in the following versions:
CVE-2025-61675 and CVE-2025-61678 – 16.0.92 and 17.0.6 (fixed on October 14, 2025) CVE-2025-66039 – 16.0.44 and 17.0.23 (fixed on December 9, 2025)
Additionally, the option to select an authentication provider has been removed from advanced settings and users must configure it manually from the command line using fwconsole. As a temporary mitigation, FreePBX recommends that users set “Authentication Type” to “usermanager”, “Override Read-Only Settings” to “No”, apply the new configuration, and restart the system to disconnect the unauthorized session.
“If you discover that AUTHTYPE has been inadvertently enabled on your web server, you should thoroughly analyze your system for signs of potential compromise,” the magazine said.
Additionally, the user’s dashboard will display a warning that “webserver” may be less secure than “usermanager”. For best protection, we recommend that you avoid using this authentication type.
“It is important to note that the underlying vulnerable code is still present and relies on the front authentication layer to provide security and access to the FreePBX instance,” King said. “You must pass an Authorization header containing a basic Base64-encoded username:password.”
“I’ve found that some endpoints require a valid username. Other cases, such as the file upload I shared above, don’t require a valid username. As explained, remote code execution can be achieved in a few steps. Authentication-type web servers appear to be legacy code, so I recommend not using them.”
Source link
