FreePBX Addresses Critical Security Flaws: SQL Injection, File Upload Vulnerabilities, and AUTHTYPE Bypass Patch Released

Multiple vulnerabilities have been identified in the open-source private branch exchange (PBX) platform FreePBX, including a serious flaw that can lead to authentication bypass in specific configurations. These vulnerabilities, discovered by Horizon3.ai and reported to the project maintainers on September 15, 2025, include:

  • CVE-2025-61675 (CVSS score: 8.6): This vulnerability encompasses several authenticated SQL injection issues affecting four different endpoints (basestation, model, firmware, and custom extension) across 11 parameters, facilitating both read and write access to the underlying SQL database.

  • CVE-2025-61678 (CVSS score: 8.6): This flaw allows authenticated attackers to exploit the firmware upload endpoint to upload a PHP web shell by acquiring a valid PHP session ID, enabling them to execute arbitrary commands that could leak sensitive information such as the content of system files.

  • CVE-2025-66039 (CVSS score: 9.3): The authentication bypass vulnerability, which becomes active when the "Authorization Type" (AUTHTYPE) is set to "webserver," permits attackers to access the Administrator Control Panel using a forged Authorization header.

It’s crucial to highlight that this authentication bypass vulnerability does not affect FreePBX’s default setup, as the "Authorization Type" configuration only appears when specific values in the Advanced Settings are enabled:

  • Display Friendly Name
  • Display Readonly Settings
  • Override Readonly Settings

If these conditions are met, an attacker could craft HTTP requests to bypass authentication and insert malicious users into the "ampusers" database, reminiscent of another flaw, CVE-2025-57819, which had been previously reported as actively exploited.

Noah King, a researcher at Horizon3.ai, remarked that these vulnerabilities can be easily exploited by both authenticated and unauthenticated remote attackers, enabling them to execute code remotely on susceptible FreePBX instances.

To address these issues, patches have been released in the following versions:

  • CVE-2025-61675 and CVE-2025-61678: Fixed in versions 16.0.92 and 17.0.6 as of October 14, 2025.
  • CVE-2025-66039: Resolved in versions 16.0.44 and 17.0.23 on December 9, 2025.

Furthermore, FreePBX has removed the option to select an authentication provider from the Advanced Settings and now requires users to set it manually using command-line tools. For immediate mitigation, users are advised to change the "Authorization Type" to "usermanager," set "Override Readonly Settings" to "No," and reboot their systems to terminate any unauthorized sessions.

FreePBX has also issued a warning on user dashboards stating that the "webserver" authentication method may compromise system security compared to "usermanager." Users are encouraged to examine their systems for signs of compromise if the "webserver" AUTHTYPE was ever enabled, even inadvertently.

King emphasized that although the vulnerable code still exists, access to FreePBX will largely depend on the authentication safeguards in place, underscoring the importance of adhering to security best practices by avoiding the use of legacy authentication types.
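The checks below turn the advisory's facts into a small audit script. This is an added example, not code from Horizon3.ai, FreePBX, or this article: the fix versions are the ones listed above, taken per major branch exactly as the article states them; the setting names are the Advanced Settings display names quoted in the text (how you read them out of a live system is up to you, so the script takes them as a plain dictionary); and the sample data at the bottom is constructed for illustration.

```python
"""Defender-side audit helpers for the FreePBX issues described above.

Constructed example. Assumptions: settings are passed as a dict keyed by the
Advanced Settings display names the article quotes; versions are compared
against the fix versions the article lists for each major branch.
"""
from typing import Dict, Iterable, List, Tuple

# Fix versions per major branch, as stated in the article.
FIXED_VERSIONS: Dict[str, Dict[int, Tuple[int, ...]]] = {
    "CVE-2025-61675": {16: (16, 0, 92), 17: (17, 0, 6)},
    "CVE-2025-61678": {16: (16, 0, 92), 17: (17, 0, 6)},
    "CVE-2025-66039": {16: (16, 0, 44), 17: (17, 0, 23)},
}

# The three Advanced Settings that, per the article, must be enabled before
# the "Authorization Type" option is even shown.
EXPOSING_SETTINGS = (
    "Display Friendly Name",
    "Display Readonly Settings",
    "Override Readonly Settings",
)


def parse_version(text: str) -> Tuple[int, ...]:
    """'16.0.43' -> (16, 0, 43); tuples compare component-wise."""
    return tuple(int(part) for part in text.strip().split("."))


def unpatched_cves(installed: str) -> List[str]:
    """CVEs whose fix version for this major branch is newer than `installed`.
    Branches the article does not mention (e.g. 15.x) yield nothing, because
    the article makes no statement about them."""
    version = parse_version(installed)
    branch = version[0]
    return [cve for cve, fixes in FIXED_VERSIONS.items()
            if branch in fixes and version < fixes[branch]]


def _is_yes(value) -> bool:
    return str(value).strip().lower() in ("yes", "true", "1", "on")


def audit_auth_settings(settings: Dict[str, str]) -> List[str]:
    """Flag the configuration the article describes as risky.
    Missing keys are treated as the safe default (usermanager / No)."""
    findings: List[str] = []
    authtype = str(settings.get("Authorization Type", "usermanager")).strip().lower()
    enabled = [name for name in EXPOSING_SETTINGS if _is_yes(settings.get(name, "No"))]

    if authtype == "webserver":
        findings.append("CRITICAL: Authorization Type is 'webserver'; CVE-2025-66039 "
                        "allows bypassing Administrator Control Panel authentication. "
                        "Set it to 'usermanager' and reboot.")
    if len(enabled) == len(EXPOSING_SETTINGS):
        findings.append("WARNING: all three Advanced Settings that expose the "
                        "Authorization Type option are enabled: " + ", ".join(enabled))
    if "Override Readonly Settings" in enabled:
        findings.append("WARNING: 'Override Readonly Settings' is enabled; set it to 'No'.")
    return findings


def unexpected_admin_users(ampusers: Iterable[Dict[str, str]],
                           approved: Iterable[str]) -> List[str]:
    """Accounts present in the 'ampusers' table but absent from an approved
    baseline. The article notes that exploitation inserts users into
    'ampusers', so this diff is a cheap first compromise check."""
    approved_set = {name.lower() for name in approved}
    return sorted(row["username"] for row in ampusers
                  if row["username"].lower() not in approved_set)


if __name__ == "__main__":
    # Constructed sample data, not taken from any real system.
    sample_settings = {
        "Authorization Type": "webserver",
        "Display Friendly Name": "Yes",
        "Display Readonly Settings": "Yes",
        "Override Readonly Settings": "Yes",
    }
    sample_ampusers = [{"username": "admin"}, {"username": "svc_backup"},
                       {"username": "helpdesk"}]
    for line in audit_auth_settings(sample_settings):
        print(line)
    print("missing fixes on 16.0.43:", unpatched_cves("16.0.43"))
    print("unexpected ampusers rows:",
          unexpected_admin_users(sample_ampusers, ["admin", "helpdesk"]))
```

Run it against the setting values and `ampusers` rows exported from your own system; an empty findings list, no unpatched CVEs, and no unexpected accounts is the state the article's mitigation aims for.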
