Full Report
Multiple security vulnerabilities have been disclosed in the open-source private branch exchange (PBX) platform FreePBX, including a critical flaw that could result in an authentication bypass under certain configurations. The shortcomings, discovered by Horizon3.ai and reported to the project maintainers on September 15, 2025, are listed below - CVE-2025-61675 (CVSS score: 8.6) - Numerous
Analysis Summary
# Vulnerability: Multiple Flaws in FreePBX, Including SQLi, File Upload, and Authentication Bypass Leading to RCE
## CVE Details
- CVE ID: CVE-2025-61675, CVE-2025-61678, CVE-2025-66039
- CVSS Score: 8.6 (High) for CVE-2025-61675; 8.6 (High) for CVE-2025-61678; 9.3 (Critical) for CVE-2025-66039
- CWE: Not specified in detail, but related to SQL Injection (CWE-89), Arbitrary File Upload (CWE-434), and Authentication Bypass.
## Affected Systems
- Products: FreePBX open-source PBX platform.
- Versions:
- CVE-2025-61675 & CVE-2025-61678: Versions prior to 16.0.92 and 17.0.6.
- CVE-2025-66039: Versions prior to 16.0.44 and 17.0.23.
- Configurations:
- CVE-2025-66039 (Auth Bypass): Only vulnerable when "Authorization Type" (AUTHTYPE) in Advanced Settings Details is set to "webserver" AND the following prerequisite settings are met: "Display Friendly Name" is "Yes", "Display Readonly Settings" is "Yes", and "Override Readonly Settings" is "Yes".
## Vulnerability Description
The disclosed flaws allow authenticated and unauthenticated remote attackers to achieve Remote Code Execution (RCE):
1. **CVE-2025-61675 (SQL Injection):** Numerous authenticated SQL injection vulnerabilities exist across four endpoints (`basestation`, `model`, `firmware`, and `custom extension`) affecting 11 parameters. This allows attackers with authentication to read and write to the underlying SQL database.
2. **CVE-2025-61678 (Arbitrary File Upload):** An authenticated arbitrary file upload vulnerability permits an attacker (with a valid PHPSESSID) to exploit the firmware upload endpoint to upload a PHP web shell, resulting in arbitrary command execution and sensitive file leakage (e.g., `/etc/passwd`).
3. **CVE-2025-66039 (Authentication Bypass):** When the "Authorization Type" (AUTHTYPE) is specifically configured to "webserver," an attacker can bypass authentication by sending a forged Authorization header, allowing them to log directly into the Administrator Control Panel and insert a malicious user into the `ampusers` database table.
## Exploitation
- Status: Easily exploitable; described as enabling RCE for remote attackers.
- Complexity: Low to Medium. CVE-2025-61675 and CVE-2025-61678 require authentication (valid PHPSESSID/username/password may be needed depending on the endpoint), while CVE-2025-66039 can lead to unauthenticated login under specific configuration prerequisites.
- Attack Vector: Network (Remote).
## Impact
- Confidentiality: High (Due to SQLi and ability to leak sensitive files like `/etc/passwd`).
- Integrity: High (Due to SQL write access and ability to inject a malicious user account via Auth Bypass).
- Availability: High (Achievable RCE could lead to total system compromise).
## Remediation
### Patches
- **CVE-2025-61675 & CVE-2025-61678:** Patched in versions **16.0.92** and **17.0.6** (Fixed October 14, 2025).
- **CVE-2025-66039:** Patched in versions **16.0.44** and **17.0.23** (Fixed December 9, 2025).
### Workarounds
1. Set "Authorization Type" to **"usermanager"** in Advanced Settings.
2. Set "Override Readonly Settings" to **"No"**.
3. Apply the new configuration and reboot the system to disconnect existing rogue sessions.
4. **Best Practice:** Avoid using the "webserver" authentication type entirely, as it is noted to be legacy code. Users whose systems were inadvertently using "webserver" should conduct a full compromise analysis. Furthermore, the option to select the authentication provider has been removed from Advanced Settings, requiring manual setting via `fwconsole`.
## Detection
- **Indicators of Compromise:** Presence of unexpected users in the `ampusers` database table; unexpected file uploads in web-accessible directories (especially PHP shells); unauthorized SQL queries logged in database activity; successful authentication activities from unexpected IPs/users around the patch dates.
- **Detection Methods and Tools:** Review system access logs for unusual `Authorization` header usage; utilize system monitoring tools to detect remote command execution patterns originating from the FreePBX application layer.
## References
- Vendor Advisory Root Link: hxxps://horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/
- GHSA for CVE-2025-61675: hxxps://github.com/FreePBX/security-reporting/security/advisories/GHSA-292p-rj6h-54cp
- GHSA for CVE-2025-61678: hxxps://github.com/FreePBX/security-reporting/security/advisories/GHSA-7p8x-8m3m-58j9
- GHSA for CVE-2025-66039: hxxps://github.com/FreePBX/security-reporting/security/advisories/GHSA-9jvh-mv6x-w698
- Article URL: hxxps://thehackernews.com/2025/12/freepbx-authentication-bypass-exposed.html