Critical FreePBX Vulnerabilities: CVE-2025-66039, CVE-2025-61675, CVE-2025-61678
January 13, 2026
FreePBX, a widely deployed open-source IP PBX management tool, serves as a critical component in Voice over IP (VoIP) infrastructures for businesses globally. Due to its role in managing communications, these systems often require high availability and relatively open access, making them attractive targets for threat actors.
Recent security assessments have identified multiple critical vulnerabilities within the FreePBX ecosystem. These include an authentication bypass vulnerability (CVE-2025-66039), multiple authenticated SQL injection flaws (CVE-2025-61675), and an authenticated arbitrary file upload vulnerability leading to Remote Code Execution (RCE) (CVE-2025-61678). While some of these flaws technically require authentication, the discovery of the authentication bypass mechanism allows unauthenticated attackers to chain these vulnerabilities, effectively granting full remote control over the target system.
What is FreePBX?
FreePBX functions as the central node of a complex telecommunications ecosystem, bridging connections between the PSTN, ITSP, and SIP trunks.
Beyond these network links, the system manages a diverse range of endpoints, including analog and digital gateways, physical phones, and various software clients for desktop or mobile users. Because accommodating this extensive connectivity requires keeping multiple interfaces open to external networks and remote users, the appliance inherently faces a significantly expanded potential attack surface.
How Does the CVE-2025-66039 Authentication Bypass Vulnerability in FreePBX Work?
The most critical link in this kill chain is CVE-2025-66039, an authentication bypass vulnerability affecting the "webserver" authentication type configuration in FreePBX.
FreePBX supports multiple authentication mechanisms, configured via "Advanced Settings." Options include database, none, usermanager, and webserver. The vulnerability resides specifically within the webserver authentication flow. This method delegates authentication security to the Apache web server layer.
Analysis of the gui_auth.php file revealed a flaw in how the application handles session creation when this mode is active. The application checks for the PHP_AUTH_USER key in the server variables.
case 'webserver':
If an attacker sends a request with a valid username (e.g., admin) in the Authorization header, FreePBX initializes a session for that user without verifying the password. This allows for complete bypass of the authentication mechanism.
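The flaw above is a trust problem rather than a parsing problem: PHP fills PHP_AUTH_USER from whatever Authorization header the client sends, so its presence says nothing about whether the web server verified a password. The following added example (not FreePBX code, and not taken from gui_auth.php) models that decision in Python with a constructed request. The hardened variant assumes, as with Apache's authentication modules, that the web server exports the identity it actually verified in REMOTE_USER and leaves that variable unset otherwise.

```python
# Added example, not FreePBX code: the "webserver" AUTHTYPE logic flaw in
# miniature. PHP_AUTH_USER is derived from the client-supplied header, so
# trusting it alone grants a session to anyone who names a valid user.
import base64
from typing import Optional


def basic_header(user: str, password: str) -> dict:
    """Build the client-side 'Authorization: Basic ...' header (constructed input)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def parse_basic_auth(headers: dict) -> dict:
    """Mimic PHP populating PHP_AUTH_USER / PHP_AUTH_PW from the header.
    Nothing is verified here; the values are exactly what the client sent."""
    server_vars = {}
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[6:]).decode()
        except (ValueError, UnicodeDecodeError):
            return server_vars
        user, _, password = decoded.partition(":")
        server_vars["PHP_AUTH_USER"] = user
        server_vars["PHP_AUTH_PW"] = password
    return server_vars


def vulnerable_webserver_auth(server_vars: dict) -> Optional[str]:
    """Flawed pattern: a present username is treated as an authenticated user."""
    return server_vars.get("PHP_AUTH_USER")


def hardened_webserver_auth(server_vars: dict) -> Optional[str]:
    """Hardened pattern (assumption: the web server sets REMOTE_USER only after
    it verified the credentials, as Apache's auth modules do). The
    client-controlled header is never accepted on its own."""
    verified = server_vars.get("REMOTE_USER")
    if not verified:
        return None
    # The identity in the header must agree with what the server verified.
    if server_vars.get("PHP_AUTH_USER") not in (None, verified):
        return None
    return verified


def simulate(headers: dict, server_authenticated_user: Optional[str] = None):
    """Run both checks on a constructed request. server_authenticated_user is
    what the web server itself would export after a successful login (None
    when no authentication took place at that layer)."""
    server_vars = parse_basic_auth(headers)
    if server_authenticated_user:
        server_vars["REMOTE_USER"] = server_authenticated_user
    return vulnerable_webserver_auth(server_vars), hardened_webserver_auth(server_vars)


if __name__ == "__main__":
    # A valid username with a wrong password and no server-side authentication:
    # the flawed check still yields a session for "admin".
    print(simulate(basic_header("admin", "wrong")))
    # The web server verified the credentials and exported REMOTE_USER.
    print(simulate(basic_header("admin", "correct"), server_authenticated_user="admin"))
```

The practical check for operators is the same as in the hardened function: with AUTHTYPE set to webserver, confirm that the front-end web server really performs authentication for the admin paths, because the application layer will not.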
How Do SQL Injection Vulnerabilities in FreePBX (CVE-2025-61675) Work?
Following the authentication bypass, or with valid credentials, multiple SQL injection (SQLi) vulnerabilities were identified within the Endpoint Management module. These flaws allow attackers to read from or write to the database.
It was observed that 4 unique views and 11 parameters are affected. These views are basestation, firmware, basefile, and customExt. The combination of view (customExt) and parameter (id) shown below allows an attacker to insert users into a table:
POST /admin/config.php?display=endpoint&view=customExt&new=1 HTTP/1.1
Vulnerable parameters for each view are shown below [1]:
| View | Parameters |
| --- | --- |
| basestation | name, brand, template, ac |
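To show why a request parameter such as id can change the meaning of a query, here is an added example in Python (not FreePBX code; the table, column names and rows are constructed for the example). An in-memory SQLite table stands in for a custom-extension lookup; the vulnerable function interpolates the parameter into the SQL string, the hardened one validates the type and binds the value.

```python
# Added example, not FreePBX code: string-built SQL versus a bound parameter,
# using a constructed table that stands in for an endpoint-manager view.
import sqlite3

# Constructed sample data for the example.
ROWS = [(1, "ext-101", "Front desk"), (2, "ext-102", "Warehouse"), (3, "ext-103", "Lab")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE custom_ext (id INTEGER PRIMARY KEY, name TEXT, description TEXT)")
    conn.executemany("INSERT INTO custom_ext VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, id_param: str):
    """The flaw class: the request parameter becomes part of the SQL text."""
    sql = f"SELECT id, name FROM custom_ext WHERE id = {id_param}"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, id_param: str):
    """Validate the expected type, then bind it; the input cannot alter the query."""
    try:
        id_value = int(id_param)
    except ValueError:
        return []  # anything that is not an integer id is rejected outright
    return conn.execute("SELECT id, name FROM custom_ext WHERE id = ?", (id_value,)).fetchall()


def compare(id_param: str):
    """Return (rows from the vulnerable lookup, rows from the hardened lookup)."""
    conn = make_db()
    try:
        return len(lookup_vulnerable(conn, id_param)), len(lookup_hardened(conn, id_param))
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("2"))          # a normal id behaves identically in both
    print(compare("2 OR 1=1"))   # the tautology widens only the vulnerable query
```

The same pattern applies to every parameter in the table above: whichever of the 11 parameters is involved, the fix is to stop treating request values as SQL text.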
How Does the CVE-2025-61678 Arbitrary File Upload and Remote Code Execution Vulnerability in FreePBX Work?
With authentication bypassed, attackers can leverage the Endpoint Manager Custom Firmware Management feature to upload malicious files.
The upload_cust_fw argument in this feature is intended for uploading phone firmware. However, it was observed that the application fails to adequately validate the file content or the destination path. The vulnerability is exploited in two steps:
- Session Acquisition: A GET request is sent to /admin/config.php, applying the authentication bypass technique mentioned above to obtain a valid PHPSESSID.
- Webshell Upload: A POST request is constructed to upload a PHP webshell. The fwbrand parameter is manipulated to traverse directories (../../../var/www/html), placing the file in the web root.
The upload request is shown below:
POST /admin/ajax.php?module=endpoint&command=upload_cust_fw HTTP/1.1
Upon successful upload, the webshell is accessible at /webshell.php. An attacker can then execute arbitrary system commands. An example command to read the /etc/passwd file on the target server is shown below:
GET /webshell.php?cmd=cat+/etc/passwd HTTP/1.1
The response proves the exploitation was successful:
root:x:0:0:root:/root:/bin/bash
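Both stages of the chain leave traces in the web server's access log: a POST to the custom-firmware upload command, and later requests for a PHP file sitting directly in the web root. The detector below is an added example (not Picus or FreePBX code) that scans constructed Apache combined-format log lines for those traces. The request paths mirror the ones quoted above; the sample line carrying fwbrand in the query string is an assumption made so the traversal is visible, since form bodies are not written to access logs. The baseline of PHP files expected at the web root is also an assumption and should be taken from a clean install.

```python
# Added example, not Picus or FreePBX code: flag the observable stages of the
# upload-to-webshell chain in Apache-style access logs.
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log in Apache "combined" format (IPs from documentation ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Jan/2026:10:01:02 +0000] "GET /admin/config.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2026:10:01:05 +0000] "POST /admin/ajax.php?module=endpoint&command=upload_cust_fw HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2026:10:01:09 +0000] "GET /webshell.php?cmd=id HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.4 - - [12/Jan/2026:10:02:11 +0000] "GET /admin/config.php?display=endpoint&view=firmware HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
203.0.113.4 - - [12/Jan/2026:10:02:40 +0000] "POST /admin/ajax.php?module=endpoint&command=upload_cust_fw&fwbrand=..%2F..%2F..%2Fvar%2Fwww%2Fhtml HTTP/1.1" 200 87 "-" "curl/8.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: PHP files legitimately served straight from the web root of this
# install. Build this from a known-good deployment rather than trusting the default.
WEBROOT_BASELINE = {"/index.php"}


def parse_line(line: str):
    """Split one access-log line into ip, method, path and decoded query parameters."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query, keep_blank_values=True)
    return rec


def has_traversal(values) -> bool:
    """True if any parameter value contains a parent-directory step; unquote once
    more so a double-encoded '%252F' is caught as well."""
    return any("../" in unquote(v) or "..\\" in unquote(v) for vals in values for v in vals)


def scan(log_text: str):
    """Return (ip, rule, path) findings for every suspicious line."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        q = rec["query"]
        # Stage 1: a custom-firmware upload. Rare for legitimate admins, so every
        # occurrence deserves an audit entry even without visible traversal.
        if rec["method"] == "POST" and rec["path"] == "/admin/ajax.php" and q.get("command") == ["upload_cust_fw"]:
            findings.append((rec["ip"], "custom_fw_upload", rec["path"]))
        # Traversal in any visible parameter (fwbrand in the write-up).
        if has_traversal(q.values()):
            findings.append((rec["ip"], "path_traversal", rec["path"]))
        # Stage 2: a PHP file served from the web root that is not in the baseline.
        parts = rec["path"].strip("/").split("/")
        if len(parts) == 1 and parts[0].endswith(".php") and rec["path"] not in WEBROOT_BASELINE:
            findings.append((rec["ip"], "unexpected_webroot_php", rec["path"]))
    return findings


def summarize(findings) -> dict:
    """Count findings per rule."""
    return dict(Counter(rule for _, rule, _ in findings))


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
    print(summarize(scan(SAMPLE_LOG)))
```

A file-integrity check on the web root (any new .php file outside the package manifest) complements the log rule, since the webshell request only appears after the upload has already succeeded.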
How Does Picus Help Simulate FreePBX CVE-2025-61675 Attacks?
We also strongly suggest simulating the FreePBX CVE-2025-61675 vulnerability to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as regreSSHion, Citrix Bleed, and Follina, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for FreePBX CVE-2025-61675 vulnerability exploitation attacks:
| Threat ID | Threat Name | Attack Module |
| --- | --- | --- |
| 84335 | FreePBX Web Attack Campaign | Web Application |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
Key Takeaways
- FreePBX acts as a central node in Voice over IP (VoIP) infrastructures, managing connections for PSTN, ITSP, SIP trunks, and various endpoints, which inherently expands its potential attack surface due to required open interfaces.
- Recent security assessments identified three critical vulnerabilities within the FreePBX ecosystem: an authentication bypass (CVE-2025-66039), multiple SQL injection flaws (CVE-2025-61675), and an arbitrary file upload vulnerability leading to Remote Code Execution (CVE-2025-61678).
- Unauthenticated attackers can chain these vulnerabilities to gain full remote control of the system, using the authentication bypass to access flaws that typically require valid credentials.
- CVE-2025-66039 allows attackers to bypass the "webserver" authentication mechanism by sending a request with a valid username in the Authorization header, which forces the system to initialize a session without password verification.
- The SQL injection vulnerabilities (CVE-2025-61675) reside in the Endpoint Management module across four unique views (basestation, firmware, basefile, and customExt), allowing attackers to read from or write to the database, such as inserting new users.
- CVE-2025-61678 enables Remote Code Execution (RCE) through the Endpoint Manager Custom Firmware Management feature, where the application fails to validate file content or destination paths during uploads.
- Attackers exploit the RCE vulnerability by manipulating the fwbrand parameter to perform directory traversal, allowing them to place a malicious PHP webshell directly into the web root for execution.
References
[1] The Hacker News, “FreePBX Patches Critical SQLi, File-Upload, and AUTHTYPE Bypass Flaws Enabling RCE,” The Hacker News. Accessed: Jan. 12, 2026. [Online]. Available: https://thehackernews.com/2025/12/freepbx-authentication-bypass-exposed.html
