Multiple security vulnerabilities have been disclosed in the open-source private branch exchange (PBX) platform FreePBX, including a critical flaw that could result in authentication bypass under certain configurations.
The vulnerabilities discovered by Horizon3.ai and reported to project maintainers on September 15, 2025 are listed below –
- CVE-2025-61675 (CVSS Score: 8.6) – Multiple SQL injection vulnerabilities impacting four unique endpoints (basestation, model, firmware, and custom extension) and 11 affected parameters that enable read and write access to the underlying SQL database.
- CVE-2025-61678 (CVSS Score: 8.6) – An arbitrary file upload vulnerability that allows an attacker, after obtaining a valid PHPSESSID, to abuse the firmware upload endpoint to upload a PHP web shell and run arbitrary commands, for example to leak the contents of sensitive files such as “/etc/passwd”.
- CVE-2025-66039 (CVSS Score: 9.3) – An authentication bypass vulnerability that occurs when the “Authorization Type” (aka AUTHTYPE) is set to “Webserver”, allowing an attacker to log in to the Administrator Control Panel via a forged Authorization header.
It is worth mentioning here that the authentication bypass is not exploitable in the default configuration of FreePBX, given that the “Authorization Type” option is only displayed if the following three values in Advanced Settings are set to “Yes”:
- Display friendly name
- Display read-only settings, and
- Override read-only settings
However, once the condition is met, an attacker can send crafted HTTP requests to bypass authentication and insert a malicious user into the “empusers” database table, effectively accomplishing something similar to CVE-2025-57819, another flaw in FreePBX that was disclosed as being actively exploited in the wild in September 2025.
“These vulnerabilities are easily exploitable and enable authenticated/unauthenticated remote attackers to achieve remote code execution on vulnerable FreePBX instances,” Horizon3.ai security researcher Noah King said in a report published last week.
The issues have been addressed in the following versions –
- CVE-2025-61675 and CVE-2025-61678 – 16.0.92 and 17.0.6 (fixed on October 14, 2025)
- CVE-2025-66039 – 16.0.44 and 17.0.23 (scheduled for December 9, 2025)
Additionally, the option to choose the authentication provider has been removed from Advanced Settings, and users now need to set it manually from the command line using fwconsole. As a temporary mitigation, FreePBX recommends that users set the “Authorization Type” to “User Manager”, set “Override read-only settings” to “No”, apply the new configuration, and reboot the system to disconnect any compromised sessions.
It says, “If you discovered that Web Server AUTHTYPE was inadvertently enabled, you should thoroughly analyze your system for any signs of potential compromise.”
Users are also shown a warning on the dashboard stating that “WebServer” may provide less security than “UserManager” and that, for optimal security, it is recommended to avoid this authentication type.
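The mitigation and post-incident advice above can be turned into a repeatable check. The script below is an added example, not FreePBX project code: it takes a dump of the FreePBX settings (keyword to value, as stored in the freepbx_settings table or read back with fwconsole) plus a list of admin usernames, flags the “Webserver” AUTHTYPE and the three Advanced Settings toggles that expose it, and lists admin accounts that are not on a known-good list so that an entry planted in the user table stands out. The settings keywords other than AUTHTYPE, the exact fwconsole command syntax, and the sample data are assumptions and are labelled as such in the code.

```python
"""Defender-side audit for the FreePBX exposure conditions described in the advisory.

Added example, not FreePBX project code. The inputs are constructed samples that
stand in for a dump of the freepbx_settings table (keyword -> value) and for the
usernames in the admin user table ("empusers" in the advisory text).
"""
from dataclasses import dataclass, field

# FreePBX stores toggles as 0/1 or true/false strings; accept either form.
TRUE_VALUES = {"1", "true", "yes", "on"}

# ASSUMED keyword names for the three Advanced Settings toggles that must all be
# "Yes" before the "Authorization Type" option is displayed.
TOGGLE_KEYS = (
    "AS_DISPLAY_FRIENDLY_NAME",
    "AS_DISPLAY_READONLY_SETTINGS",
    "AS_OVERRIDE_READONLY",
)

# Constructed sample: an exposed install (all toggles on, AUTHTYPE = webserver).
SAMPLE_EXPOSED = {
    "AUTHTYPE": "webserver",
    "AS_DISPLAY_FRIENDLY_NAME": "1",
    "AS_DISPLAY_READONLY_SETTINGS": "true",
    "AS_OVERRIDE_READONLY": "1",
}

# Constructed sample: the recommended configuration.
SAMPLE_SAFE = {
    "AUTHTYPE": "usermanager",
    "AS_DISPLAY_FRIENDLY_NAME": "1",
    "AS_DISPLAY_READONLY_SETTINGS": "1",
    "AS_OVERRIDE_READONLY": "0",
}

# Constructed sample of admin usernames, one of which nobody recognises.
SAMPLE_ADMINS = ["admin", "svc_backup"]


def as_bool(value) -> bool:
    """Normalise a FreePBX toggle value to a Python bool."""
    return str(value).strip().lower() in TRUE_VALUES


@dataclass
class Finding:
    severity: str
    message: str
    remediation: list = field(default_factory=list)


def audit_settings(settings: dict) -> list:
    """Return findings for the AUTHTYPE bypass condition and its enabling toggles."""
    findings = []

    authtype = str(settings.get("AUTHTYPE", "")).strip().lower()
    if authtype == "webserver":
        findings.append(Finding(
            "critical",
            "AUTHTYPE is 'webserver': the admin panel trusts the Authorization "
            "header (CVE-2025-66039)",
            [
                "fwconsole setting AUTHTYPE usermanager",  # assumed fwconsole syntax
                "fwconsole reload",                          # assumed fwconsole syntax
                "reboot to disconnect existing sessions",
                "review the admin user table for accounts you did not create",
            ],
        ))

    toggles = {key: as_bool(settings.get(key, "0")) for key in TOGGLE_KEYS}
    if all(toggles.values()):
        findings.append(Finding(
            "warning",
            "All three Advanced Settings toggles that expose the 'Authorization "
            "Type' option are enabled",
            ["fwconsole setting AS_OVERRIDE_READONLY 0"],  # assumed fwconsole syntax
        ))

    return findings


def unexpected_admins(usernames, expected) -> list:
    """Admin accounts present in the user table but absent from the known-good list."""
    return sorted(set(usernames) - set(expected))


if __name__ == "__main__":
    for finding in audit_settings(SAMPLE_EXPOSED):
        print(f"[{finding.severity}] {finding.message}")
        for step in finding.remediation:
            print(f"    -> {step}")
    print("unexpected admin accounts:", unexpected_admins(SAMPLE_ADMINS, {"admin"}))
```

Run it against a real settings dump and user list instead of the constructed samples; an empty result from both functions is the state the advisory's mitigation aims for. The known-good admin list has to come from your own records, since the tables on a box that may already have been tampered with are not a trustworthy source for it.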
“It is important to note that the underlying vulnerable code still exists and relies on authentication layers to provide security and access to the FreePBX instance,” King said. “This still requires passing an Authorization header with the basic base64 encoded username:password.”
“Based on the last point, we noticed that a valid username was required. In other cases, such as the file upload shared above, a valid username is not required, and as mentioned, you can achieve remote code execution with a few steps. It is a best practice to not use the authentication type webserver as this appears to be legacy code.”