- Several security vulnerabilities were found in the open-source PBX platform FreePBX, including a critical authentication bypass.
- The flaws, an SQL injection, an arbitrary file upload and an authentication bypass, were reported to the vendor in September 2025 and publicly disclosed in December 2025.
- The critical authentication bypass affects systems configured with the “webserver” Authorization Type and allows unauthorized administrative access.
- These vulnerabilities have been fixed in recent software versions, and temporary mitigations are recommended until updates are applied.
- Users are advised to avoid the legacy “webserver” authentication type because it offers weaker security than “usermanager”.
FreePBX, an open-source private branch exchange platform, was found to have multiple security vulnerabilities disclosed in December 2025. The issues were discovered by Horizon3.ai and reported on September 15, 2025. These vulnerabilities include a critical authentication bypass that can allow unauthorized access under certain configurations.
The disclosed security flaws are as follows:
– CVE-2025-61675: An authenticated SQL injection vulnerability affecting four endpoints and 11 parameters. It allows an authenticated attacker to read and modify the underlying SQL database (CVSS score: 8.6).
– CVE-2025-61678: An authenticated arbitrary file upload vulnerability. Attackers with a valid PHPSESSID can upload a PHP web shell through the firmware upload endpoint, execute arbitrary commands, and access sensitive files such as “/etc/passwd” (CVSS score: 8.6).
– CVE-2025-66039: A critical authentication bypass vulnerability (CVSS score: 9.3). When the “Authorization Type” is set to “webserver,” an unauthenticated attacker can log in to the Administrator Control Panel using a forged Authorization header.
This authentication bypass is not exploitable on a default installation, because “webserver” is not the default Authorization Type and the option to change it is only shown when three Advanced Settings, Display Friendly Name, Display Readonly Settings and Override Readonly Settings, are all enabled. Where an administrator has switched the type to “webserver,” an attacker can bypass authentication and insert malicious users into the “ampusers” table, an outcome similar to the earlier CVE-2025-57819, which was being actively exploited in September 2025.
“These vulnerabilities are easily exploitable and enable authenticated/unauthenticated remote attackers to achieve remote code execution on vulnerable FreePBX instances,” stated Horizon3.ai security researcher Noah King. The flaws were fixed in versions 16.0.92 and 17.0.6 (October 14, 2025) for CVE-2025-61675 and CVE-2025-61678, and versions 16.0.44 and 17.0.23 (December 9, 2025) for CVE-2025-66039.
As an additional hardening measure, the authentication provider selection has been removed from Advanced Settings; it must now be configured from the command line with fwconsole. Until the fixed versions are installed, the recommended temporary mitigation is to set “Authorization Type” to “usermanager,” disable “Override Readonly Settings,” apply the configuration, and reboot the system so that any sessions opened through the bypass are terminated.
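Putting the exposure conditions and the interim mitigation from the two preceding paragraphs into one triage script, as an added example written for this page (not code from Horizon3.ai, Sangoma or the FreePBX project): it classifies a host from its settings, lists full-admin `ampusers` entries that are not on an allowlist, and applies the mitigation. The `freepbx_settings` keyword names (`AUTHTYPE`, `AS_DISPLAY_FRIENDLY_NAME`, `AS_DISPLAY_READONLY_SETTINGS`, `AS_OVERRIDE_READONLY`), the `ampusers` column names, passwordless root access to the `asterisk` database, and the exact `fwconsole setting <keyword> <value>` syntax are assumptions to verify against your own installation before running it with `--live`.

```bash
#!/usr/bin/env bash
# Added example, not code from the article, Horizon3.ai or the FreePBX project.
# Triage a FreePBX host for the CVE-2025-66039 preconditions, look for accounts
# added to ampusers, and apply the interim mitigation from the advisory.
# Assumptions: the Advanced Settings labels are backed by the freepbx_settings
# keywords used below; root on the PBX can query the 'asterisk' database; and
# 'fwconsole setting <keyword> <value>' is the CLI form for changing a setting.

# Print the value for one keyword from "keyword=value" lines on stdin.
setting_value() {
  awk -F= -v k="$1" '$1 == k { print $2; exit }'
}

# Boolean settings may be stored as 1/0 or true/false; treat both as "on".
is_on() {
  case "$1" in 1|true|yes) return 0 ;; *) return 1 ;; esac
}

# Classify a settings dump on stdin:
#   VULNERABLE  webserver Authorization Type is active (forged header accepted)
#   EXPOSED     the three settings that reveal the option in the GUI are all on
#   OK          neither condition holds
classify() {
  local dump
  dump=$(cat)
  if [ "$(printf '%s\n' "$dump" | setting_value AUTHTYPE)" = "webserver" ]; then
    echo VULNERABLE
  elif is_on "$(printf '%s\n' "$dump" | setting_value AS_DISPLAY_FRIENDLY_NAME)" &&
       is_on "$(printf '%s\n' "$dump" | setting_value AS_DISPLAY_READONLY_SETTINGS)" &&
       is_on "$(printf '%s\n' "$dump" | setting_value AS_OVERRIDE_READONLY)"; then
    echo EXPOSED
  else
    echo OK
  fi
}

# Read "username<TAB>sections" lines on stdin; print full-admin accounts
# (sections = '*') whose username is not in the space-separated allowlist $1.
unexpected_admins() {
  awk -F'\t' -v allow=" $1 " '$2 == "*" && index(allow, " " $1 " ") == 0 { print $1 }'
}

# Live queries, to be run on the PBX itself (assumed schema, see above).
dump_settings() {
  mysql -N -B asterisk -e "SELECT keyword, value FROM freepbx_settings
    WHERE keyword IN ('AUTHTYPE','AS_DISPLAY_FRIENDLY_NAME',
                      'AS_DISPLAY_READONLY_SETTINGS','AS_OVERRIDE_READONLY')" |
    tr '\t' '='
}
dump_admins() {
  mysql -N -B asterisk -e "SELECT username, sections FROM ampusers"
}

# Interim mitigation: usermanager auth, Override Readonly Settings off, apply
# config, then reboot to drop sessions opened with a forged header.
# The value encoding for the boolean (0 rather than false) is assumed.
mitigate() {
  fwconsole setting AUTHTYPE usermanager
  fwconsole setting AS_OVERRIDE_READONLY 0
  fwconsole reload
  echo "Reboot now to terminate any sessions opened with a forged Authorization header."
}

# Constructed sample data for a dry run: a misconfigured host with one extra admin.
SAMPLE_SETTINGS='AUTHTYPE=webserver
AS_DISPLAY_FRIENDLY_NAME=1
AS_DISPLAY_READONLY_SETTINGS=1
AS_OVERRIDE_READONLY=1'
SAMPLE_ADMINS=$(printf 'admin\t*\nsupport\t*\nhelpdesk\tcore\n')

if [ "${1:-}" = "--live" ]; then
  case "$(dump_settings | classify)" in
    VULNERABLE) mitigate ;;
    EXPOSED)    echo "Option is reachable in the GUI; turn AS_OVERRIDE_READONLY off." ;;
    OK)         echo "Authorization Type is not webserver." ;;
  esac
  echo "Full-admin accounts not on the allowlist:"
  dump_admins | unexpected_admins "admin"
else
  printf '%s\n' "$SAMPLE_SETTINGS" | classify                    # VULNERABLE
  printf '%s\n' "$SAMPLE_ADMINS" | unexpected_admins "admin"     # support
fi
```

Without `--live` the script only classifies the constructed sample, so it can be read and tested anywhere; an `EXPOSED` result on a real host means the switch was reachable and the `ampusers` review matters even if the type is currently `usermanager`.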
Users are warned on the dashboard that the “webserver” authentication type may offer reduced security compared to “usermanager” and should be avoided. “It is best practice not to use the authentication type webserver as it appears to be legacy code,” King emphasized.
The affected code paths rely on an outer authentication layer to protect them. In “webserver” mode the application trusts the credentials carried in the HTTP Authorization header, which is why a forged header is enough to reach the Administrator Control Panel, while the file upload flaw lets an attacker holding any valid session proceed to remote code execution. Administrators should review their systems thoroughly if “webserver” authentication was ever enabled, even inadvertently.