Researchers Uncover Multiple Critical FreePBX Vulnerabilities Enabling Remote Code Execution

Researchers at penetration testing and security company Horizon3.ai have disclosed a series of high-impact vulnerabilities in FreePBX, a widely used open-source VoIP and IP PBX management platform, raising serious concerns for organizations running unpatched systems.

The findings detail multiple flaws that attackers could chain together to gain full remote code execution (RCE) on affected FreePBX instances. While some issues require authentication, others can be exploited under specific configurations without valid credentials.

Why FreePBX Matters

FreePBX deployments need to remain reachable and integrated with other services, which tends to expose a large attack surface and makes them attractive targets for threat actors.

Three New CVEs, One Dangerous Attack Chain

Researchers identified and responsibly disclosed three previously unknown vulnerabilities, each now assigned its own CVE:

  • CVE-2025-66039 – Authentication bypass when FreePBX is configured to use “webserver” authentication
  • CVE-2025-61675 – Multiple SQL injection flaws across several FreePBX endpoints
  • CVE-2025-61678 – Arbitrary file upload leading to remote code execution

Each issue is serious on its own, and combined they allow attackers to escalate from limited or forged access to full system compromise.

Authentication Bypass via Webserver Auth

The authentication bypass vulnerability involves FreePBX’s optional “webserver” authentication mode, which relies on Apache to handle access control instead of FreePBX’s default user management system.

The research found that when this mode is enabled, FreePBX trusts any request containing a Basic Authorization header with a valid username, even if the password is incorrect. This design flaw allows attackers to bypass authentication entirely by forging the header.

This authentication type is not enabled by default, but it is available in advanced settings and may exist in legacy or custom deployments.

SQL Injection Opens the Door

Once authentication checks are bypassed (or when a valid session exists), attackers can exploit multiple SQL injection vulnerabilities across the FreePBX Endpoint Management module.

According to the research, at least 11 parameters across four endpoints were vulnerable, enabling attackers to:

  • Read sensitive data from the database
  • Add or modify administrative users
  • Inject malicious cron jobs that execute operating system commands

Because FreePBX uses database-driven scheduled tasks, SQL injection can quickly escalate into full remote code execution.

File Upload Flaw Enables Webshells

The most severe outcome comes from CVE-2025-61678, an arbitrary file upload vulnerability.

Researchers found that the firmware upload feature—intended for managing VoIP phone firmware—did not adequately validate file paths or content. Under certain conditions, attackers could upload arbitrary files, including PHP webshells, directly into the web-accessible directory.

Once uploaded, these files allow attackers to execute system commands remotely, effectively granting full control of the FreePBX server.

Horizon3.ai reports that the most dangerous attack path requires FreePBX to be configured with webserver authentication or no authentication at all, which does not appear to be common in default deployments.

However, internet-wide scans using Shodan show thousands of exposed FreePBX instances, meaning misconfigured or outdated systems remain a realistic target.

The SQL injection and file upload issues affect systems regardless of authentication type, although a valid session is typically required unless the auth bypass is present.

Patches and Mitigations Available

FreePBX has released updates addressing all three vulnerabilities. Users and organizations should ensure they are running one of the following patched versions:

  • FreePBX 16.0.42 or later
  • FreePBX 16.0.92
  • FreePBX 17.0.6 or later
  • FreePBX 17.0.22

In addition, FreePBX has removed the authentication type selector from the web interface. Administrators must now explicitly enable webserver authentication via command line, and a prominent security warning is displayed if it is used.

Security experts strongly recommend reverting to the default usermanager authentication and avoiding webserver authentication altogether, as it appears to rely on legacy code paths.

Those running FreePBX should review their systems for signs of compromise, including:

  • Unexpected users in the ampusers database table
  • Suspicious scheduled tasks in cron_jobs
  • Unknown files or webshells under /var/www/html

If any of these indicators are present, administrators should assume compromise and initiate incident response procedures immediately.
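The three indicators above, plus the authentication-mode audit recommended earlier, can be turned into a repeatable triage script. The following is an added example written for this article, not code from Horizon3.ai or the FreePBX project. Each check reads its input on stdin so it can be fed from the live database with the mysql client or from an export captured during incident response. It assumes (the page does not state this) that the FreePBX database is named "asterisk", that ampusers has a "username" column, that cron_jobs has a "command" column, and that the current auth mode can be read with "fwconsole setting AUTHTYPE"; adjust the queries if your schema differs.

```shell
#!/bin/sh
# FreePBX post-disclosure triage helpers (example code, not from the article
# or the FreePBX project). Every check returns 0 when clean and 1 when it
# found something to look at, so the functions compose in scripts.
#
# Assumed, not taken from the page: database "asterisk", columns
# ampusers.username and cron_jobs.command, and "fwconsole setting AUTHTYPE"
# printing the bare mode name.

# check_authtype VALUE
# usermanager is the default; webserver and none are the risky modes.
check_authtype() {
  case "$1" in
    usermanager) return 0 ;;
    *) printf 'RISKY AUTHTYPE: %s (revert to usermanager)\n' "$1"; return 1 ;;
  esac
}

# check_ampusers ALLOWLIST_FILE  < usernames, one per line
# Prints admin accounts that are not on the allowlist.
check_ampusers() {
  allow="$1"
  status=0
  while IFS= read -r user; do
    [ -n "$user" ] || continue
    if ! grep -qxF -- "$user" "$allow"; then
      printf 'UNEXPECTED ADMIN USER: %s\n' "$user"
      status=1
    fi
  done
  return "$status"
}

# check_cron_jobs  < cron_jobs commands, one per line
# Flags commands that fetch or decode payloads or pipe into a shell. The
# patterns are deliberately broad; review every hit by hand.
check_cron_jobs() {
  status=0
  while IFS= read -r cmd; do
    [ -n "$cmd" ] || continue
    case "$cmd" in
      *curl*|*wget*|*/dev/tcp/*|*'bash -i'*|*'base64 -d'*|*'| sh'*|*'| bash'*)
        printf 'SUSPICIOUS CRON JOB: %s\n' "$cmd"
        status=1 ;;
    esac
  done
  return "$status"
}

# check_webroot WEBROOT BASELINE_FILE
# Lists .php files under WEBROOT that are absent from a baseline listing made
# on a known-good install of the same version.
check_webroot() {
  current=$(mktemp)
  find "$1" -type f -name '*.php' | sort > "$current"
  extra=$(sort "$2" | comm -13 - "$current")
  rm -f "$current"
  [ -z "$extra" ] && return 0
  printf '%s\n' "$extra" | sed 's/^/UNKNOWN PHP FILE: /'
  return 1
}

# Typical run on a FreePBX host (commands and paths are assumptions):
#   check_authtype "$(fwconsole setting AUTHTYPE)"
#   mysql -N -e 'SELECT username FROM asterisk.ampusers' | check_ampusers /root/known_admins.txt
#   mysql -N -e 'SELECT command FROM asterisk.cron_jobs' | check_cron_jobs
#   check_webroot /var/www/html /root/php_baseline.txt
```

The web-root check compares against a baseline rather than looking for "webshell-like" content, because the upload flaw lets an attacker place any PHP file; a file listing from a clean install of the same version is the only reliable reference. Keep the allowlist and baseline files off the PBX host so a compromised system cannot edit them.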

VoIP and PBX systems are often overlooked in security programs, despite their deep integration into business operations. As attackers continue to target non-traditional IT infrastructure, keeping systems patched, minimizing exposed services, and auditing authentication configurations are essential.
