Authenticated SQL Injection Vulnerability in FreePBX Endpoint Manager Module
CVE-2025-61675
8.6 HIGH
What is CVE-2025-61675?
The FreePBX Endpoint Manager module contains authenticated SQL injection flaws in several areas, including basestation, model, firmware, and custom extension configurations. An attacker with valid credentials can exploit these flaws to execute arbitrary SQL queries against the database, potentially gaining unauthorized access to sensitive data or altering database contents. The vulnerability has been addressed in updates, with patches provided in versions 16.0.92 for FreePBX 16 and 17.0.6 for FreePBX 17.
Affected Version(s)
security-reporting < 16.0.92
security-reporting >= 17.0.0, < 17.0.6