Authenticated SQL Injection Vulnerability in FreePBX Endpoint Manager Module

CVE-2025-61675

What is CVE-2025-61675?

CVE-2025-61675 is a serious vulnerability identified in the Endpoint Manager module of the FreePBX open-source telephony software. FreePBX is widely used for managing and configuring VoIP systems, enabling organizations to manage their telecommunication infrastructure effectively. This specific vulnerability arises from an authenticated SQL injection flaw present in versions prior to 16.0.92 for FreePBX 16 and versions before 17.0.6 for FreePBX 17. It allows authenticated users with valid usernames to exploit various parameters related to basestations, models, firmware, and custom extension configurations. Successful exploitation permits these users to execute arbitrary SQL queries on the database, which could have severe consequences such as unauthorized access to sensitive data or alteration of critical database information, undermining the integrity and confidentiality of the telecommunication system.

Potential impact of CVE-2025-61675

1. Data Breaches: The vulnerability could lead to unauthorized exposure of sensitive data stored in the database, enabling attackers to access user information, call logs, and other confidential records.

2. Database Integrity Compromise: Successful exploitation can allow attackers to modify or delete database entries, potentially leading to data manipulation, loss of crucial telecommunication data, and operational disruptions.

3. Increased Attack Surface: As the vulnerability requires only authenticated access, it increases the potential for insider threats or exploitation by users with legitimate credentials, complicating the security landscape for organizations using FreePBX.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch →

References