Authenticated Arbitrary File Upload Vulnerability in FreePBX Endpoint Manager
CVE-2025-61678

8.6 HIGH

Key Information:

Vendor:
FreePBX
CVE Published:
14 October 2025

What is CVE-2025-61678?

The FreePBX Endpoint Manager module contains an authenticated arbitrary file upload vulnerability in specific versions. The issue lies in the fwbrand parameter, which allows unauthorized modification of the file path. When exploited, the vulnerability lets authenticated users upload arbitrary files to attacker-controlled locations, which creates a risk of remote code execution. Patching is essential: versions 16.0.92 for FreePBX 16 and 17.0.6 for FreePBX 17 address this vulnerability.

Affected Version(s)

security-reporting < 16.0.92

security-reporting >= 17.0.0, < 17.0.6

CVSS V4

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
