Authenticated Arbitrary File Upload Vulnerability in FreePBX Endpoint Manager
CVE-2025-61678
What is CVE-2025-61678?
The FreePBX Endpoint Manager module contains an authenticated arbitrary file upload vulnerability in certain versions. The issue lies in the handling of the fwbrand parameter, which allows the file path to be modified without authorization. An authenticated user who exploits it can upload arbitrary files to attacker-controlled locations, which creates a risk of remote code execution. The vulnerability is addressed in version 16.0.92 for FreePBX 16 and version 17.0.6 for FreePBX 17; affected installations should be updated to these versions.

Affected Version(s)
security-reporting: < 16.0.92
security-reporting: >= 17.0.0, < 17.0.6
EPSS Score
16% chance of being exploited in the next 30 days.
