Authenticated Arbitrary File Upload Vulnerability in FreePBX Endpoint Manager
CVE-2025-61678
CVSS v4 score: 8.6 (HIGH)
What is CVE-2025-61678?
The FreePBX Endpoint Manager module is affected by an authenticated arbitrary file upload vulnerability in specific versions. The issue lies in the fwbrand parameter, which allows the destination file path to be manipulated. An authenticated user can therefore upload arbitrary files to attacker-controlled locations, which creates a risk of remote code execution. Patching is essential: the vulnerability is fixed in endpointman 16.0.92 for FreePBX 16 and 17.0.6 for FreePBX 17.
Affected Version(s)
endpointman < 16.0.92 (fixed in 16.0.92)
endpointman >= 17.0.0, < 17.0.6 (fixed in 17.0.6)
EPSS Score
20% chance of being exploited in the next 30 days.
CVSS v4
Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None