Authentication Bypass in FreePBX Endpoint Manager by FreePBX
CVE-2025-66039

9.3 CRITICAL

Key Information:

Vendor: FreePBX

CVE Published: 9 December 2025

What is CVE-2025-66039?

The FreePBX Endpoint Manager is susceptible to an authentication bypass when its authentication type is set to 'webserver'. In this mode, an attacker can bind a session to a chosen target user simply by supplying an arbitrary value in the Authorization header, so no valid credentials are ever checked. The issue is fixed in versions 16.0.44 and 17.0.23; installations running Endpoint Manager with 'webserver' authentication should update to one of these versions.

Affected Version(s)

security-reporting < 16.0.44

security-reporting >= 17.0.1, < 17.0.23

References

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
