Authentication Bypass in FreePBX Endpoint Manager by FreePBX
CVE-2025-66039

9.3CRITICAL

Key Information:

Vendor

Freepbx

Status
Security-reporting
Vendor
CVE Published:
9 December 2025

Badges

๐Ÿ“ˆ Trended๐Ÿ“ˆ Score: 3,570๐Ÿ‘พ Exploit Exists๐ŸŸฃ EPSS 31%๐Ÿ“ฐ News Worthy

What is CVE-2025-66039?

CVE-2025-66039 is a security vulnerability affecting the FreePBX Endpoint Manager, a module designed to facilitate the management of telephony endpoints in FreePBX systems. This vulnerability arises specifically when the authentication type is configured to "webserver." An attacker can exploit this flaw by providing an arbitrary value in the Authorization header, resulting in an authentication bypass where a session is wrongly associated with the targeted user, regardless of whether valid credentials are supplied. This unauthorized access could result in significant security risks for organizations relying on FreePBX for their communication needs, potentially leading to unauthorized changes to configuration settings, exposure of sensitive data, or manipulation of the telephony system.

Potential impact of CVE-2025-66039

  1. Unauthorized Access: Attackers could gain unauthorized access to user sessions, allowing them to manipulate telephony settings and potentially reroute calls or intercept communications without proper authorization.

  2. Data Exposure: The vulnerability could lead to the exposure of confidential information, including sensitive voice communications and configurations, which could be exploited for malicious purposes.

  3. System Compromise: If an attacker exploits this flaw, they may be able to compromise the overall integrity of the FreePBX system, leading to further attack vectors within the organizationโ€™s IT infrastructure, posing risks beyond just telephony systems.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

security-reporting < 16.0.44 < 16.0.44

security-reporting >= 17.0.1, < 17.0.23 < 17.0.1, 17.0.23

News Articles

favicon imageCyber Press

FreePBX Vulnerabilities Enable Authentication Bypass Leading to Remote Code Execution

The vulnerabilities chain together via an authentication bypass that circumvents web server authentication controls, enabling SQL injection and arbitrary file upload.

favicon imageSecNews.gr

FreePBX fixes critical vulnerabilities that allow RCE attack

FreePBX faces critical security vulnerabilities that allow remote code execution.

favicon imageThe Hacker News

FreePBX Patches Critical SQLi, File-Upload, and AUTHTYPE Bypass Flaws Enabling RCE

FreePBX patched 2025 flaws allowing SQL injection, file upload attacks, and an auth bypass only when webserver AUTHTYPE was enabled.

References

https://github.com/FreePBX/security-reporting/security/ad...
x_refsource_CONFIRM
https://github.com/FreePBX/framework/commit/0422425315654...
x_refsource_MISC
https://www.freepbx.org/watch-what-we-do-with-security-fi...
x_refsource_MISC

EPSS Score

31% chance of being exploited in the next 30 days.

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐Ÿ“ˆ

    Vulnerability started trending

  • ๐Ÿ‘พ

    Exploit known to exist

  • ๐Ÿ“ฐ

    First article discovered by cyberkendra.com

  • Vulnerability published

  • Vulnerability Reserved

JSON
.