FreePBX Vulnerabilities Allow RCE via SQL Injection, File Upload, and Auth Bypass


These articles are AI-generated summaries. Please check the original sources for full details.

Critical FreePBX Vulnerabilities Disclosed

FreePBX recently addressed three significant security vulnerabilities – CVE-2025-61675, CVE-2025-61678, and CVE-2025-66039 – impacting versions 16 and 17 of the open-source PBX platform. These flaws, discovered by Horizon3.ai, include SQL injection, arbitrary file upload, and an authentication bypass, with potential for remote code execution (RCE).

Each of the three bug classes is serious on its own on a PBX host: SQL injection and arbitrary file upload are both common routes to code execution on the web tier, and an authentication bypass removes the need for valid admin credentials when the affected configuration is in use. Successful exploitation can expose call records, extension configuration and stored credentials, or hand an attacker full control of the PBX, with remediation costs and reputational damage to match.

Key Insights

  • CVE-2025-57819 (September 2025): A similar FreePBX flaw was actively exploited in the wild in September 2025, so these new fixes should be treated as urgent rather than routine.
  • AUTHTYPE Configuration: The authentication bypass (CVE-2025-66039) is only exploitable when the “Authorization Type” (AUTHTYPE) setting is “webserver”, which is not the default; installs on “usermanager” are not affected by this particular bypass.
  • Mitigation Complexity: FreePBX recommends multiple steps to mitigate the auth bypass, including setting “Authorization Type” to “usermanager” and rebooting the system, in addition to updating the affected modules.

Practical Applications

  • Managed Service Providers: MSPs running FreePBX on behalf of customers should apply the patches promptly and check the “Authorization Type” on every managed instance, since one unpatched tenant can expose that customer’s telephony and call data.
  • Pitfall: Leaving “Authorization Type” on “webserver” (which trusts the host web server’s own authentication) keeps the bypass reachable even on otherwise well-maintained systems; switch to “usermanager” and confirm the change after rebooting.
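An added example, not code from the page, FreePBX or Horizon3.ai, covering the two points above (the “webserver” condition for the bypass and the pitfall of leaving it set): a POSIX shell audit for the AUTHTYPE setting. It assumes that `fwconsole setting AUTHTYPE` prints the current value and that `fwconsole setting AUTHTYPE usermanager` changes it; the sample output, the function names and the treatment of an unreadable value as exposed are all constructed for this example and should be checked against your own install.

```shell
#!/bin/sh
# Added example (not FreePBX, Sangoma or Horizon3.ai code): audit the
# "Authorization Type" (AUTHTYPE) setting that gates CVE-2025-66039 and,
# with --fix, switch it to "usermanager" as the advisory recommends.
#
# Assumptions to verify on your own box:
#   - `fwconsole setting AUTHTYPE` prints the current value and
#     `fwconsole setting AUTHTYPE usermanager` changes it.
#   - The possible values are none, database, webserver and usermanager.
# SAMPLE_OUTPUT is a constructed stand-in for fwconsole output so the script
# can be exercised off-box; the real table layout may differ, which is why the
# parser looks for the known value names instead of a fixed column.

SAMPLE_OUTPUT='+----------+-----------+
| Keyword  | Value     |
+----------+-----------+
| AUTHTYPE | webserver |
+----------+-----------+'

# Pull the AUTHTYPE value out of whatever fwconsole printed. The first
# recognised value name wins and is lower-cased; empty when none is found.
authtype_from_output() {
    printf '%s\n' "$1" \
        | tr '[:upper:]' '[:lower:]' \
        | grep -o -E 'usermanager|webserver|database|none' \
        | head -n 1
}

# Status 0 when the value leaves the bypass reachable, 1 otherwise. Only
# "webserver" is affected; an empty value is treated as exposed because the
# audit could not prove the host safe (constructed policy for this example).
authtype_exposed() {
    case "$1" in
        webserver|'') return 0 ;;
        *) return 1 ;;
    esac
}

# Read the live setting when fwconsole exists, otherwise use the sample.
current_authtype() {
    if command -v fwconsole >/dev/null 2>&1; then
        authtype_from_output "$(fwconsole setting AUTHTYPE 2>/dev/null)"
    else
        authtype_from_output "$SAMPLE_OUTPUT"
    fi
}

# Print the verdict; with --fix and a real fwconsole, switch to usermanager.
# Returns 2 when the host is exposed and was not fixed, so a cron job can alert.
audit_authtype() {
    value=$(current_authtype)
    if authtype_exposed "$value"; then
        echo "AUTHTYPE='${value:-unknown}': CVE-2025-66039 auth bypass reachable"
        if [ "${1:-}" = "--fix" ] && command -v fwconsole >/dev/null 2>&1; then
            # An admin must already exist in User Manager, or you lock yourself out.
            fwconsole setting AUTHTYPE usermanager
            echo "AUTHTYPE set to usermanager; apply the remaining advisory steps and reboot"
            return 0
        fi
        return 2
    fi
    echo "AUTHTYPE='$value': not the configuration affected by the bypass"
    return 0
}

# Stand-alone use: `sh authtype_audit.sh` prints the verdict, `--fix` remediates.
# The status is surfaced on the last line rather than via exit so the functions
# above can also be sourced into a larger hardening script.
audit_authtype "$@" || echo "audit status: $?"
```

Run it without arguments on each PBX to see which hosts are on “webserver”; run with `--fix` only after confirming that at least one administrator with admin rights exists in User Manager, because once AUTHTYPE is “usermanager” the web server’s own authentication is no longer consulted. Changing the setting is one of the advisory’s steps, not a substitute for updating the patched modules and rebooting.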
