UPDATED: CVE-2025-57819, CVE-2025-66039, CVE-2025-61675, CVE-2025-61678

Sangoma FreePBX Authentication Bypass and Remote Code Execution Vulnerabilities

Updated Research: CVE-2025-57819, CVE-2025-66039, CVE-2025-61675, and CVE-2025-61678, which together describe FreePBX authentication bypasses, SQL injection, arbitrary file upload, and chained attack paths leading to remote code execution.

What it is and why it matters

CVE-2025-57819 is an authentication bypass in FreePBX that is exploitable in the default configuration. An attacker can reach SQL injection flows and achieve remote code execution by writing OS commands into the MySQL cron_jobs table, creating administrative users in the ampusers table, or exfiltrating sensitive PBX data.

This vulnerability was exploited in the wild, added to CISA KEV, and confirmed within Horizon3.ai customer environments — prompting our original Rapid Response effort.

While reverse-engineering CVE-2025-57819, Horizon3.ai researchers identified three additional, previously unknown vulnerabilities. These were unrelated to CVE-2025-57819 but highly impactful when chained together. They have now been assigned CVEs and have reached the end of their coordinated disclosure period.

CVE-2025-66039 — Authentication Bypass (webserver auth type)

CVSS 9.3 (Critical)

When FreePBX is configured to use the webserver authentication type, it trusts any HTTP Basic Authorization header that contains a username — the password field is never validated. This allows attackers to reach privileged administrative endpoints using only a known or guessed username.

  • This configuration is not the default.
  • The default authentication mechanism is usermanager.

CVE-2025-61675 — Multiple SQL Injections (Endpoint Manager)

CVSS 8.3 (High)

Four Endpoint Manager workflows — Basestation, Firmware, Model Basefile, and Custom Extensions — contain 11 SQL injection points that allow database read/write access.

  • Normally authentication is required.
  • When chained with CVE-2025-66039 (webserver auth bypass), these SQLi endpoints become reachable without credentials, as long as a known username (e.g., admin) is supplied.

CVE-2025-61678 — Arbitrary File Upload → RCE

CVSS 8.3 (High)

The firmware upload mechanism in Endpoint Manager allows:

  • Attacker-controlled file paths
  • Attacker-controlled file contents
  • Upload of arbitrary file types (including PHP webshells) to /tftpboot/customfw/

Under the webserver authentication type, attackers need only:

  • A valid PHPSESSID, and
  • At least one firmware file already present

This makes remote code execution straightforward.

Chained Attack Path

In practice, these vulnerabilities chain as:

Authentication Bypass (CVE-2025-66039) → SQL Injection (CVE-2025-61675) → Arbitrary File Upload (CVE-2025-61678) → OS Command Execution

Horizon3.ai confirmed this multi-stage path during internal analysis.

NodeZero® Offensive Security Platform — Rapid Response

Horizon3.ai released a Rapid Response assessment for CVE-2025-57819 in August 2025, after active exploitation was detected and the vulnerability was added to CISA KEV.
On September 10, 2025, exploit coverage for CVE-2025-57819 was added to NodeZero.

Once publicly disclosed, the additional FreePBX 0-days discovered by Noah King were also added to the same Rapid Response test.

The updated Rapid Response test now:

1. Validates exploitability for all four CVEs

  • CVE-2025-57819
  • CVE-2025-66039
  • CVE-2025-61675
  • CVE-2025-61678

2. Exercises the chained exploitation paths (H3 Weaknesses)

  • H3-2025-0055 — Authentication Bypass → File Upload RCE
     (CVE-2025-66039 + CVE-2025-61678)
  • H3-2025-0056 — Authentication Bypass → SQL Injection
     (CVE-2025-66039 + CVE-2025-61675)

3. Uses safe-for-production exploitation attempts

These mimic real adversary behavior but stop short of causing operational damage, allowing customers to confirm exploitability safely.

If you are a Rapid Response customer

  • Run the updated Rapid Response test against any environment where FreePBX is deployed, especially if the Endpoint Manager module is enabled or if non-default authentication settings are used.
  • After patching, re-run the test to verify that all four CVEs and both chained weaknesses are no longer exploitable.

Horizon3.ai has assessed customer environments and confirmed that no Rapid Response customers were exposed to the newly discovered 0-days, largely because the insecure webserver authentication type is not widely used.

Indicators of compromise

For the latest set of vulns, focus your investigation on:

  • Unexpected users in ampusers — especially new administrative entries
  • Suspicious cron jobs in cron_jobs — attackers used this path in CVE-2025-57819 exploitation
  • Unknown or suspicious PHP files under /var/www/html — common webshell upload location resulting from CVE-2025-61678 exploitation

If any of these indicators appear, treat the host as potentially fully compromised and investigate lateral movement.

Affected versions & patch

CVE-2025-57819

  • Affects FreePBX in its default configuration
  • Vendor patches available in 15.0.66, 16.0.89, 17.0.3

CVE-2025-66039 — Authentication Bypass

  • Not exploitable unless FreePBX is configured with AUTHTYPE webserver
  • Authentication-type mitigations released in FreePBX 16.0.42 and 17.0.22
  • FreePBX UI now hides the auth-type selector; enabling webserver auth requires manual fwconsole configuration

CVE-2025-61675 — SQL Injections

  • Fixed in FreePBX 16.0.92 and 17.0.6

CVE-2025-61678 — File Upload / RCE

  • Fixed in FreePBX 16.0.92 and 17.0.6

Recommended actions

  • Upgrade to 16.0.92+ or 17.0.6+ to receive SQLi and file-upload fixes
  • Ensure authentication-type changes in 16.0.42 / 17.0.22 are applied
  • Avoid webserver authentication unless absolutely necessary
  • After patching, re-run the NodeZero Rapid Response test to confirm remediation

Timeline

  • Aug 26, 2025 – Vendor advisory for CVE-2025-57819 published
  • Aug 28, 2025 – Horizon3.ai begins Rapid Response assessment
  • Aug 29, 2025 – CVE-2025-57819 added to CISA KEV
  • Sep 10, 2025 – Exploit coverage for CVE-2025-57819 added to NodeZero
  • Sep 15, 2025 – Horizon3.ai discloses newly discovered 0-days to Sangoma
  • Oct 14, 2025 – Vendor advisories and patches for CVE-2025-61675 and CVE-2025-61678
  • Nov 25, 2025 – CVE-2025-66039 assigned
  • Dec 9, 2025 – Vendor advisory for CVE-2025-66039
  • Dec. 10, 2025 – Rapid Response test updated with the new publicly disclosed vulns 
  • Dec 11, 2025 – Horizon3.ai publishes research confirming full coverage for CVE-2025-66039, CVE-2025-61675, and CVE-2025-61678

References

🔗 Bleeping Computer Article

🔗 FreePBX Community Advisory

🔗 GitHub Advisory

🔗 NVD Listing – CVE-2025-57819

🔗 NVD Listing – CVE-2025-66039

🔗 NVD Listing – CVE-2025-61675

🔗 NVD Listing – CVE-2025-61678

🔗 Horizon3.ai Research Blog – FreePBX 0-Day Findings (Noah King)

🔗 CISA Known Exploited Vulnerabilities (KEV) Catalog
(CVE-2025-57819 added August 29, 2025.)

Rapid Response N-Day Testing

Run the Test Now

Read about other CVEs

NodeZero® Platform

Implement a continuous find, fix, and verify loop with NodeZero

The NodeZero® platform empowers your organization to reduce your security risks by autonomously finding exploitable weaknesses in your network, giving you detailed guidance around how to priortize and fix them, and having you immediately verify that your fixes are effective.
Explore NodeZero

Recognized By