Executive Summary

A series of critical vulnerabilities have been identified and patched in FreePBX, a widely deployed open-source PBX platform integral to many VoIP infrastructures. The vulnerabilities—CVE-2025-66039 (authentication bypass via webserver AUTHTYPE), CVE-2025-61675 (multiple SQL injection flaws in the Endpoint Management module), and CVE-2025-61678 (arbitrary file upload enabling remote code execution)—collectively allow unauthenticated attackers to gain administrative access, manipulate the backend database, and execute arbitrary code on the underlying server. These flaws are being actively exploited in the wild, with public proof-of-concept code and automated attack campaigns observed. The vulnerabilities are now listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog, underscoring their severity and the urgency of remediation. Organizations running affected versions of FreePBX are at immediate risk of compromise, data exfiltration, and lateral movement within their networks. Immediate patching and forensic review are strongly recommended.

Threat Actor Profile

As of the latest public reporting, there is no direct attribution of these FreePBX vulnerabilities to specific Advanced Persistent Threat (APT) groups. However, the attack techniques observed—such as exploiting public-facing applications, leveraging SQL injection for privilege escalation, and deploying webshells for persistent access—are consistent with the tactics, techniques, and procedures (TTPs) used by ransomware operators and initial access brokers. These actors often exploit newly disclosed vulnerabilities in widely deployed software to gain a foothold in target networks, which they may then monetize directly or sell to other threat actors.

The lack of specific APT attribution does not diminish the risk; rather, it highlights the broad appeal of these vulnerabilities to a wide range of threat actors, from financially motivated cybercriminals to state-sponsored groups. The rapid weaponization and global scanning activity suggest that any unpatched FreePBX instance is a high-value target.

Technical Analysis of Malware/TTPs

The vulnerabilities in FreePBX are both severe and easily exploitable, especially when chained together. The technical details are as follows:

• CVE-2025-66039 (Authentication Bypass): When FreePBX is configured to use the "webserver" authentication type, the application naively trusts the HTTP Authorization header, failing to properly validate its contents. An attacker can simply craft a request with any Authorization header (for example, Authorization: Basic YWRtaW46YWRtaW4= which decodes to admin:admin), and the application will grant access to administrative endpoints. This bypass is not limited to a specific username or password, making it trivial for attackers to gain privileged access without valid credentials.

• CVE-2025-61675 (SQL Injection): A set of SQL injection flaws in the Endpoint Management module. Parameters such as name, brand, template, ac, model, and id are not properly sanitized, allowing attackers to inject arbitrary SQL statements. This enables a range of attacks, from reading and modifying database contents to creating new administrative users or injecting operating system commands via the database (for example, by inserting malicious entries into the cron_jobs table). When combined with the authentication bypass, these SQL injection flaws can be exploited without any valid credentials, dramatically increasing the attack surface.

• CVE-2025-61678 (Arbitrary File Upload): An arbitrary file upload flaw in the firmware upload endpoint. The endpoint fails to restrict file types and allows path traversal, enabling attackers to upload malicious PHP files (webshells) directly to the web root. For example, by submitting a multipart form with fwbrand=../../../var/www/html and a file named webshell.php, an attacker can place a webshell in a location accessible via the web server. Once uploaded, the attacker can access the webshell and execute arbitrary commands as the web server user, achieving full remote code execution.

The exploitation chain is straightforward: an attacker first bypasses authentication using the AUTHTYPE flaw, then leverages SQL injection to escalate privileges or manipulate the system, and finally uploads a webshell to gain persistent, interactive access to the server. The impact is total system compromise, including the ability to exfiltrate sensitive data, disrupt telephony services, and use the compromised PBX as a foothold for further attacks within the organization.

Exploitation in the Wild

There is clear evidence that these vulnerabilities are being exploited in the wild. Security researchers and threat intelligence teams have observed mass scanning and automated exploitation attempts targeting FreePBX instances exposed to the internet. Public proof-of-concept code and exploit scripts are widely available on platforms such as GitHub and various security forums, lowering the barrier to entry for both sophisticated and opportunistic attackers.

The vulnerabilities have been added to the CISA Known Exploited Vulnerabilities (KEV) Catalog, which is a strong indicator of active exploitation and significant risk to critical infrastructure. Reports from organizations such as Horizon3.ai and CyOps confirm that attackers are leveraging these flaws to gain initial access, establish persistence, and move laterally within victim environments.

Indicators of compromise include the presence of unauthorized administrative users in the ampusers table, unexpected cron jobs in the cron_jobs table, webshells or suspicious files in directories such as /var/www/html/ and /tftpboot/customfw/, and unusual outbound network connections originating from the PBX server. Organizations should be vigilant for these signs and conduct thorough forensic analysis if compromise is suspected.

Victimology and Targeting

The vulnerabilities are being exploited globally, with no sector or country-specific targeting reported in public sources. Any organization running an unpatched version of FreePBX is at risk, regardless of size or industry. The widespread deployment of FreePBX in both enterprise and small business environments increases the potential impact of these vulnerabilities.

Mitigation and Countermeasures

The primary and most effective mitigation is to upgrade FreePBX to the latest patched versions: 16.0.92 or later for the 16.x branch, and 17.0.22 or later for the 17.x branch. Patches comprehensively address the authentication bypass, SQL injection, and file upload vulnerabilities.

In addition to patching, organizations should audit their FreePBX systems for indicators of compromise. This includes reviewing the ampusers table for unauthorized users, inspecting the cron_jobs table for suspicious entries, and scanning the filesystem for unexpected files in /var/www/html/ and /tftpboot/customfw/. Network monitoring should be employed to detect unusual outbound connections that may indicate data exfiltration or command-and-control activity.

It is strongly recommended to avoid using the "webserver" authentication type unless absolutely necessary, and only with additional compensating controls such as IP whitelisting, strong network segmentation, and multi-factor authentication. Access to the FreePBX administrative interface should be restricted to trusted networks, and exposed management interfaces should be protected by VPN or other secure access mechanisms.

Regularly review and harden the configuration of FreePBX and its underlying operating system, disable unused modules, and ensure that all third-party add-ons are up to date and sourced from reputable vendors. Implement robust logging and alerting to detect anomalous activity in real time.

References

• Horizon3.ai: The FreePBX Rabbit Hole: CVE-2025-66039 and others (https://horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/)

• FreePBX Security Advisories (https://github.com/FreePBX/security-advisories)

• CISA KEV Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

• Reddit: FreePBX Exposes Critical Vulnerabilities (https://www.reddit.com/r/pwnhub/comments/1pne393/freepbx_exposes_critical_vulnerabilities_rce/)

• CyOps Analysis: FreePBX Critical Vulnerability (https://www.cynet.com/blog/cyops-analysis-freepbx-critical-vulnerability/)

About Rescana

At Rescana, we understand the critical importance of proactive risk management in today’s rapidly evolving threat landscape. Our Third-Party Risk Management (TPRM) platform empowers organizations to continuously monitor, assess, and mitigate cyber risks across their entire digital supply chain. While this advisory focuses on the latest FreePBX vulnerabilities, our platform is designed to help you identify and address a wide range of security exposures before they can be exploited. If you have any questions about this advisory or need assistance with your cybersecurity program, we are here to help. Please contact us at ops@rescana.com.