FreePBX, the open-source IP PBX platform, has patched several critical vulnerabilities in its Endpoint Manager module that could allow attackers to bypass authentication and achieve remote code execution. Researchers from Horizon3.ai identified three high-severity flaws: CVE-2025-66039 (authentication bypass via forged Basic Auth headers when 'webserver' authorization is enabled), CVE-2025-61675 (multiple SQL injection vulnerabilities across several endpoints), and CVE-2025-61678 (arbitrary file upload enabling PHP webshell deployment). These vulnerabilities, when chained, allow unauthenticated attackers to gain full control over affected FreePBX instances, posing a significant risk to business communications infrastructure.
The authentication bypass is not present in the default configuration but becomes exploitable if certain advanced settings are enabled. Attackers can exploit these flaws to access protected endpoints, manipulate the underlying SQL database, and upload malicious files for command execution. The vulnerabilities were responsibly disclosed to FreePBX maintainers, and patches have been released. Organizations using FreePBX, especially those with non-default authentication settings, are urged to update immediately to mitigate the risk of compromise.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
FreePBX advised administrators to use 'usermanager' authentication, disable override of readonly settings, reboot after changes, and treat 'webserver' authentication as insecure. The company also urged users who had enabled the vulnerable 'webserver' AUTHTYPE to audit systems for signs of compromise.
FreePBX released fixes for the disclosed vulnerabilities in supported branches, including versions 16.0.92/17.0.6 and 16.0.44/17.0.23. As part of the mitigation, the authentication provider selection was removed from the UI and administrators were directed to use safer configuration methods.
Horizon3.ai identified three critical vulnerabilities in FreePBX's Endpoint Manager module: an authentication bypass (CVE-2025-66039), a SQL injection flaw (CVE-2025-61675), and an arbitrary file upload flaw (CVE-2025-61678). The issues could be chained or abused to achieve unauthenticated remote code execution, especially in vulnerable configurations.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.