CVE-2025-61675 is an authenticated SQL injection vulnerability in the FreePBX Endpoint Manager module. In FreePBX 16 prior to 16.0.92 and FreePBX 17 prior to 17.0.6, multiple parameters in the basestation, model, firmware, and custom extension configuration functionality are vulnerable to improper neutralization of SQL input. The issue affects multiple endpoints and parameters within Endpoint Manager. Exploitation requires authentication with a known username according to the vendor description; additional reporting indicates the flaw can also be chained with CVE-2025-66039, an authentication bypass affecting deployments using webserver authorization mode, to remove the authentication prerequisite. Successful exploitation allows execution of arbitrary SQL queries against the FreePBX database. Reported post-exploitation uses include reading and modifying database contents, inserting unauthorized administrative users, and in exploit chains, inserting cron job records to achieve operating-system-level code execution.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (4 hidden).
This repository is a Python-based security assessment and exploitation tool targeting FreePBX systems vulnerable to three 2025 CVEs: CVE-2025-66039 (authentication bypass), CVE-2025-61675 (authenticated SQL injection), and CVE-2025-61678 (authenticated file upload RCE). The main script, 'exploit.py', is a multi-threaded scanner that automates the process of detecting and exploiting these vulnerabilities. It supports scanning single or multiple targets, provides detailed reporting, and can operate in different modes (all, upload, sql, auth). The tool attempts to extract PHPSESSID cookies for session hijacking, upload a malicious PHP file for remote code execution, and exploit SQL injection vulnerabilities to extract sensitive data. The endpoints targeted are typical FreePBX admin URLs, such as '/admin/config.php' for session handling and '/admin/ajax.php' for file upload and SQLi. The repository includes a README with detailed usage instructions and a requirements.txt for dependencies. The exploit is operational, providing real exploitation capabilities, not just detection.
14 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A SQL injection vulnerability in FreePBX that can be chained post-authentication-bypass to achieve remote code execution (e.g., by inserting a cron job) or to create a rogue administrator account.
A SQL injection vulnerability in FreePBX that can be chained after authentication bypass to manipulate the database (e.g., add cron jobs or create admin users), enabling privilege escalation and/or remote code execution.
Multiple SQL injection vulnerabilities in FreePBX, specifically in the custom extension component, allowing attackers to create fake users and gain administrative access.
Multiple SQL injection vulnerabilities in FreePBX, specifically in the custom extension component, allowing attackers to create fake users and gain administrative access.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.