CVE-2025-61678 affects the FreePBX Endpoint Manager module. In versions prior to 16.0.92 for FreePBX 16 and prior to 17.0.6 for FreePBX 17, the firmware upload functionality contains an authenticated arbitrary file upload vulnerability. The issue affects handling of the fwbrand parameter, which can be manipulated to alter the destination file path. This effectively enables unrestricted upload of attacker-controlled files to attacker-chosen locations on the server. The provided context indicates this can be used to place a PHP webshell in a web-accessible directory, resulting in server-side code execution. The vulnerability is described as authenticated in normal conditions, requiring a known username, but it can also be chained with CVE-2025-66039, an authentication bypass in certain FreePBX configurations, to achieve unauthenticated exploitation.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (4 hidden).
This repository is a compact two-file exploit PoC targeting FreePBX by chaining two vulnerabilities: CVE-2025-57819 for stacked SQL injection and CVE-2025-61678 for authenticated arbitrary file upload leading to RCE. The repository contains a short README describing the chain and a single Python exploit script as the operational entry point. The exploit flow in exploit.py is straightforward and fully weaponized enough for practical use, though payloads and target values are hardcoded. First, the SQLi class abuses the /admin/ajax.php Endpoint Manager model handler by sending crafted GET parameters with a malicious brand value. The injected SQL first deletes any existing ampusers row for the chosen username, then inserts a new administrator account into the asterisk.ampusers table with a SHA1 password hash and wildcard sections value. This gives the attacker valid FreePBX admin credentials. Next, authenticate() uses requests.Session to interact with /admin/config.php and /admin/ajax.php?module=userman&command=checkPasswordReminder, then posts the injected credentials to the admin interface to establish an authenticated session. Finally, the RCE class abuses the authenticated upload endpoint /admin/ajax.php?module=endpoint&command=upload_cust_fw. It submits multipart form data with a traversal-style fwbrand value ../../../var/www/html/shell_dir_1 so the uploaded file lands in a web-accessible directory. The uploaded payload is a minimal PHP webshell using system($_REQUEST[md5('cmd')]). The script then computes the expected shell URL and enters an interactive loop, sending attacker-supplied commands to the webshell and printing command output. Overall capability: unauthenticated-to-authenticated privilege creation via SQL injection, followed by authenticated arbitrary file upload and interactive remote command execution on the FreePBX host. The code is a real exploit, not a detector, and is best classified as OPERATIONAL because it includes a working hardcoded payload and exploitation chain but is not part of a larger reusable framework.
This repository is a compact two-file exploit PoC for chaining two FreePBX vulnerabilities into unauthenticated remote code execution. The structure is simple: README.md documents the attack chain, affected versions, and usage examples; exploit.py contains the full exploit logic and is the sole executable entry point. The Python exploit targets FreePBX 16 and automates a four-stage attack. First, it sends unauthenticated GET requests to /admin/ajax.php with crafted parameters module=FreePBX\modules\endpoint\ajax, command=model, template=x, model=model, and a malicious brand value containing stacked SQL. That SQL deletes any prior matching username and inserts a new administrator directly into the asterisk.ampusers table with wildcard section access. Second, it authenticates to /admin/config.php using the newly created credentials. Third, it abuses the authenticated Endpoint Manager firmware upload handler at /admin/ajax.php?module=endpoint&command=upload_cust_fw by supplying fwbrand=../../../var/www/html/<random_dir>, causing path traversal out of the firmware directory and writing a PHP webshell into the web root. The exploit sets a Referer header to /admin/config.php?display=epm_advanced to satisfy request checks. Fourth, it verifies code execution by calling the uploaded shell with a cmd parameter and either runs a single command or launches one of several reverse shell payloads. Main capabilities include: unauthenticated SQL injection, creation of a persistent admin account, authenticated arbitrary file upload with traversal, deployment of a PHP command webshell, arbitrary command execution over HTTP, and reverse shell callback to an attacker host. The reverse shell payloads include bash /dev/tcp, mkfifo+nc, and python3 socket/pty variants. The exploit uses requests for HTTP session handling and optionally pwntools to start a listener and provide an interactive shell. There are no hardcoded victim domains or IPs; the target host and optional callback host/port are supplied at runtime. Fingerprintable target paths and artifacts include /admin/ajax.php, /admin/config.php, /admin/ajax.php?module=endpoint&command=upload_cust_fw, traversal to ../../../var/www/html/<dir>, the dropped .php webshell path, the asterisk.ampusers database table, and /tmp/f used by one shell variant. Overall, this is a real operational exploit PoC rather than a detector: it performs end-to-end compromise of a vulnerable FreePBX instance and provides immediate post-exploitation command execution.
This repository is a Python-based security assessment and exploitation tool targeting FreePBX systems vulnerable to three 2025 CVEs: CVE-2025-66039 (authentication bypass), CVE-2025-61675 (authenticated SQL injection), and CVE-2025-61678 (authenticated file upload RCE). The main script, 'exploit.py', is a multi-threaded scanner that automates the process of detecting and exploiting these vulnerabilities. It supports scanning single or multiple targets, provides detailed reporting, and can operate in different modes (all, upload, sql, auth). The tool attempts to extract PHPSESSID cookies for session hijacking, upload a malicious PHP file for remote code execution, and exploit SQL injection vulnerabilities to extract sensitive data. The endpoints targeted are typical FreePBX admin URLs, such as '/admin/config.php' for session handling and '/admin/ajax.php' for file upload and SQLi. The repository includes a README with detailed usage instructions and a requirements.txt for dependencies. The exploit is operational, providing real exploitation capabilities, not just detection.
12 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An unrestricted file upload vulnerability in FreePBX (firmware upload function) that can be chained after authentication bypass to upload a webshell and gain remote code execution.
An unrestricted file upload vulnerability in FreePBX (firmware upload path) that can be chained after authentication bypass to upload a webshell and achieve remote code execution.
A vulnerability in FreePBX allowing unrestricted file uploads via firmware upload, including path traversal, leading to unauthenticated remote code execution.
A vulnerability in FreePBX allowing unrestricted file uploads via firmware upload, including path traversal, leading to unauthenticated remote code execution.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.