CVE-2025-66039 is an authentication bypass vulnerability in the FreePBX Endpoint Manager module. The issue occurs when the Endpoint Manager authentication type is configured as "webserver." In this mode, supplying an Authorization header with an arbitrary value can cause the application to associate a session with a target user even though no valid credentials were provided. As a result, an unauthenticated remote attacker can bypass the intended login process and access protected functionality as another user, including administrative users. The flaw is remotely exploitable and has been described as allowing forged Basic Auth headers to reach the administrator control panel. The issue was fixed in FreePBX Endpoint Manager versions 16.0.44 and 17.0.23.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (4 hidden).
This repository is a Python-based security assessment and exploitation tool targeting FreePBX systems vulnerable to three 2025 CVEs: CVE-2025-66039 (authentication bypass), CVE-2025-61675 (authenticated SQL injection), and CVE-2025-61678 (authenticated file upload RCE). The main script, 'exploit.py', is a multi-threaded scanner that automates the process of detecting and exploiting these vulnerabilities. It supports scanning single or multiple targets, provides detailed reporting, and can operate in different modes (all, upload, sql, auth). The tool attempts to extract PHPSESSID cookies for session hijacking, upload a malicious PHP file for remote code execution, and exploit SQL injection vulnerabilities to extract sensitive data. The endpoints targeted are typical FreePBX admin URLs, such as '/admin/config.php' for session handling and '/admin/ajax.php' for file upload and SQLi. The repository includes a README with detailed usage instructions and a requirements.txt for dependencies. The exploit is operational, providing real exploitation capabilities, not just detection.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
37 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An authentication bypass vulnerability in FreePBX that can be triggered via a forged Authorization header.
A referenced FreePBX authentication-bypass vulnerability in 'webserver' auth mode that could enable PBX takeover; no additional details are provided in the main content.
An authentication bypass vulnerability in FreePBX used as the initial step in an exploit chain to move from unauthenticated access toward full compromise.
An authentication bypass in FreePBX that allows unauthenticated interaction with the application, used as the initial step in exploit chains leading to further compromise.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.