FreePBX Fixes RCE Chains: SQLi, Upload, AUTHTYPE Bypass
FreePBX fixed multiple high-severity flaws that can chain into remote code execution (RCE) under certain configurations. Discovered by Horizon3.ai and reported on September 15, 2025, the bugs span SQL injection, arbitrary file upload, and an AUTHTYPE-based authentication bypass.
Key vulnerabilities:
- CVE-2025-61675 (CVSS 8.6): Multiple authenticated SQL injections across basestation, model, firmware, and custom extension endpoints. Eleven parameters allow read/write access to the backend database.
- CVE-2025-61678 (CVSS 8.6): Authenticated arbitrary file upload via the firmware upload endpoint. With a valid PHPSESSID, attackers can upload a PHP web shell and execute commands to read sensitive files (e.g., /etc/passwd).
- CVE-2025-66039 (CVSS 9.3): Authentication bypass when "Authorization Type" (AUTHTYPE) is set to "webserver," enabling login to the Administrator Control Panel via a forged Authorization header.
Exposure details:
- The bypass is not exploitable in default installs. The "Authorization Type" option appears only when "Display Friendly Name," "Display Readonly Settings," and "Override Readonly Settings" are all set to "Yes."
- If exposed, attackers can craft requests to skip authentication and insert a malicious user into the "ampusers" table, echoing CVE-2025-57819 observed in the wild in September 2025.
- Researchers note these flaws are easy to exploit and can enable both authenticated and unauthenticated RCE paths, depending on the endpoint. Some routes require a valid username; others (like the file upload) may not. The "webserver" auth mode is considered legacy and risky.
Patches and versions:
- CVE-2025-61675 and CVE-2025-61678: fixed in 16.0.92 and 17.0.6 (October 14, 2025).
- CVE-2025-66039: fixed in 16.0.44 and 17.0.23 (December 9, 2025).
- In the patched versions the authentication-provider option no longer appears in Advanced Settings; it must now be set from the command line with fwconsole.
Immediate actions for admins:
- Update to the patched versions (or later) without delay.
- Switch "Authorization Type" to "usermanager."
- Set "Override Readonly Settings" to "No," apply the configuration, and reboot to drop any rogue sessions.
- Avoid using the "webserver" AUTHTYPE; treat it as legacy.
- If "webserver" AUTHTYPE was ever enabled, perform a full compromise assessment.
- Heed the dashboard warning that "webserver" offers reduced security compared to "usermanager."
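The checks and remediation steps above, as an added shell example (not FreePBX project code). It assumes the standard FreePBX layout: the "asterisk" database holding freepbx_settings(keyword, value) and ampusers(username, ...), root able to run the mysql client against it over the local socket as on the FreePBX Distro, and an EXPECTED_ADMINS allowlist that you fill in for your site. The setting keyword AS_OVERRIDE_READONLY for "Override Readonly Settings" is assumed from FreePBX's Advanced Settings naming; `fwconsole setting` is the command the advisory points to.

```shell
#!/bin/sh
# Added example (not FreePBX project code): post-patch audit of the AUTHTYPE
# exposure plus a check for unexpected rows in ampusers, the table the
# bypass is used to seed with a malicious admin.
# Assumptions (also stated in the lead-in):
#  - database "asterisk" with freepbx_settings(keyword,value) and ampusers(username,...);
#  - root can run "mysql asterisk" without a password (FreePBX Distro); add -u/-p otherwise;
#  - EXPECTED_ADMINS is this site's allowlist of legitimate admin usernames;
#  - AS_OVERRIDE_READONLY is the keyword behind "Override Readonly Settings".
EXPECTED_ADMINS="admin"
MYSQL="mysql --batch --skip-column-names asterisk"

# authtype_risk VALUE -> "risky" for the legacy webserver mode, "ok" for
# usermanager, "unknown" for anything else (including an empty value).
authtype_risk() {
  case "$1" in
    webserver)   echo risky ;;
    usermanager) echo ok ;;
    *)           echo unknown ;;
  esac
}

# unknown_admins "user1<newline>user2..." -> prints every username that is
# not in EXPECTED_ADMINS, one per line. Empty input prints nothing.
unknown_admins() {
  printf '%s\n' "$1" | while IFS= read -r u; do
    [ -n "$u" ] || continue
    hit=0
    for e in $EXPECTED_ADMINS; do
      [ "$u" = "$e" ] && hit=1
    done
    [ "$hit" -eq 0 ] && echo "$u"
  done
  return 0
}

# Live audit: reads the current AUTHTYPE and the ampusers table.
# Returns 1 when an account outside the allowlist is present.
audit_live() {
  command -v mysql >/dev/null 2>&1 || { echo "mysql client not found, skipping live audit" >&2; return 0; }
  authtype=$($MYSQL -e "SELECT value FROM freepbx_settings WHERE keyword='AUTHTYPE'")
  override=$($MYSQL -e "SELECT value FROM freepbx_settings WHERE keyword='AS_OVERRIDE_READONLY'")
  echo "AUTHTYPE=$authtype -> $(authtype_risk "$authtype")"
  echo "AS_OVERRIDE_READONLY=$override"
  users=$($MYSQL -e "SELECT username FROM ampusers ORDER BY username")
  rogue=$(unknown_admins "$users")
  if [ -n "$rogue" ]; then
    echo "UNEXPECTED ampusers rows (treat as a possible compromise):"
    echo "$rogue"
    return 1
  fi
  echo "ampusers matches the allowlist"
}

# Remediation from the advisory, applied only when the legacy mode is on.
remediate() {
  [ "$(authtype_risk "$1")" = risky ] || return 0
  fwconsole setting AUTHTYPE usermanager     # switch Authorization Type to usermanager
  fwconsole setting AS_OVERRIDE_READONLY 0   # "Override Readonly Settings" = No (assumed keyword)
  fwconsole reload                           # apply the configuration
  echo "AUTHTYPE was webserver: reboot to drop rogue sessions and start a compromise assessment" >&2
}

case "${1:-}" in
  --run) audit_live ;;
  --fix) remediate "$($MYSQL -e "SELECT value FROM freepbx_settings WHERE keyword='AUTHTYPE'")" ;;
esac
```

Run `sh freepbx_authtype_audit.sh --run` first and keep its output: a non-empty "UNEXPECTED ampusers rows" list on a host that ever had AUTHTYPE set to webserver is the trigger for the full compromise assessment, and the remediation (`--fix`) should not be treated as cleanup on its own.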
Bottom line:
FreePBX instances with non-default AUTHTYPE settings are at heightened risk of authentication bypass and RCE. Patch promptly, harden authentication, and review systems for signs of misuse.
Source: The Hacker News