CVE-2025-61675

HIGH

FreePBX endpoint SQLi to RCE

Title source: metasploit
Exploitation Summary

EIP tracks 5 public exploits for CVE-2025-61675. PoCs have been published by rxerium, cyberleelawat and BimBoxH4, including the Metasploit module auxiliary/gather/freepbx_custom_extension_injection.

AI-analyzed exploit summary: This repository provides Nuclei templates for detecting three FreePBX vulnerabilities (CVE-2025-61675, CVE-2025-61678, CVE-2025-66039) by version checking without exploitation. It includes non-invasive detection methods and usage instructions.

Description

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions prior to 16.0.92 for FreePBX 16 and versions prior to 17.0.6 for FreePBX 17, the Endpoint Manager module contains authenticated SQL injection vulnerabilities affecting multiple parameters in the basestation, model, firmware, and custom extension configuration functionality areas. Authentication with a known username is required to exploit these vulnerabilities. Successful exploitation allows authenticated users to execute arbitrary SQL queries against the database, potentially enabling access to sensitive data or modification of database contents. This issue has been patched in version 16.0.92 for FreePBX 16 and version 17.0.6 for FreePBX 17.

Exploits (5)

nomisec SCANNER 47 stars
by rxerium · poc
https://github.com/rxerium/FreePBX-Vulns-December-25

This repository provides Nuclei templates for detecting three FreePBX vulnerabilities (CVE-2025-61675, CVE-2025-61678, CVE-2025-66039) by version checking without exploitation. It includes non-invasive detection methods and usage instructions.

Classification: Scanner 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: FreePBX (versions < 16.0.92, < 17.0.6 for endpoint module; < 16.0.44, < 17.0.23 for framework module)
No auth needed
Prerequisites: Access to FreePBX administration panel or version endpoint
devstral-2 · analyzed Feb 16, 2026
github SCANNER 1 stars
by cyberleelawat · poc
https://github.com/cyberleelawat/FreePBX-Multiple-CVEs-2025

The repository contains Nuclei templates for detecting three FreePBX vulnerabilities (CVE-2025-61675, CVE-2025-61678, CVE-2025-66039) by version checking and fingerprinting. It does not include exploit code but provides detection logic for vulnerable instances.

Classification: Scanner 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: FreePBX 16.0.0-16.0.91, 17.0.0-17.0.5 (CVE-2025-61675, CVE-2025-61678), FreePBX 16.0.0-16.0.43, 17.0.0-17.0.22 (CVE-2025-66039)
No auth needed
Prerequisites: Network access to FreePBX admin interface
devstral-2 · analyzed Feb 19, 2026
github SCANNER 1 stars
by BimBoxH4 · python · poc
https://github.com/BimBoxH4/CVE-2025-66039_CVE-2025-61675_CVE-2025-61678_reePBX

This repository contains a Python-based vulnerability scanner for FreePBX systems, targeting CVE-2025-66039 (authentication bypass), CVE-2025-61675 (SQL injection), and CVE-2025-61678 (file upload RCE). The tool performs detection and limited exploitation but does not include full functional exploit code for all vulnerabilities.

Classification: Scanner 95%
Attack Type: Auth Bypass | Sqli | Rce
Complexity: Moderate
Reliability: Reliable
Target: FreePBX
No auth needed
Prerequisites: Network access to target FreePBX instance · Python 3.6+ environment
devstral-2 · analyzed Feb 19, 2026
metasploit WORKING POC
by Noah King, msutovsky-r7 · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/freepbx_custom_extension_injection.rb

This Metasploit module exploits CVE-2025-61675, a SQL injection vulnerability in FreePBX, chained with CVE-2025-66039 (authentication bypass) to create an administrative user. It leverages the custom extension component to inject SQL payloads and verify the creation of a new admin account.

Classification: Working Poc 95%
Attack Type: Sqli
Complexity: Moderate
Reliability: Reliable
Target: FreePBX versions prior to 16.0.44, 16.0.92, 17.0.23, and 17.0.6
No auth needed
Prerequisites: Network access to the FreePBX admin interface · FreePBX using Webserver Authorization Mode
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC EXCELLENT
by Noah King, msutovsky-r7 · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/http/freepbx_custom_extension_rce.rb

This Metasploit module exploits CVE-2025-61675, a SQL injection vulnerability in FreePBX's custom extension component, chained with an authentication bypass (CVE-2025-66039) to achieve unauthenticated remote code execution by injecting a malicious cron job into the database.

Classification: Working Poc 95%
Attack Type: Rce
Complexity: Moderate
Reliability: Reliable
Target: FreePBX versions before 16.0.92 and 17.0.6
No auth needed
Prerequisites: Network access to the FreePBX web interface · FreePBX configured with Webserver Authorization Mode
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v4: 8.6
EPSS: 0.3896
EPSS Percentile: 98.4%
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-89
Status: published
Products (2):
FreePBX/endpoint < 16.0.92
FreePBX/endpoint >= 17.0.0, < 17.0.6
Published: Oct 14, 2025
Tracked Since: Feb 18, 2026