CVE-2025-61678

HIGH

FreePBX <16.0.92-17.0.6 - Authenticated File Upload

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2025-61678: PoCs published by cyberleelawat, BimBoxH4 and 0xyngtg, plus the Metasploit module exploits/unix/http/freepbx_firmware_file_upload. Two of the four (cyberleelawat, BimBoxH4) are scanners that fingerprint or version-check vulnerable instances; the 0xyngtg chain and the Metasploit module are working exploits that end in a PHP webshell.

AI-analyzed exploit summary: The repository contains Nuclei templates for detecting three FreePBX vulnerabilities (CVE-2025-61675, CVE-2025-61678, CVE-2025-66039) by version checking and fingerprinting. It does not include exploit code but provides detection logic for vulnerable instances.

Description

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions prior to 16.0.92 for FreePBX 16 and prior to 17.0.6 for FreePBX 17, the Endpoint Manager module contains an authenticated arbitrary file upload vulnerability in its firmware upload handling, affecting the fwbrand parameter: the client-supplied fwbrand value is used to build the destination path, so an attacker can steer the upload outside the intended directory (path traversal). Combined with the absence of file-type restrictions, this lets a webshell be written to a location of the attacker's choosing. Authentication with a known username is required to exploit this vulnerability. Successful exploitation allows authenticated users to upload arbitrary files to attacker-controlled paths on the server, potentially leading to remote code execution. This issue has been patched in version 16.0.92 for FreePBX 16 and version 17.0.6 for FreePBX 17.
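As an added illustration of the bug class the description names (a client-supplied fwbrand value spliced into a filesystem path, with no file-type restriction), the following Python stand-in shows such an upload handler beside a hardened form and runs an attacker's request through both. This is example code written for this page, not FreePBX's code; the directory layout, the brand-token format, the allowed extensions and any parameter semantics beyond "fwbrand selects the target directory" are assumptions.

```python
import os
import re
import tempfile

# Constructed sandbox standing in for a FreePBX host: a firmware directory and a
# web-served directory beside it.  Nothing here is FreePBX's real layout.
SANDBOX = tempfile.mkdtemp(prefix="fpbx_demo_")
FIRMWARE_ROOT = os.path.join(SANDBOX, "firmware")
WEBROOT = os.path.join(SANDBOX, "webroot")
os.makedirs(FIRMWARE_ROOT)
os.makedirs(WEBROOT)

# Assumption: a brand identifier is a short lowercase alphanumeric token.
BRAND_RE = re.compile(r"[a-z0-9_]{1,32}")
# Assumption: firmware uploads are only ever config/image files, never scripts.
ALLOWED_EXT = {".cfg", ".bin", ".xml", ".ld"}


def vulnerable_save(fwbrand: str, filename: str, data: bytes) -> str:
    """Vulnerable pattern: the client-supplied fwbrand is spliced straight into
    the destination path, so '../' segments walk out of FIRMWARE_ROOT, and the
    file type is never checked, so a .php body lands wherever fwbrand points."""
    dest = os.path.join(FIRMWARE_ROOT, fwbrand, filename)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    return os.path.realpath(dest)


def hardened_save(fwbrand: str, filename: str, data: bytes) -> str:
    """Hardened form: allow-list the brand token, reject any directory component
    in the filename, allow-list the extension, and as a last line of defence
    verify that the resolved path still lies inside FIRMWARE_ROOT."""
    if not BRAND_RE.fullmatch(fwbrand):
        raise ValueError("invalid fwbrand")
    base = os.path.basename(filename)
    if base != filename or base in ("", ".", ".."):
        raise ValueError("filename must not contain a path")
    if os.path.splitext(base)[1].lower() not in ALLOWED_EXT:
        raise ValueError("disallowed file type")
    root = os.path.realpath(FIRMWARE_ROOT)
    dest = os.path.realpath(os.path.join(root, fwbrand, base))
    if os.path.commonpath([root, dest]) != root:
        raise ValueError("destination escapes firmware root")
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def demo() -> dict:
    """Run the attacker's request through both handlers and a benign request
    through the hardened one; returns what happened so it can be checked."""
    shell = b"<?php system($_GET['c']); ?>"      # constructed webshell stand-in
    evil_brand = "../webroot"                   # traversal via fwbrand
    written = vulnerable_save(evil_brand, "shell.php", shell)
    try:
        hardened_save(evil_brand, "shell.php", shell)
        blocked = False
    except ValueError:
        blocked = True
    ok = hardened_save("polycom", "boot.cfg", b"# constructed config\n")
    web = os.path.realpath(WEBROOT)
    fw = os.path.realpath(FIRMWARE_ROOT)
    return {
        "vuln_wrote_into_webroot": os.path.dirname(written) == web and os.path.isfile(written),
        "hardened_blocked_traversal": blocked,
        "hardened_kept_inside_root": os.path.commonpath([fw, ok]) == fw and os.path.isfile(ok),
    }


if __name__ == "__main__":
    print(demo())
```

The allow-list on fwbrand is what actually closes the hole; the realpath containment check is there so that a future code path that forgets the allow-list (or a symlinked brand directory) still cannot write outside the firmware root, and the extension allow-list means that even a file landing inside the root cannot be a PHP script.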

Exploits (4)

github SCANNER 1 stars
by cyberleelawat · poc
https://github.com/cyberleelawat/FreePBX-Multiple-CVEs-2025

The repository contains Nuclei templates for detecting three FreePBX vulnerabilities (CVE-2025-61675, CVE-2025-61678, CVE-2025-66039) by version checking and fingerprinting. It does not include exploit code but provides detection logic for vulnerable instances.

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: FreePBX 16.x < 16.0.92, 17.x < 17.0.6 (CVE-2025-61675, CVE-2025-61678), FreePBX 16.x < 16.0.44, 17.x < 17.0.23 (CVE-2025-66039)
Auth required
Prerequisites: Network access to FreePBX admin interface · Valid credentials for authenticated checks
devstral-2 · analyzed Feb 19, 2026
github SCANNER 1 stars
by BimBoxH4 · python · poc
https://github.com/BimBoxH4/CVE-2025-66039_CVE-2025-61675_CVE-2025-61678_reePBX

This repository contains a Python-based vulnerability scanner for FreePBX systems, targeting CVE-2025-66039 (authentication bypass), CVE-2025-61675 (SQL injection), and CVE-2025-61678 (file upload RCE). The tool performs detection and limited exploitation but does not include full exploit chains or payloads.

Classification
Scanner 95%
Attack Type
Auth Bypass | Sqli | Rce
Complexity
Moderate
Reliability
Reliable
Target: FreePBX
No auth needed
Prerequisites: Network access to target FreePBX instance · Python 3.6+ environment
devstral-2 · analyzed Feb 19, 2026
github WORKING POC
by 0xyngtg · python · poc
https://github.com/0xyngtg/FreePBX-CVE-2025-57819-CVE-2025-61678

This repository contains a functional exploit chain for CVE-2025-57819 (stacked SQL injection) and CVE-2025-61678 (authenticated file upload) in FreePBX, leading to Remote Code Execution (RCE). The exploit first creates an admin account via SQLi, authenticates, and then uploads a PHP webshell for command execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: FreePBX (specific version not specified)
Auth required
Prerequisites: Network access to FreePBX admin interface · Valid credentials or ability to exploit SQLi for account creation
devstral-2 · analyzed Jun 12, 2026
metasploit WORKING POC EXCELLENT
by Noah King, msutovsky-r7 · ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/http/freepbx_firmware_file_upload.rb

This Metasploit module exploits CVE-2025-66039 (authentication bypass) and CVE-2025-61678 (unrestricted file upload with path traversal) in FreePBX to achieve unauthenticated remote code execution by uploading a PHP webshell.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: FreePBX versions prior to 16.0.44, 16.0.92, 17.0.6, and 17.0.23
No auth needed
Prerequisites: Webserver Authorization Mode enabled in FreePBX · Network access to the target
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v4 8.6
EPSS 0.5016
EPSS Percentile 98.8%
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-434
Status published
Products (2)
FreePBX/endpointman < 16.0.92
FreePBX/endpointman >= 17.0.0, < 17.0.6
Published Oct 14, 2025
Tracked Since Feb 18, 2026
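To turn the ranges under Products into a check that can be run against an installation, here is an added Python example (written for this page; it is neither one of the tracked PoCs nor FreePBX code) that pulls the endpointman version out of a `fwconsole ma list` style listing and compares it per branch. The sample listing is constructed and its column layout is an assumption; the 16.x lower bound of 16.0.0 is also an assumption, since the page gives only the upper bound for that branch.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges for CVE-2025-61678 as listed under Products:
# (inclusive lower bound, exclusive fixed version) per branch.
# Assumption: the 16.x branch starts at 16.0.0.
AFFECTED_RANGES = [
    ((16, 0, 0), (16, 0, 92)),
    ((17, 0, 0), (17, 0, 6)),
]

# Constructed sample in the assumed table layout of `fwconsole ma list`.
FWCONSOLE_SAMPLE = """\
+---------------+-----------+-----------+-----------+
| Module        | Version   | Status    | License   |
+---------------+-----------+-----------+-----------+
| framework     | 17.0.19   | Enabled   | GPLv3+    |
| endpointman   | 17.0.5    | Enabled   | GPLv3+    |
+---------------+-----------+-----------+-----------+
"""


def parse_version(s: str) -> Version:
    """Parse '17.0.5', '16.0.92.1' or 'v16.0.50' into a comparable tuple.
    Tuples compare numerically, so 16.0.100 sorts after 16.0.92 (a plain
    string comparison would get that backwards).  Non-numeric suffixes are
    rejected rather than guessed."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", s.strip())
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))  # pad so (16, 0) == (16, 0, 0)


def is_vulnerable(version: str) -> bool:
    """True if the version falls inside any affected branch range."""
    v = parse_version(version)
    return any(lo <= v < fixed for lo, fixed in AFFECTED_RANGES)


def triage(version: str) -> dict:
    """Per-branch verdict.  The branch matters: 17.0.5 is affected even though
    it is numerically above the 16.x fix, and 16.0.95 is fixed even though it
    is below the 17.x fix."""
    v = parse_version(version)
    for lo, fixed in AFFECTED_RANGES:
        fixed_str = ".".join(map(str, fixed))
        if lo <= v < fixed:
            return {"version": version, "vulnerable": True, "fixed_in": fixed_str}
        if v[:1] == fixed[:1]:  # same major branch, at or after the fix
            return {"version": version, "vulnerable": False, "fixed_in": fixed_str}
    return {"version": version, "vulnerable": False, "fixed_in": None,
            "note": "branch not listed on this page (only 16.x and 17.x ranges are given)"}


def module_version(listing: str, module: str) -> Optional[str]:
    """Find a module's version cell in a pipe-delimited listing."""
    for line in listing.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 2 and cells[0] == module:
            return cells[1]
    return None


def triage_listing(listing: str, module: str = "endpointman") -> dict:
    """Locate the module in the listing and triage its version."""
    ver = module_version(listing, module)
    if ver is None:
        return {"version": None, "vulnerable": False, "fixed_in": None,
                "note": f"{module} not present in listing"}
    return triage(ver)


if __name__ == "__main__":
    print(triage_listing(FWCONSOLE_SAMPLE))
```

Run it against the real listing by piping `fwconsole ma list` into `triage_listing`; a version 16.0.92 / 17.0.6 or later in its own branch is reported as fixed, anything below is reported with the version it needs to reach.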