CVE-2025-66039

CRITICAL

FreePBX firmware file upload

Title source: metasploit

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-66039. PoCs published by cyberleelawat and BimBoxH4.

Description

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Affected versions are vulnerable to authentication bypass when the authentication type is set to "webserver": supplying an Authorization header with an arbitrary value causes a session to be associated with the target user regardless of whether valid credentials were presented. The issue is fixed in versions 16.0.44 and 17.0.23.
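The failure mode described above is a trust-boundary mistake: in "webserver" mode the application assumes the front-end web server already authenticated the request, so the mere presence of a client-controlled Authorization header is taken as proof of identity. The following Python model is an added example written for this page, not FreePBX's code or Sangoma's patch. The credential store, the auth-type names ("webserver" vs. "database") and the function names are assumptions; the hardened variant illustrates one standard fix (trusting only an identity the server itself set in REMOTE_USER, which a client cannot supply), not necessarily the change made upstream.

```python
import base64
import hmac
from typing import Dict, Optional, Tuple

# Constructed credential store for the example; not a FreePBX artefact.
USERS: Dict[str, str] = {"admin": "correct-horse-battery-staple"}


def basic_header(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a 'Basic <base64>' header, or None if the
    header is absent, not Basic, or malformed."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep and user else None


def credentials_valid(user: str, password: str) -> bool:
    """Constant-time comparison against the constructed credential store."""
    expected = USERS.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))


def login_vulnerable(headers: Dict[str, str], target_user: str,
                     auth_type: str = "webserver") -> Optional[str]:
    """Vulnerable pattern (assumed model of the bug): in 'webserver' mode the
    application believes the web server already verified the Authorization
    header, so the header's mere presence, whatever its value, binds the
    session to target_user without any credential check. Returns the user a
    session would be created for, or None."""
    if auth_type == "webserver":
        return target_user if headers.get("Authorization") else None
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds and credentials_valid(*creds) and creds[0] == target_user:
        return creds[0]
    return None


def login_hardened(headers: Dict[str, str], target_user: str,
                   server_env: Dict[str, str],
                   auth_type: str = "webserver") -> Optional[str]:
    """Assumed hardening, not Sangoma's actual patch: in 'webserver' mode trust
    only an identity the web server itself established (REMOTE_USER, set by the
    server after it verified credentials; a client cannot inject it), and refuse
    to bind a session to any other user. Other modes verify Basic credentials
    against the store."""
    if auth_type == "webserver":
        verified = server_env.get("REMOTE_USER")
        return verified if verified and verified == target_user else None
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds and credentials_valid(*creds) and creds[0] == target_user:
        return creds[0]
    return None


if __name__ == "__main__":
    bogus = {"Authorization": "anything-at-all"}          # arbitrary header value
    print("vulnerable:", login_vulnerable(bogus, "admin"))                     # admin
    print("hardened  :", login_hardened(bogus, "admin", {}))                   # None
    print("server-set:", login_hardened({}, "admin", {"REMOTE_USER": "admin"}))  # admin
```

The key contrast is in `login_vulnerable`: `headers.get("Authorization")` is truthy for any non-empty string, so the check degenerates to "did the client send a header". The hardened path never reads the client header in webserver mode at all; it consults a value the server populated out of band.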

Exploits (2)

nomisec SCANNER 1 stars
by cyberleelawat · poc
https://github.com/cyberleelawat/FreePBX-Multiple-CVEs-2025

This repository provides Nuclei templates for detecting three FreePBX vulnerabilities (CVE-2025-66039, CVE-2025-61678, CVE-2025-61675) via version checks and non-invasive detection methods. It includes dorks for identifying vulnerable instances but does not contain exploit code.

Classification
Scanner 90%
Attack Type
Info Leak | Auth Bypass | Sqli | File Upload
Complexity
Trivial
Reliability
Reliable
Target: FreePBX (versions < 16.0.92, < 17.0.6 for endpoint module; < 16.0.44, < 17.0.23 for framework module)
Auth required
Prerequisites: Access to FreePBX administration panel or version endpoint · Nuclei installed
devstral-2 · analyzed Feb 16, 2026
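The version gates this entry reports (framework below 16.0.44 / 17.0.23, endpoint module below 16.0.92 / 17.0.6) are branch-specific, so a naive "less than" on strings gets them wrong: "16.0.9" sorts after "16.0.44" lexicographically. The following Python is an added example for this page, not code from either repository; it assumes a FreePBX version string begins with three numeric components (extra components such as "16.0.40.7" are ignored) and encodes only the thresholds stated on this page.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases as stated on this page, keyed by module then major branch.
# Assumption: branches not listed (e.g. 15.x) have no threshold here.
FIXED_IN: Dict[str, Dict[int, Tuple[int, int, int]]] = {
    "framework": {16: (16, 0, 44), 17: (17, 0, 23)},
    "endpoint":  {16: (16, 0, 92), 17: (17, 0, 6)},
}

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse the leading major.minor.patch of a version string into integers.
    Trailing components are ignored; unparseable input returns None."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str, module: str = "framework") -> Optional[bool]:
    """True if the version is below the fixed release on its branch, False if
    at or above it, None if the string is unparseable, the module is unknown,
    or the branch is not covered by the thresholds listed here."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    fixed = FIXED_IN.get(module, {}).get(parsed[0])
    if fixed is None:
        return None
    return parsed < fixed  # tuple comparison is numeric, not lexicographic


def triage(versions: List[str], module: str = "framework") -> Dict[str, List[str]]:
    """Bucket observed version strings for a report."""
    buckets: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for v in versions:
        result = is_vulnerable(v, module)
        key = "unknown" if result is None else ("vulnerable" if result else "patched")
        buckets[key].append(v)
    return buckets


if __name__ == "__main__":
    # Constructed sample of version strings; not real scan output.
    sample = ["16.0.9", "16.0.43", "16.0.44", "17.0.22", "17.0.23.1", "15.0.37", "n/a"]
    for name, items in triage(sample).items():
        print(f"{name:10s} {items}")
```

Returning `None` rather than `False` for unparseable or uncovered inputs keeps "we could not tell" distinct from "patched" in the report, which matters when a banner is hidden or a 15.x host turns up that this advisory says nothing about.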
nomisec SCANNER 1 stars
by BimBoxH4 · poc
https://github.com/BimBoxH4/CVE-2025-66039_CVE-2025-61675_CVE-2025-61678_reePBX

This repository contains a Python-based scanner for detecting and exploiting multiple FreePBX vulnerabilities (CVE-2025-66039, CVE-2025-61675, CVE-2025-61678), including authentication bypass, SQL injection, and file upload RCE. The tool is designed for educational and authorized testing purposes.

Classification
Scanner 95%
Attack Type
Auth Bypass | Sqli | Rce
Complexity
Moderate
Reliability
Reliable
Target: FreePBX
No auth needed
Prerequisites: Network access to target FreePBX instance · Python 3.6+ environment
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.8
EPSS 0.0298
EPSS Percentile 85.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-287
Status published
Products (1)
sangoma/freepbx < 16.0.44
Published Dec 09, 2025
Tracked Since Feb 18, 2026