Скачать или смотреть FreePBX Security Flaws: Critical Vulnerabilities Exposed

In this video, we delve into the critical security vulnerabilities recently disclosed in the open-source PBX platform FreePBX. Published on December 15, 2025, this report highlights significant flaws that could lead to remote code execution, authentication bypass, and unauthorized access to sensitive data. What you’ll learn: We will explore the nature of these vulnerabilities, their potential impact on users, and essential steps for mitigating risks.

Multiple vulnerabilities have been identified in FreePBX, a widely used private branch exchange software. The most alarming of these is an authentication bypass flaw that can be exploited under specific configurations, allowing unauthorized access to the system. Discovered by Horizon3.ai and reported to the maintainers on September 15, 2025, these vulnerabilities include SQL injection flaws and arbitrary file upload capabilities, which could enable attackers to execute malicious commands remotely.

The vulnerabilities are categorized as follows:
CVE-2025-61675 (CVSS score: 8.6): This flaw affects four unique endpoints, allowing attackers to perform SQL injection and gain unauthorized access to the database.
CVE-2025-61678 (CVSS score: 8.6): This vulnerability permits the upload of a PHP web shell via the firmware upload endpoint, enabling attackers to execute arbitrary commands.
CVE-2025-66039 (CVSS score: 9.3): This critical flaw allows attackers to bypass authentication when the Authorization Type is set to 'webserver,' potentially leading to unauthorized control over the Administrator Control Panel.

It's important to note that the authentication bypass vulnerability is not present in the default configuration of FreePBX, but it can be exploited if specific advanced settings are enabled. This highlights the importance of maintaining secure configurations.

The FreePBX team has addressed these vulnerabilities in recent software updates, with fixes rolled out on October 14 and December 9, 2025. Users are encouraged to update to the latest versions and follow recommended practices to enhance their security posture.

For organizations using FreePBX, it is crucial to review your system configurations and ensure that the 'Authorization Type' is set to 'usermanager' and that 'Override Readonly Settings' is disabled. Additionally, users should conduct thorough system analyses for any signs of compromise if the vulnerable configurations were inadvertently enabled.

In conclusion, the vulnerabilities in FreePBX serve as a reminder of the importance of cybersecurity hygiene. Regular updates, secure configurations, and proactive monitoring are essential to safeguarding systems against potential threats. Stay informed and protect your systems against these vulnerabilities.