Critical security vulnerabilities, including a severe authentication bypass, have been publicly disclosed in FreePBX, the widely used open-source private branch exchange (PBX) platform. The flaws, identified by researchers at Horizon3.ai, allow attackers to gain unauthorized access to and execute code on vulnerable systems. They are a reminder that complex infrastructure software needs timely patching and, where a risky legacy option is in use, a configuration review as well.
The flaws were reported to the FreePBX maintainers on September 15, 2025. Horizon3.ai detailed three distinct Common Vulnerabilities and Exposures (CVEs) affecting the platform: CVE-2025-61675 and CVE-2025-61678, both with a CVSS score of 8.6, and CVE-2025-66039, rated critical with a CVSS score of 9.3. Together they pose a significant risk to organizations relying on FreePBX for their communication infrastructure.
Understanding the FreePBX Vulnerabilities
CVE-2025-61675 covers a set of authenticated SQL injection vulnerabilities in four endpoints: basestation, model, firmware, and custom extension. Across these endpoints, 11 parameters are injectable, giving an authenticated attacker read and write access to the underlying FreePBX database, which is enough to steal data or to alter the PBX configuration and user records the system trusts. Because the PBX acts on what is in that database, its integrity is the security boundary.
Closely related, CVE-2025-61678 is an authenticated arbitrary file upload vulnerability in the firmware upload endpoint. An attacker who already holds a valid session (a PHPSESSID cookie) can upload a PHP web shell and then execute arbitrary commands on the host; reading a file such as `/etc/passwd` is the proof of concept, but the same access reaches configuration, call records, and credentials stored on the system. On its own the flaw requires a session, which is why it becomes far more dangerous when chained with the authentication bypass below.
The most critical vulnerability, CVE-2025-66039, is an authentication bypass that applies only under a specific configuration. When the “Authorization Type” (AUTHTYPE) setting is “webserver,” FreePBX delegates authentication to the web server in front of it and accepts the identity the web server passes through with the request. An attacker can therefore log into the FreePBX Administrator Control Panel by supplying a forged `Authorization` header, with no valid credentials at all.
The Authentication Bypass Nuance
CVE-2025-66039 is not exploitable in the default FreePBX configuration. Exploitation requires AUTHTYPE to have been changed to “webserver,” and that option is only visible and configurable once three advanced settings are all set to “Yes”: “Display Friendly Name,” “Display Readonly Settings,” and “Override Readonly Settings.”
Once those prerequisites are met, however, an attacker can craft HTTP requests that bypass authentication and then use the resulting administrator access to insert a malicious user into the “ampusers” database table for persistent access, a scenario reminiscent of CVE-2025-57819, another FreePBX vulnerability that was actively exploited in the wild in September 2025. Because the same persistence technique has already been seen in the wild, the ampusers table is the first place to look for signs of compromise.
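The following model shows why the “webserver” authorization type is only as strong as whatever sits in front of FreePBX. It is an added illustration, not FreePBX code: the real login handling in the FreePBX framework is not reproduced here, the `AMPUSERS` dictionary and its SHA-1 scheme are constructed stand-ins for the ampusers table, and `resolve_identity` is a hypothetical function that models the two AUTHTYPE modes side by side. The point it demonstrates is that when the application trusts the web server to have authenticated the request, but the web server is not actually enforcing authentication, the username in a client-supplied `Authorization` header is accepted as the logged-in identity.

```python
"""Model of the AUTHTYPE=webserver trust boundary (constructed illustration,
not FreePBX code). Under 'usermanager' the application verifies the password
itself; under 'webserver' it assumes the web server already did."""
import base64
import binascii
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed stand-in for the ampusers table: username -> sha1(password).
# The hash scheme is an assumption for the model, not the project's own.
AMPUSERS = {
    "admin": hashlib.sha1(b"correct horse battery staple").hexdigest(),
}


def basic_header(user: str, password: str) -> str:
    """Build an 'Authorization: Basic ...' value exactly as a client would."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_header(value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a Basic header, or None if absent/malformed."""
    if not value:
        return None
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def verify_password(user: str, password: str) -> bool:
    """Constant-time comparison against the stored hash."""
    stored = AMPUSERS.get(user)
    if stored is None:
        return False
    candidate = hashlib.sha1(password.encode()).hexdigest()
    return hmac.compare_digest(stored, candidate)


def resolve_identity(authtype: str, headers: dict, form: dict,
                     upstream_auth_enforced: bool) -> Optional[str]:
    """Return the logged-in username, or None if the request is rejected.

    authtype='usermanager': the application checks the password itself.
    authtype='webserver':   the application only consumes the username the
        web server passed through. If nothing upstream enforces
        authentication, that username is whatever the client sent.
    """
    if authtype == "usermanager":
        user, password = form.get("username", ""), form.get("password", "")
        return user if verify_password(user, password) else None

    if authtype == "webserver":
        creds = parse_basic_header(headers.get("Authorization"))
        if creds is None:
            return None
        user, password = creds
        if upstream_auth_enforced:
            # The web server (e.g. Apache 'Require valid-user') checked the
            # pair before PHP saw the request; modelled here as a password check.
            return user if verify_password(user, password) else None
        # Nothing upstream checked anything: the forged header is taken as-is.
        return user

    raise ValueError(f"unknown AUTHTYPE {authtype!r}")


if __name__ == "__main__":
    forged = {"Authorization": basic_header("admin", "not-the-password")}
    print("webserver, no upstream auth:", resolve_identity("webserver", forged, {}, False))
    print("webserver, upstream auth   :", resolve_identity("webserver", forged, {}, True))
    print("usermanager, wrong password:",
          resolve_identity("usermanager", {}, {"username": "admin", "password": "x"}, False))
```

The first call returns `"admin"` without the password ever being checked; the other two return `None`. The mode is not wrong in itself, it simply moves the whole security decision to the web server configuration, which is why the page recommends treating any deployment that ran it as potentially compromised.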
Mitigation and Patching Efforts
Horizon3.ai security researcher Noah King stated that these vulnerabilities are “easily exploitable and enable authenticated/unauthenticated remote attackers to achieve remote code execution on vulnerable FreePBX instances.” Remote code execution on a PBX is a high-priority concern for administrators, since the host carries call records, trunk credentials, and a network position that is often reachable from the outside.
The FreePBX project maintainers have released patches to address these security issues. CVE-2025-61675 and CVE-2025-61678 were fixed in FreePBX versions 16.0.92 and 17.0.6, with the patches available since October 14, 2025. CVE-2025-66039 was addressed in versions 16.0.44 and 17.0.23, with fixes released on December 9, 2025.
Alongside the patches, the FreePBX project changed how the setting is managed. The option to select an authentication provider has been removed from the Advanced Settings interface and now requires manual configuration from the command line with `fwconsole`. For immediate mitigation, set “Authorization Type” to “usermanager,” set “Override Readonly Settings” to “No,” apply the new configuration, and reboot the system so that any active unauthorized sessions are terminated.
FreePBX has also added dashboard warnings that the “webserver” authentication type offers reduced security compared to “usermanager.” Administrators are strongly advised to avoid the “webserver” type: it is legacy code that relies entirely on an external authentication layer (the web server) for its security, so it is only as strong as that layer's configuration. Any instance where the “webserver” AUTHTYPE was previously enabled should receive a full analysis for signs of compromise, including a review of the administrator accounts present on the system.
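A minimal version of that compromise check, added here as an example and not a FreePBX tool, is shown below. It answers the two questions the advisory leaves to the administrator: is AUTHTYPE still “webserver,” and are there accounts in ampusers that nobody created on purpose? The in-memory SQLite fixture is a constructed approximation of the relevant tables (real FreePBX runs on MySQL/MariaDB, and the `freepbx_settings` table name and the ampusers column set are assumptions); `EXPECTED_ADMINS` is the list of accounts the administrator knows about. Against a live system, the two queries would run on the real database instead of the fixture.

```python
"""Post-exposure audit for a FreePBX host that ran AUTHTYPE=webserver.
Added example with a constructed SQLite fixture, not a FreePBX tool."""
import hashlib
import sqlite3
from typing import List, Optional, Set, Tuple

# Accounts the administrator knows about (assumption for the example).
EXPECTED_ADMINS: Set[str] = {"admin"}


def build_fixture() -> sqlite3.Connection:
    """Constructed database state: one legitimate admin, one planted
    account, and AUTHTYPE still set to the unsafe value."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE ampusers (
            username       TEXT PRIMARY KEY,
            password_sha1  TEXT,
            extension_low  TEXT,
            extension_high TEXT,
            deptname       TEXT,
            sections       TEXT
        );
        CREATE TABLE freepbx_settings (
            keyword TEXT PRIMARY KEY,
            value   TEXT
        );
    """)
    rows = [
        ("admin",   hashlib.sha1(b"legit-admin-password").hexdigest(), "", "", "", "*"),
        ("support", hashlib.sha1(b"attacker-chosen").hexdigest(),      "", "", "", "*"),
    ]
    con.executemany("INSERT INTO ampusers VALUES (?, ?, ?, ?, ?, ?)", rows)
    con.execute("INSERT INTO freepbx_settings VALUES ('AUTHTYPE', 'webserver')")
    con.commit()
    return con


def current_authtype(con: sqlite3.Connection) -> Optional[str]:
    """Read the AUTHTYPE keyword; None if the row is missing."""
    row = con.execute(
        "SELECT value FROM freepbx_settings WHERE keyword = 'AUTHTYPE'"
    ).fetchone()
    return row[0] if row else None


def unexpected_admins(con: sqlite3.Connection,
                      expected: Set[str]) -> List[Tuple[str, str]]:
    """ampusers rows whose username is not on the expected list."""
    rows = con.execute("SELECT username, sections FROM ampusers ORDER BY username")
    return [(user, sections) for user, sections in rows if user not in expected]


def audit(con: sqlite3.Connection,
          expected: Set[str] = EXPECTED_ADMINS) -> List[str]:
    """Human-readable findings; an empty list means nothing to act on."""
    findings: List[str] = []
    authtype = current_authtype(con)
    if authtype != "usermanager":
        findings.append(
            f"AUTHTYPE is {authtype!r}: switch it to 'usermanager', "
            "apply the configuration and reboot to drop live sessions"
        )
    for user, sections in unexpected_admins(con, expected):
        findings.append(
            f"unexpected ampusers account {user!r} (sections={sections!r}): "
            "confirm who created it; treat as planted if nobody did"
        )
    return findings


if __name__ == "__main__":
    for line in audit(build_fixture()):
        print("FINDING:", line)
```

On the fixture this reports two findings, the lingering “webserver” setting and the planted `support` account. Resolving the setting should go through the supported `fwconsole` path the project now requires rather than a direct database edit, and an unexplained account should be treated as evidence of compromise rather than simply deleted, since it points to everything else the attacker may have changed while logged in.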
Looking ahead, organizations running FreePBX must prioritize applying the latest security patches. The steady discovery of vulnerabilities in widely deployed open-source software like FreePBX underscores the need for a proactive security posture: regular updates, a review of legacy configuration options, and vigilant monitoring for any signs of breach. Future security assessments will likely focus on the stability and security of the new command-line-only configuration path for authentication providers.