Security researchers have uncovered a trio of severe vulnerabilities in FreePBX, an open-source business phone system management platform, that could allow attackers to completely compromise vulnerable installations and execute arbitrary commands.
The flaws, discovered by Horizon3.ai researcher Noah King, include an authentication bypass (CVE-2025-66039), multiple SQL injection vulnerabilities (CVE-2025-61675), and an arbitrary file upload issue (CVE-2025-61678). When chained together, these vulnerabilities provide a devastating attack path from initial access to full system control.
The authentication bypass affects FreePBX instances configured with "webserver" authentication type—a non-default but available configuration option. By simply including a forged Authorization header with any username and password, attackers can bypass authentication entirely. "FreePBX blindly trusts any request that contains a valid username in the Authorization header," King explained in the technical disclosure.
Once past authentication, attackers can exploit eleven different SQL injection points across four endpoints in the Endpoint Management module. These injections allow complete database access, enabling threat actors to create administrative accounts, extract sensitive information, or insert malicious commands into the system's cron jobs table for persistent code execution.
The file upload vulnerability compounds the threat by allowing attackers to upload PHP webshells to arbitrary locations on the server, providing immediate remote code execution capabilities.
While the authentication bypass only affects non-default configurations, the SQL injection and file upload vulnerabilities impact all FreePBX installations that haven't applied recent patches. Shodan data reveals nearly 12,000 FreePBX instances publicly exposed online, though the actual number of vulnerable systems appears limited since most use the default "usermanager" authentication.
FreePBX has released patches addressing all three vulnerabilities in versions 16.0.42, 16.0.92, 17.0.6, and 17.0.22. Administrators should immediately update their installations and verify they're not using webserver authentication. Organizations should also audit their ampusers and cron_jobs database tables for suspicious entries and check for unauthorized files in /var/www/html.