Multiple flaws in FreePBX let attackers bypass authentication and take control of the system. The most severe of them is not reachable on a default install: it depends on an authentication setting that an administrator has to enable, and that is easy to misset or overlook once set.
Security researchers at Horizon3.ai disclosed multiple vulnerabilities in FreePBX, including a severe authentication bypass under certain setups, alongside several SQL injection and file-upload weaknesses. The findings, reported to project maintainers on September 15, 2025, are summarized below with their CVEs and impact:
- CVE-2025-61675 (CVSS 8.6): Numerous authenticated SQL injection flaws affecting four endpoints (basestation, model, firmware, and custom extension) and 11 parameters, granting read/write access to the underlying database.
- CVE-2025-61678 (CVSS 8.6): Authenticated arbitrary file upload vulnerability that enables uploading a PHP web shell through the firmware upload endpoint after obtaining a valid PHPSESSID, allowing commands to be executed and sensitive files (e.g., /etc/passwd) to be leaked.
- CVE-2025-66039 (CVSS 9.3): Authentication bypass when the Authorization Type (AUTHTYPE) is set to webserver, permitting login to the Administrator Control Panel via a forged Authorization header.
A key nuance: the authentication bypass is not active by default. The webserver AUTHTYPE option only appears in the GUI when three Advanced Settings are all set to Yes: Display Friendly Name, Display Readonly Settings, and Override Readonly Settings. Once an administrator has selected webserver, an attacker can craft HTTP requests that bypass authentication and insert a malicious user into the ampusers table, the same post-exploitation artefact seen with CVE-2025-57819, another FreePBX flaw that was exploited in the wild in August 2025.
Horizon3.ai researcher Noah King emphasizes how exploitable these issues are, noting they enable remote code execution for both authenticated and unauthenticated attackers on vulnerable FreePBX instances.
Patch status and mitigations:
- CVE-2025-61675 and CVE-2025-61678 are fixed in FreePBX versions 16.0.92 and 17.0.6 (released October 14, 2025).
- CVE-2025-66039 is fixed in versions 16.0.44 and 17.0.23 (released December 9, 2025).
A functional change introduced alongside the fixes: the option to choose an authentication provider has been removed from Advanced Settings, so authentication must now be configured from the command line with fwconsole. Interim mitigation for hosts that cannot be patched immediately: set AUTHTYPE to usermanager, set Override Readonly Settings to No, apply the new configuration, and reboot so that any session established through the bypass is terminated.
If you discover that webserver AUTHTYPE was enabled, whether by mistake or otherwise, treat the host as potentially compromised and perform a full audit, starting with the ampusers table. The dashboard now warns that webserver authentication may be less secure than usermanager, and best practice is to avoid webserver for authentication entirely.
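The script below is an added example, not code from FreePBX or from the Horizon3.ai write-up; it turns the mitigation and audit steps above into something an administrator can run. It assumes that settings are stored in the freepbx_settings table (keyword/value) of the asterisk database, that the three Advanced Settings are keyed AS_DISPLAY_FRIENDLY_NAME, AS_DISPLAY_READONLY_SETTINGS and AS_OVERRIDE_READONLY, that admin accounts are rows of the ampusers table, and that `fwconsole setting NAME VALUE` writes a setting while `fwconsole reload` applies the configuration. Check those assumptions against your own install before running it with --mitigate.

```shell
#!/bin/sh
# Added example (not FreePBX or Horizon3.ai code): audit a FreePBX host for
# the webserver AUTHTYPE condition and, with --mitigate, apply the interim fix.
# Assumptions that do not come from the advisory:
#   - settings live in the freepbx_settings table (keyword/value) of the
#     `asterisk` database and admin accounts in its ampusers table
#   - the three Advanced Settings are keyed AS_DISPLAY_FRIENDLY_NAME,
#     AS_DISPLAY_READONLY_SETTINGS and AS_OVERRIDE_READONLY
#   - `fwconsole setting NAME VALUE` writes a setting, `fwconsole reload`
#     applies the configuration

# Normalise the spellings a boolean setting can take to "yes" or "no".
as_bool() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        1|true|yes|on) echo yes ;;
        *)             echo no ;;
    esac
}

# Rate an AUTHTYPE value: webserver is the mode CVE-2025-66039 abuses,
# usermanager is the recommended one, anything else deserves a look.
classify_authtype() {
    case "$1" in
        webserver)   echo CRITICAL ;;
        usermanager) echo OK ;;
        *)           echo REVIEW ;;
    esac
}

# The GUI only offered webserver when all three settings were enabled.
# Arguments: Display Friendly Name, Display Readonly Settings,
# Override Readonly Settings (any truthy spelling accepted).
webserver_option_exposed() {
    if [ "$(as_bool "$1")" = yes ] && [ "$(as_bool "$2")" = yes ] \
       && [ "$(as_bool "$3")" = yes ]; then
        echo exposed
    else
        echo hidden
    fi
}

# Print each username in $2 (newline separated) that is absent from $1
# (newline separated). An admin row you did not create is the artefact
# the bypass leaves behind in ampusers.
rogue_ampusers() {
    printf '%s\n' "$2" | while IFS= read -r user; do
        [ -n "$user" ] || continue
        printf '%s\n' "$1" | grep -qx -- "$user" || echo "$user"
    done
}

# Live mode against the local database; needs the mysql client and fwconsole.
mode="${1:-}"
if [ "$mode" = --audit ] || [ "$mode" = --mitigate ]; then
    read_setting() {
        mysql -N -B asterisk -e "SELECT value FROM freepbx_settings WHERE keyword='$1'"
    }
    authtype=$(read_setting AUTHTYPE)
    echo "AUTHTYPE=$authtype -> $(classify_authtype "$authtype")"
    echo "webserver selectable in GUI: $(webserver_option_exposed \
        "$(read_setting AS_DISPLAY_FRIENDLY_NAME)" \
        "$(read_setting AS_DISPLAY_READONLY_SETTINGS)" \
        "$(read_setting AS_OVERRIDE_READONLY)")"
    # KNOWN_ADMINS: space-separated admin logins you created yourself
    # (left unquoted on purpose so the shell splits it into lines).
    rogue=$(rogue_ampusers "$(printf '%s\n' ${KNOWN_ADMINS:-admin})" \
        "$(mysql -N -B asterisk -e 'SELECT username FROM ampusers')")
    [ -z "$rogue" ] || echo "ampusers rows you did not create (possible compromise): $rogue"
    if [ "$mode" = --mitigate ]; then
        fwconsole setting AUTHTYPE usermanager
        fwconsole setting AS_OVERRIDE_READONLY 0
        fwconsole reload
        echo "Reboot the host now to terminate any session opened through the bypass."
    fi
fi
```

Run it with --audit first; it is read-only and reports the AUTHTYPE rating, whether the GUI prerequisites for the webserver option are all enabled, and any ampusers row not listed in KNOWN_ADMINS (for example `KNOWN_ADMINS="admin ops" sh check.sh --audit`). A REVIEW rating means AUTHTYPE is something other than the two values named in the advisory and should be examined by hand. Only run --mitigate after confirming the setting keys match your version, and follow it with the reboot the vendor guidance calls for.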
Even with these patches, the vulnerable code paths remain in place; the fixes gate them behind the front-end authentication layer rather than removing them. King notes that some endpoints require a valid username, while others, including certain file upload paths, may permit remote code execution without one. The practical conclusion is to avoid webserver AUTHTYPE altogether: it appears to be legacy code and carries a higher security risk than usermanager.
The broader point is that exposure here is configuration-dependent, so patch level alone does not tell you whether a FreePBX host is at risk. Whether safer authentication modes should be enforced by default or left to explicit, auditable administrator configuration is a fair design question; either way, a deployment that relies on defaults and patches after problems surface is not one that minimizes risk.
The Horizon3.ai write-up and the CVE records cited above carry the full technical details and vendor advisories.