Critical authentication bypass and multiple flaws discovered in FreePBX VoIP platform
Take action: Make sure all FreePBX management and login interfaces are isolated from the internet and only accessible from trusted networks. Plan a quick update to the latest patched versions (16.0.92/17.0.6 or newer), verify your authentication type is set to 'usermanager' instead of 'webserver', then reboot the system to clear any potentially compromised sessions. Finally, investigate for possible indicators of compromise.
Learn More
Security researchers from Horizon3.ai are reporting three critical vulnerabilities in FreePBX, an open-source IP PBX management tool widely used by businesses for VoIP telephony systems. The vulnerabilities were discovered during investigation of a separate authentication bypass (CVE-2025-57819) that was being actively exploited in the wild.
Vulnerabilities summary:
- CVE-2025-66039 (CVSS score 9.3) - Authentication bypass vulnerability affecting the "webserver" authentication type, allowing attackers to bypass authentication via a forged Authorization header. The vulnerability is exploitable when the "Authorization Type" advanced setting is configured to "webserver" instead of the default "usermanager" setting. This configuration option is only visible when three specific Advanced Settings Details values are set to "Yes": Display Friendly Name, Display Readonly Settings, and Override Readonly Settings. When these prerequisites are met, an attacker can bypass authentication by supplying any HTTP Basic Authorization header containing a valid username (such as the default "admin" user) with an arbitrary password. FreePBX blindly trusts requests containing valid usernames in the Authorization header, expecting Apache to handle authentication at a lower layer.
- CVE-2025-61675 (CVSS score 8.6) - Multiple authenticated SQL injection vulnerabilities affecting 11 parameters across four unique endpoints (basestation, model, firmware, and custom extension), enabling complete database read and write access. Each of the 11 vulnerable parameters allows arbitrary SQL query execution against the FreePBX database. These injection points can be exploited to insert malicious users into the ampusers table, inject operating system commands into the cron_jobs table for scheduled execution, or exfiltrate sensitive telephony data including call records and user credentials. When chained with the authentication bypass, these SQL injections become exploitable without any authentication.
- CVE-2025-61678 (CVSS score 8.6) - Authenticated arbitrary file upload vulnerability in the firmware upload endpoint allowing attackers to upload PHP webshells and execute arbitrary commands. It allows authenticated attackers to manipulate the "fwbrand" parameter during firmware uploads, enabling path traversal to upload files to arbitrary locations on the server, including the web root directory at /var/www/html. Attackers can upload PHP webshells and execute arbitrary operating system commands with the privileges of the web server user, potentially leading to full system compromise.
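The two coding patterns behind the first and third flaws above are easy to see side by side. The following is an added Python example written for this summary, not FreePBX code (FreePBX itself is PHP): part 1 shows the "trust the username in the Authorization header and assume the web server checked the password" pattern next to a version that verifies the password itself, and part 2 shows a path-confinement check of the kind that would reject a brand parameter containing traversal segments before a firmware file is written. The user store, salt, password, upload root and extension allow-list are all constructed for the demo.

```python
"""Added example (not FreePBX code): two of the checks the advisory's flaws turn on.

1. Basic-auth handling: the flawed "trust the username, assume the web server
   verified the password" pattern beside a version that verifies the password.
2. Upload path confinement: reject a brand/filename pair that would escape the
   firmware directory (e.g. via ../ segments) or carry an executable extension.
All names, paths and credentials here are constructed for the demo.
"""
import base64
import hashlib
import hmac
import os

# --- 1. Authorization header handling -------------------------------------

# Constructed stand-in for a user table: username -> (salt, PBKDF2 hash).
def _pbkdf2(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


_SALT = b"constructed-demo-salt"
USERS = {"admin": (_SALT, _pbkdf2(_SALT, "correct-horse-battery"))}


def parse_basic_auth(header):
    """Return (username, password) from a 'Basic <base64>' header value, else None."""
    if not header:
        return None
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def webserver_style_auth(header):
    """Flawed pattern: the request counts as logged in when the header names an
    existing user. The password is never checked here, so this is only safe if
    an upstream layer (Apache) really did check it; if not, any password works."""
    creds = parse_basic_auth(header)
    if creds is None:
        return None
    user, _ = creds
    return user if user in USERS else None


def usermanager_style_auth(header):
    """Hardened pattern: the application verifies the password itself, in
    constant time, against its own user store."""
    creds = parse_basic_auth(header)
    if creds is None:
        return None
    user, password = creds
    salt, expected = USERS.get(user, (_SALT, b""))  # unknown user -> never matches
    ok = hmac.compare_digest(_pbkdf2(salt, password), expected)
    return user if ok and user in USERS else None


def basic_header(user, password):
    """Build the Basic Authorization header value a client would send."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


# --- 2. Upload path confinement --------------------------------------------

ALLOWED_EXTENSIONS = {".bin", ".img", ".zip"}   # constructed allow-list


def safe_upload_path(upload_root, brand, filename):
    """Return the absolute destination for a firmware upload, or None if the
    brand or filename would land outside upload_root or is not an allowed type."""
    for part in (brand, filename):
        # Each must be a single path component: non-empty, no separators, not '.'/'..'.
        if not part or part != os.path.basename(part) or part in (".", ".."):
            return None
    if os.path.splitext(filename)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(os.path.join(root, brand, filename))
    # Belt and braces: the resolved path must still sit under the root.
    if os.path.commonpath([root, dest]) != root:
        return None
    return dest
```

Running the two authenticators on the same header built with the right username and a wrong password makes the difference concrete: the webserver-style function returns the user, the usermanager-style one returns None. The upload check rejects a brand value containing path separators before any filesystem call is made, and additionally refuses file types that are not firmware images.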
FreePBX has released patches for all flaws:
- CVE-2025-61675 and CVE-2025-61678 were patched on October 14, 2025, in versions 16.0.92 and 17.0.6 for FreePBX 16 and 17 respectively.
- CVE-2025-66039 was patched in versions 16.0.44 and 17.0.23, released on December 9, 2025.
Security researchers note that the underlying vulnerable code remains present and can still be activated, though only after multiple warnings and manual configuration. FreePBX has removed the option to select authentication providers from the Advanced Settings graphical interface, now requiring manual configuration via the command line using "fwconsole setting AUTHTYPE webserver". When this authentication type is enabled, FreePBX displays a prominent security warning on the dashboard advising administrators that webserver authentication may offer reduced security compared to the default usermanager method.
Organizations should verify their authentication type configuration, update to the latest patched versions, set "Authorization Type" to "usermanager", configure "Override Readonly Settings" to "No", apply configurations, and reboot systems to disconnect any potentially compromised sessions.