FreePBX Patches Critical SQLi, File Upload, and AUTHTYPE Bypass Flaws That Enable Remote Code Execution
Multiple security issues have been disclosed in the open-source private branch exchange (PBX) platform FreePBX, including a critical condition that can permit authentication bypass when deployed with specific, non-default settings.
The weaknesses, identified by Horizon3.ai and reported to the maintainers on September 15, 2025, are as follows –
- CVE-2025-61675 (CVSS score: 8.6) – Multiple authenticated SQL injection vulnerabilities across four distinct endpoints (basestation, model, firmware, and custom extension) and 11 parameters, allowing read and write operations against the backing SQL database
- CVE-2025-61678 (CVSS score: 8.6) – An authenticated arbitrary file upload flaw in the firmware upload endpoint that lets an attacker, once in possession of a valid PHPSESSID, upload a PHP web shell and run arbitrary commands to exfiltrate sensitive files (for example, “/etc/passwd”)
- CVE-2025-66039 (CVSS score: 9.3) – An authentication bypass condition triggered when the “Authorization Type” (AUTHTYPE) is configured as “webserver,” enabling an attacker to gain access to the Administrator Control Panel by supplying a forged Authorization header
From an operations perspective, the authentication bypass does not affect FreePBX in its default state, because the “Authorization Type” selector is only exposed when all three of the following Advanced Settings Detail values are set to “Yes”:
- Display Friendly Name
- Display Readonly Settings, and
- Override Readonly Settings
Once those prerequisites are satisfied, however, an attacker can issue crafted HTTP requests to bypass the normal login flow and insert a malicious account into the “ampusers” database table, effectively achieving an outcome similar to CVE-2025-57819, another FreePBX issue that was reported as being actively exploited in production environments in September 2025.
“These vulnerabilities are straightforward to exploit and allow both authenticated and unauthenticated remote attackers to obtain remote code execution on exposed FreePBX instances,” Horizon3.ai security researcher Noah King noted in a report released last week.
The maintainers have shipped fixes in the following releases –
- CVE-2025-61675 and CVE-2025-61678 – 16.0.92 and 17.0.6 (patched on October 14, 2025)
- CVE-2025-66039 – 16.0.44 and 17.0.23 (patched on December 9, 2025)
Additionally, the UI control for selecting an authentication provider has been removed from Advanced Settings; administrators must now configure it explicitly via the fwconsole command-line tool. As short-term mitigations, FreePBX advises setting “Authorization Type” to “usermanager,” setting “Override Readonly Settings” to “No,” applying the configuration change, and rebooting the system to terminate any suspicious or stale sessions.
“If you discover that web server AUTHTYPE was enabled unintentionally, you should perform a comprehensive review of the system for indicators of compromise,” it said.
Administrators also see a dashboard warning noting that “webserver” may provide weaker security than “usermanager.” For a stronger security posture, the guidance is to avoid using the “webserver” authentication type altogether.
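The mitigation steps above (AUTHTYPE back to “usermanager,” Override Readonly Settings off, and a review of the “ampusers” table for accounts nobody created) can be turned into a repeatable post-patch check. The script below is an added example, not FreePBX code or part of the Horizon3.ai report; it assumes FreePBX keeps these settings in a `freepbx_settings` table (keyword/value) and GUI administrators in `ampusers` (username, sections) in the `asterisk` database, with boolean settings stored as `"0"`/`"1"`, and it runs here against a constructed in-memory SQLite copy of those tables rather than a live MySQL connection.

```python
"""Post-advisory audit for FreePBX AUTHTYPE settings and admin accounts.

Added example. Table and keyword names (freepbx_settings, ampusers, AUTHTYPE,
AS_OVERRIDE_READONLY) are assumptions about the FreePBX schema, not taken
from the article; point `audit()` at a real DB-API connection to the
`asterisk` database to use it on a host.
"""
import sqlite3

SAFE_AUTHTYPE = "usermanager"          # value the advisory recommends
OVERRIDE_READONLY_KEY = "AS_OVERRIDE_READONLY"  # assumed keyword for "Override Readonly Settings"
FALSE_VALUES = {None, "", "0", "false", "no"}


def audit(conn, expected_admins):
    """Return a list of human-readable findings; an empty list means clean.

    `expected_admins` is the set of ampusers usernames the operator knows
    about; anything else in the table is flagged for incident review.
    """
    findings = []
    cur = conn.cursor()
    settings = dict(cur.execute("SELECT keyword, value FROM freepbx_settings").fetchall())

    authtype = settings.get("AUTHTYPE")
    if authtype != SAFE_AUTHTYPE:
        findings.append(f"AUTHTYPE is {authtype!r}; set it to {SAFE_AUTHTYPE!r} via fwconsole")
    if str(settings.get(OVERRIDE_READONLY_KEY)).lower() not in FALSE_VALUES:
        findings.append("Override Readonly Settings is enabled; set it to No and apply config")

    # Every GUI admin account not in the operator's baseline is a potential
    # artefact of the ampusers-insertion path described in the advisory.
    for username, sections in cur.execute("SELECT username, sections FROM ampusers"):
        if username not in expected_admins:
            findings.append(f"unexpected ampusers account {username!r} (sections={sections!r})")
    return findings


def build_sample_db():
    """Constructed sample rows standing in for the real asterisk database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE freepbx_settings (keyword TEXT PRIMARY KEY, value TEXT);
        CREATE TABLE ampusers (username TEXT PRIMARY KEY, sections TEXT);
        INSERT INTO freepbx_settings VALUES ('AUTHTYPE', 'webserver');
        INSERT INTO freepbx_settings VALUES ('AS_OVERRIDE_READONLY', '1');
        INSERT INTO ampusers VALUES ('admin', '*');
        INSERT INTO ampusers VALUES ('svc_backup', '*');
    """)
    return conn


if __name__ == "__main__":
    for finding in audit(build_sample_db(), expected_admins={"admin"}):
        print("FINDING:", finding)
```

On a real host, replace `build_sample_db()` with a MySQL DB-API connection to the `asterisk` database and pass the admin usernames you actually provisioned.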
“It is important to understand that the underlying vulnerable code remains present and depends on upstream authentication layers to protect access to the FreePBX instance,” King added. “Requests must still include an Authorization header carrying a Base64-encoded username:password pair.”
“Depending on the endpoint, we observed that some paths require a valid username, while others, such as the file upload example referenced earlier, do not, and remote code execution can be achieved with only a few steps. From a security best-practice standpoint, the webserver authentication type should be avoided, as it appears to be legacy functionality.”