CVE-2025-61675 Overview
CVE-2025-61675 is an authenticated SQL injection vulnerability [CWE-89] in the FreePBX Endpoint Manager module. The flaw affects Endpoint Manager module versions prior to 16.0.92 on FreePBX 16 and prior to 17.0.6 on FreePBX 17. Attackers with valid credentials can inject arbitrary SQL through multiple parameters in the basestation, model, firmware, and custom extension configuration features. Successful exploitation allows execution of arbitrary SQL queries against the underlying database, exposing sensitive configuration data or permitting unauthorized modification of database records.
Critical Impact
Authenticated attackers with a known username can read or modify the FreePBX database, compromising telephony configuration, extension data, and credentials stored within Endpoint Manager.
Affected Products
- FreePBX 16 Endpoint Manager module versions prior to 16.0.92
- FreePBX 17 Endpoint Manager module versions prior to 17.0.6
- FreePBX systems with Endpoint Manager enabled for telephony device provisioning
Discovery Timeline
- 2025-10-14 - CVE-2025-61675 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-61675
Vulnerability Analysis
The Endpoint Manager module in FreePBX handles provisioning of VoIP devices, including base stations, phone models, firmware assignments, and custom extension configuration. The module accepts user-supplied parameters across these workflows and incorporates them into SQL statements without adequate sanitization or parameterized binding. An authenticated user who knows a valid username can manipulate these parameters to alter query semantics. The vulnerability falls under [CWE-89] Improper Neutralization of Special Elements used in an SQL Command. The EPSS score of 5.373% (90.2nd percentile) indicates above-average exploitation likelihood relative to other published CVEs.
Root Cause
The root cause is the direct concatenation of untrusted input into SQL queries within the basestation, model, firmware, and custom extension code paths. Input parameters are not bound through prepared statements, and validation routines do not enforce a strict allowlist. As a result, characters such as single quotes, semicolons, and SQL keywords pass through to the database driver intact.
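The two code paths described above, reduced to a small runnable illustration. This is an added example and not FreePBX code: the `device_models` table, its columns and the sample rows are constructed stand-ins, and SQLite is used in place of the MySQL/MariaDB backend. `lookup_vulnerable` shows the concatenation defect (a single quote in the value terminates the string literal and the rest is parsed as SQL), `lookup_parameterized` shows the prepared-statement fix, and `lookup_allowlisted` adds the strict allowlist the text says is missing.

```python
import re
import sqlite3

# Constructed stand-in for a provisioning lookup table (assumption: not FreePBX's real schema).
SCHEMA = """
CREATE TABLE device_models (
    id INTEGER PRIMARY KEY,
    brand TEXT NOT NULL,
    model TEXT NOT NULL,
    firmware TEXT NOT NULL
);
"""
SAMPLE_ROWS = [
    (1, "BrandA", "T46", "fw-1.0"),
    (2, "BrandA", "T48", "fw-1.1"),
    (3, "BrandB", "D120", "fw-2.3"),
]


def make_db():
    """Build an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO device_models VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, model):
    """CWE-89 pattern: untrusted input is spliced into the statement text."""
    sql = "SELECT id, brand, model, firmware FROM device_models WHERE model = '" + model + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, model):
    """Fix: the statement text is fixed and the value travels as a bound parameter."""
    sql = "SELECT id, brand, model, firmware FROM device_models WHERE model = ?"
    return conn.execute(sql, (model,)).fetchall()


# Defence in depth: a model identifier is only ever letters, digits, '_', '.' or '-'.
MODEL_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def lookup_allowlisted(conn, model):
    """Reject anything outside the expected character set before touching the database."""
    if not MODEL_RE.fullmatch(model):
        raise ValueError("invalid model identifier")
    return lookup_parameterized(conn, model)


# Constructed input of the kind listed under Indicators of Compromise: the quote closes
# the literal and the tautology makes the WHERE clause true for every row.
TAUTOLOGY = "T46' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("legit, vulnerable     :", lookup_vulnerable(conn, "T46"))       # one row
    print("crafted, vulnerable   :", lookup_vulnerable(conn, TAUTOLOGY))   # all rows
    print("crafted, parameterized:", lookup_parameterized(conn, TAUTOLOGY))  # no rows
```

The parameterized version compares the whole crafted string against the `model` column as data, so it matches nothing; the allowlist additionally stops the request before a query is issued, which is the behaviour the advisory's fix description implies.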
Attack Vector
The attack vector is network-based and requires authentication with a known username. An attacker who has obtained or guessed credentials submits crafted HTTP requests to the Endpoint Manager interface. The malicious parameter values modify the executing SQL, enabling data exfiltration through UNION-based or blind injection techniques and arbitrary updates through stacked queries where the driver permits them. No user interaction is required beyond the authenticated session. Refer to the FreePBX GitHub Security Advisory for vendor-supplied technical detail.
Detection Methods for CVE-2025-61675
Indicators of Compromise
- HTTP POST or GET requests to Endpoint Manager endpoints containing SQL metacharacters such as ', --, UNION SELECT, or OR 1=1 in basestation, model, firmware, or extension parameters.
- Database error messages or anomalously large response sizes returned from /admin/config.php or Endpoint Manager AJAX handlers.
- Unexpected modifications to Endpoint Manager tables, particularly rows touching device provisioning, firmware mappings, or extension configuration.
Detection Strategies
- Review FreePBX web server access logs for authenticated sessions issuing requests with SQL syntax in query string or POST body parameters.
- Enable MySQL/MariaDB general query logging or the slow query log temporarily to identify queries with unusual UNION, SLEEP, or INFORMATION_SCHEMA references originating from the FreePBX application user.
- Correlate Endpoint Manager activity with administrative login events to flag low-privilege accounts performing high-volume provisioning calls.
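The indicators and detection strategies above, turned into a small log scanner. This is an added example, not tooling from the FreePBX project: the Apache combined-format access lines and the MySQL general-log lines are constructed samples, the `display=endpoint` query parameter and the `endpoint_models` table name are assumptions used only to make the samples look plausible, and the SQL patterns are the ones the indicators list (`'`, `--`, `UNION SELECT`, `OR 1=1`, `SLEEP`, `INFORMATION_SCHEMA`). It flags requests under `/admin/` whose decoded parameters match, tallies hits per authenticated user so low-privilege accounts with many hits stand out, and separately flags query-log statements.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Patterns drawn from the Indicators of Compromise above. A bare quote is noisy on its own
# (legitimate names contain apostrophes), so the keyword patterns are what should page someone.
SQL_PATTERNS = [
    re.compile(r"'"),
    re.compile(r"--"),
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I),
    re.compile(r"\bsleep\s*\(", re.I),
    re.compile(r"information_schema", re.I),
]
KEYWORD_PATTERNS = SQL_PATTERNS[2:]

# Apache combined log format: ip ident user [time] "method target proto" status size ...
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample access-log lines (the display=endpoint parameter is an assumption).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - admin [14/Oct/2025:10:01:02 +0000] "GET /admin/config.php?display=endpoint&model=T46 HTTP/1.1" 200 5120',
    '10.0.0.9 - operator [14/Oct/2025:10:02:15 +0000] "GET /admin/config.php?display=endpoint&model=T46%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 98211',
    '10.0.0.9 - operator [14/Oct/2025:10:02:40 +0000] "GET /admin/config.php?display=endpoint&firmware=1%27%20OR%201%3D1 HTTP/1.1" 500 312',
    '10.0.0.7 - - [14/Oct/2025:10:03:00 +0000] "GET /index.html?q=union%20select HTTP/1.1" 200 10',
]

# Constructed sample MySQL general-log lines, one statement per line (table name is an assumption).
SAMPLE_QUERY_LOG = [
    "2025-10-14T10:01:02Z\t12 Query\tSELECT * FROM endpoint_models WHERE model = 'T46'",
    "2025-10-14T10:02:16Z\t12 Query\tSELECT * FROM endpoint_models WHERE model = 'T46' UNION SELECT 1,2,3-- '",
    "2025-10-14T10:02:41Z\t12 Query\tSELECT table_name FROM information_schema.tables",
]


def suspicious_params(query):
    """Return {name: decoded value} for query-string parameters that match an SQL pattern."""
    hits = {}
    for name, value in parse_qsl(query, keep_blank_values=True):  # parse_qsl percent-decodes
        if any(p.search(value) for p in SQL_PATTERNS):
            hits[name] = value
    return hits


def scan_access_log(lines):
    """Flag admin-interface requests carrying SQL syntax in their parameters."""
    findings = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.startswith("/admin/"):
            continue
        hits = suspicious_params(parts.query)
        if hits:
            findings.append({"ip": m["ip"], "user": m["user"], "path": parts.path,
                             "status": int(m["status"]), "params": hits})
    return findings


def hits_per_user(findings):
    """Count flagged requests per authenticated user to surface the high-volume accounts."""
    return Counter(f["user"] for f in findings)


def scan_query_log(lines):
    """Flag general-log statements with UNION SELECT, tautologies, SLEEP or INFORMATION_SCHEMA."""
    return [line.strip() for line in lines if any(p.search(line) for p in KEYWORD_PATTERNS)]


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f)
    print(hits_per_user(scan_access_log(SAMPLE_ACCESS_LOG)))
    for q in scan_query_log(SAMPLE_QUERY_LOG):
        print(q)
```

POST bodies are not in the access log, so for the POST case the same `suspicious_params` check has to run on a request-body capture (for example from a reverse proxy or WAF log) rather than on these lines; the 500 status on the third sample line is the "database error" indicator from the list above and is worth alerting on in its own right.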
Monitoring Recommendations
- Forward FreePBX Apache and database logs to a centralized log platform and alert on SQL keywords appearing in Endpoint Manager request parameters.
- Monitor for new or modified admin accounts and changes to the ampusers table immediately after Endpoint Manager activity.
- Track outbound connections from the FreePBX host that could indicate post-exploitation data exfiltration.
How to Mitigate CVE-2025-61675
Immediate Actions Required
- Upgrade the Endpoint Manager module to 16.0.92 on FreePBX 16 or 17.0.6 on FreePBX 17 without delay.
- Audit all FreePBX administrative and operator accounts and rotate credentials for any account whose username may be known externally.
- Review database contents for unauthorized changes to extensions, device assignments, and stored credentials.
Patch Information
The FreePBX project released fixed versions of the Endpoint Manager module: version 16.0.92 for FreePBX 16 and version 17.0.6 for FreePBX 17. Apply the update through the FreePBX Module Admin interface or fwconsole ma upgrade endpoint. Detailed patch information is available in the FreePBX GitHub Security Advisory GHSA-292p-rj6h-54cp.
Workarounds
- Restrict network access to the FreePBX administrative interface using firewall rules or a VPN to limit exposure to trusted operators.
- Disable the Endpoint Manager module if device provisioning is not in active use until the upgrade can be applied.
- Enforce strong, unique passwords and multi-factor authentication on all FreePBX administrative accounts to reduce the value of guessed usernames.
# Upgrade the Endpoint Manager module via fwconsole
fwconsole ma downloadinstall endpoint
fwconsole ma upgrade endpoint
fwconsole reload
# Verify installed version (expect 16.0.92+ on FreePBX 16 or 17.0.6+ on FreePBX 17)
fwconsole ma list | grep endpoint
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.