Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-61675

CVE-2025-61675: FreePBX Endpoint Manager SQLi Vulnerability

CVE-2025-61675 is an authenticated SQL injection vulnerability in FreePBX Endpoint Manager that enables attackers to execute arbitrary SQL queries. This article covers technical details, affected versions, and mitigation steps.

Published:

CVE-2025-61675 Overview

CVE-2025-61675 is an authenticated SQL injection vulnerability [CWE-89] in the FreePBX Endpoint Manager module. The flaw affects FreePBX 16 versions prior to 16.0.92 and FreePBX 17 versions prior to 17.0.6. Attackers with valid credentials can inject arbitrary SQL through multiple parameters in the basestation, model, firmware, and custom extension configuration features. Successful exploitation allows execution of arbitrary SQL queries against the underlying database, exposing sensitive configuration data or permitting unauthorized modification of database records.

Critical Impact

Authenticated attackers with a known username can read or modify the FreePBX database, compromising telephony configuration, extension data, and credentials stored within Endpoint Manager.

Affected Products

  • FreePBX 16 Endpoint Manager module versions prior to 16.0.92
  • FreePBX 17 Endpoint Manager module versions prior to 17.0.6
  • FreePBX systems with Endpoint Manager enabled for telephony device provisioning

Discovery Timeline

  • 2025-10-14 - CVE-2025-61675 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-61675

Vulnerability Analysis

The Endpoint Manager module in FreePBX handles provisioning of VoIP devices, including base stations, phone models, firmware assignments, and custom extension configuration. The module accepts user-supplied parameters across these workflows and incorporates them into SQL statements without adequate sanitization or parameterized binding. An authenticated user who knows a valid username can manipulate these parameters to alter query semantics. The vulnerability falls under [CWE-89] Improper Neutralization of Special Elements used in an SQL Command. The EPSS score of 5.373% (90.2 percentile) indicates above-average exploitation likelihood relative to other published CVEs.

Root Cause

The root cause is the direct concatenation of untrusted input into SQL queries within the basestation, model, firmware, and custom extension code paths. Input parameters are not bound through prepared statements, and validation routines do not enforce a strict allowlist. As a result, characters such as single quotes, semicolons, and SQL keywords pass through to the database driver intact.

Attack Vector

The attack vector is network-based and requires authentication with a known username. An attacker who has obtained or guessed credentials submits crafted HTTP requests to the Endpoint Manager interface. The malicious parameter values modify the executing SQL, enabling data exfiltration through UNION-based or blind injection techniques and arbitrary updates through stacked queries where the driver permits them. No user interaction is required beyond the authenticated session. Refer to the FreePBX GitHub Security Advisory for vendor-supplied technical detail.

Detection Methods for CVE-2025-61675

Indicators of Compromise

  • HTTP POST or GET requests to Endpoint Manager endpoints containing SQL metacharacters such as ', --, UNION SELECT, or OR 1=1 in basestation, model, firmware, or extension parameters.
  • Database error messages or anomalously large response sizes returned from /admin/config.php or Endpoint Manager AJAX handlers.
  • Unexpected modifications to Endpoint Manager tables, particularly rows touching device provisioning, firmware mappings, or extension configuration.

Detection Strategies

  • Review FreePBX web server access logs for authenticated sessions issuing requests with SQL syntax in query string or POST body parameters.
  • Enable MySQL/MariaDB general query logging or the slow query log temporarily to identify queries with unusual UNION, SLEEP, or INFORMATION_SCHEMA references originating from the FreePBX application user.
  • Correlate Endpoint Manager activity with administrative login events to flag low-privilege accounts performing high-volume provisioning calls.

Monitoring Recommendations

  • Forward FreePBX Apache and database logs to a centralized log platform and alert on SQL keywords appearing in Endpoint Manager request parameters.
  • Monitor for new or modified admin accounts and changes to the ampusers table immediately after Endpoint Manager activity.
  • Track outbound connections from the FreePBX host that could indicate post-exploitation data exfiltration.

How to Mitigate CVE-2025-61675

Immediate Actions Required

  • Upgrade the Endpoint Manager module to 16.0.92 on FreePBX 16 or 17.0.6 on FreePBX 17 without delay.
  • Audit all FreePBX administrative and operator accounts and rotate credentials for any account whose username may be known externally.
  • Review database contents for unauthorized changes to extensions, device assignments, and stored credentials.

Patch Information

The FreePBX project released fixed versions of the Endpoint Manager module: version 16.0.92 for FreePBX 16 and version 17.0.6 for FreePBX 17. Apply the update through the FreePBX Module Admin interface or fwconsole ma upgrade endpoint. Detailed patch information is available in the FreePBX GitHub Security Advisory GHSA-292p-rj6h-54cp.

Workarounds

  • Restrict network access to the FreePBX administrative interface using firewall rules or a VPN to limit exposure to trusted operators.
  • Disable the Endpoint Manager module if device provisioning is not in active use until the upgrade can be applied.
  • Enforce strong, unique passwords and multi-factor authentication on all FreePBX administrative accounts to reduce the value of guessed usernames.
bash
# Upgrade the Endpoint Manager module via fwconsole
fwconsole ma downloadinstall endpoint
fwconsole ma upgrade endpoint
fwconsole reload

# Verify installed version (expect 16.0.92+ on FreePBX 16 or 17.0.6+ on FreePBX 17)
fwconsole ma list | grep endpoint

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.