FreePBX Affected by Authentication Bypass Leading to SQL Injection and...

10 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Description

FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data allowing unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution. This issue has been patched in endpoint versions 15.0.66, 16.0.89, and 17.0.3.

Basic Information

ID CVE-2025-57819

Source GitHub_M

Published Aug 28, 2025 at 16:45

Modified Aug 28, 2025 at 17:15

Affected Product

Vendor FreePBX

Product security-reporting

Version < 15.0.66

Affected Versions FreePBX security-reporting < 15.0.66
FreePBX security-reporting < 16.0.89
FreePBX security-reporting < 17.0.3

CWE Classification

CWE-89 CWE-288

References

{
    "lastseen": "",
    "description": "FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data allowing unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution. This issue has been patched in endpoint versions 15.0.66, 16.0.89, and 17.0.3.",
    "published": "2025-08-28T16:45:18.749Z",
    "modified": "2025-08-28T17:15:36.037Z",
    "type": "cve",
    "title": "FreePBX Affected by Authentication Bypass Leading to SQL Injection and RCE",
    "source": "GitHub_M",
    "references": "https://github.com/FreePBX/security-reporting/security/advisories/GHSA-m42g-xg4c-5f3h\nhttps://community.freepbx.org/t/security-advisory-please-lock-down-your-administrator-access/107203",
    "id": "CVE-2025-57819",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89",
        "CWE-288"
    ],
    "cvelist": null,
    "sourceData": "FreePBX security-reporting < 15.0.66\nFreePBX security-reporting < 16.0.89\nFreePBX security-reporting < 17.0.3",
    "sourceHref": "",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "security-reporting",
    "version": "< 15.0.66",
    "vendor": "FreePBX",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

FreePBX Affected by Authentication Bypass Leading to SQL Injection and RCE_CVE-2025-57819