FreePBX · FreePBX · CVE-2025-57819
**Name of the Vulnerable Software and Affected Versions**
FreePBX 15 with the "endpoint" module at versions prior to 15.0.66
FreePBX 16 with the "endpoint" module at versions prior to 16.0.89
FreePBX 17 with the "endpoint" module at versions prior to 17.0.3
**Description**
FreePBX is an open-source, web-based graphical user interface for managing Asterisk PBX deployments. A critical issue in the "endpoint" module allows an unauthenticated attacker to reach functionality that should require an authenticated administrator: user-supplied data is insufficiently sanitized before it is used in database queries, so the attacker can inject SQL. That gives arbitrary manipulation of the FreePBX database (for example, of administrator accounts) and, from there, remote code execution on the PBX host. The issue has been reported as actively exploited in the wild.
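As an added illustration, not code from FreePBX or from this advisory, the pattern behind this bug class: a login query that splices request parameters into the SQL text, next to the parameterised form that fixes it. The table, the account and the payload are constructed for the demonstration, and the snippet does not claim to reproduce the actual vulnerable code in the endpoint module.

```python
import sqlite3


def make_db():
    """Constructed in-memory admin table standing in for a web app's user store."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admins (username TEXT, password_hash TEXT)")
    con.execute("INSERT INTO admins VALUES ('admin', 'hash-of-a-strong-secret')")
    return con


def login_vulnerable(con, username, password_hash):
    """Anti-pattern: request parameters are spliced into the statement text,
    so SQL metacharacters in them change the meaning of the query."""
    sql = (f"SELECT username FROM admins WHERE username = '{username}' "
           f"AND password_hash = '{password_hash}'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(con, username, password_hash):
    """Parameterised query: the driver binds the values separately from the SQL
    text, so the same input is compared literally and cannot alter the statement."""
    sql = "SELECT username FROM admins WHERE username = ? AND password_hash = ?"
    row = con.execute(sql, (username, password_hash)).fetchone()
    return row[0] if row else None


# Hypothetical payload: closes the username literal and comments out the rest
# of the line, so the WHERE clause degenerates to  username = 'admin'  and the
# password check never runs.
BYPASS_USERNAME = "admin' --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, BYPASS_USERNAME, "not-the-hash"))
    print("hardened:  ", login_hardened(db, BYPASS_USERNAME, "not-the-hash"))
```

The vulnerable function returns `admin` for the payload with any password value; the hardened one returns nothing for the same input and only succeeds when both bound values match a stored row.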
**Recommendations**
Update the "endpoint" module to version 15.0.66 on FreePBX 15.
Update the "endpoint" module to version 16.0.89 on FreePBX 16.
Update the "endpoint" module to version 17.0.3 on FreePBX 17.
As a temporary workaround until the update is applied, restrict access to the "endpoint" module, for example by limiting the FreePBX administrator web interface to trusted networks. Because exploitation has been reported in the wild, systems that were exposed before patching should also be checked for unexpected administrator accounts and other database changes.
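An added triage helper, not part of the advisory or of the FreePBX project, that maps an installed endpoint module version to the fixed release for its FreePBX branch and lists the hosts that still need the update. It assumes the version string is taken from the module listing on each host (for example the Version column printed by `fwconsole ma list`); the sample fleet below is constructed data.

```python
# Fixed endpoint-module releases per FreePBX major branch, from the advisory.
FIXED_VERSIONS = {
    15: (15, 0, 66),
    16: (16, 0, 89),
    17: (17, 0, 3),
}


def parse_version(text):
    """Turn '16.0.88' (or a longer form such as '17.0.2.1') into a tuple of ints."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version):
    """True if the module is older than the fixed release for its branch,
    False if it is at or beyond the fix, None if the branch is not covered
    by the advisory (so the caller can flag it for manual review)."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return None
    # Tuple comparison is lexicographic, so 17.0.2.1 < 17.0.3 and 16.0.89.1 >= 16.0.89.
    return v < fixed


def triage(hosts):
    """hosts: {hostname: endpoint module version}. Returns hosts needing the update."""
    return sorted(host for host, ver in hosts.items() if is_affected(ver))


def unknown_branch(hosts):
    """Hosts whose branch the advisory does not list; review these by hand."""
    return sorted(host for host, ver in hosts.items() if is_affected(ver) is None)


SAMPLE_FLEET = {  # constructed sample data, not real hosts
    "pbx-a": "16.0.88",
    "pbx-b": "16.0.89",
    "pbx-c": "17.0.2.1",
    "pbx-d": "17.0.3",
    "pbx-e": "15.0.66",
    "pbx-f": "14.0.12",
}


if __name__ == "__main__":
    print("needs update:", triage(SAMPLE_FLEET))
    print("not covered: ", unknown_branch(SAMPLE_FLEET))
```

Hosts on a branch the advisory does not mention are reported separately rather than silently treated as safe.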