PT-2025-35106 · FreePBX · FreePBX
Matthewljensen · Published 2025-08-28 · Updated 2026-06-13 · CVE-2025-57819
CVSS v4.0: 10 (Critical)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
Name of the Vulnerable Software and Affected Versions
FreePBX versions prior to 15.0.66
FreePBX versions prior to 16.0.89
FreePBX versions prior to 17.0.3
Description
FreePBX is an open-source, web-based graphical user interface. A critical issue exists in the "endpoint" module: insufficiently sanitized user-supplied data allows unauthenticated attackers to bypass authentication controls. The same flaw enables SQL injection (manipulation of the application's database queries), leading to arbitrary database manipulation and remote code execution with SYSTEM-level privileges. This issue is reported to be actively exploited in the wild.
Recommendations
Update to version 15.0.66 for FreePBX 15.
Update to version 16.0.89 for FreePBX 16.
Update to version 17.0.3 for FreePBX 17.
As a temporary workaround, restrict access to the "endpoint" module to minimize the risk of exploitation.
Tags: RCE · Authentication Bypass Using an Alternate Path or Channel · SQL injection
Affected Products: FreePBX