PT-2025-42186 · Unknown · Freepbx Endpoint Manager

Published 2025-10-14 · Updated 2025-10-14 · CVE-2025-61678

CVSS v4.0: 8.6
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions

FreePBX Endpoint Manager versions prior to 16.0.92
FreePBX Endpoint Manager versions prior to 17.0.6

Description

The FreePBX Endpoint Manager module contains an authenticated arbitrary file upload issue. The fwbrand parameter is susceptible to manipulation, allowing an attacker to modify the file path. This, combined with the file upload capability, can lead to the upload of a webshell. Exploitation requires authentication with a known username. Successful exploitation allows authenticated users to upload arbitrary files to attacker-controlled paths on the server, potentially resulting in remote code execution. The vulnerable parameter is fwbrand.

Recommendations

Update to FreePBX Endpoint Manager version 16.0.92 or later.
Update to FreePBX Endpoint Manager version 17.0.6 or later.
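The root cause described above is a request parameter (fwbrand) flowing into a filesystem path that an upload is then written to. The following is an added example, not code from FreePBX or the Endpoint Manager module, showing the defensive pattern that closes this class of bug: treat the brand value as an allow-listed token rather than a path fragment, and confirm the resolved destination stays inside the intended base directory. The base directory, the allow-list and the function name safeBrandDir are all assumptions for illustration.

```php
<?php
// Added example (not FreePBX code): validate a brand identifier before it
// is used to build a firmware directory path, so that a crafted value
// cannot redirect an upload elsewhere on the filesystem.

/**
 * Return the canonical destination directory for $brand, or null if the
 * value is not an allow-listed brand name or would resolve outside $base.
 *
 * @param string   $brand         user-supplied brand identifier
 * @param string[] $allowedBrands brands the application actually supports
 * @param string   $base          directory that must contain the result
 */
function safeBrandDir(string $brand, array $allowedBrands, string $base): ?string
{
    // 1. Syntactic allow-list: a brand is a short token, never a path.
    //    This rejects separators, dots, NUL bytes and anything else that
    //    could be interpreted by the filesystem.
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $brand)) {
        return null;
    }

    // 2. Semantic allow-list: only brands the application knows about.
    if (!in_array($brand, $allowedBrands, true)) {
        return null;
    }

    // 3. Containment check on the resolved path, as defence in depth
    //    should the checks above ever be loosened.
    $realBase = realpath($base);
    if ($realBase === false || !is_dir($realBase)) {
        return null;
    }
    $candidate = $realBase . DIRECTORY_SEPARATOR . $brand;

    // realpath() returns false for a directory that does not exist yet;
    // in that case $candidate is already a direct child of $realBase by
    // construction, so it is safe to use as-is.
    $resolved = realpath($candidate);
    $final = ($resolved === false) ? $candidate : $resolved;

    if (strpos($final, $realBase . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $final;
}

// Constructed inputs illustrating accepted and rejected values. The base
// directory is the system temp dir so the example runs on any host.
$base    = sys_get_temp_dir();
$allowed = ['brandA', 'brandB'];

var_dump(safeBrandDir('brandA', $allowed, $base));      // string: <base>/brandA
var_dump(safeBrandDir('../../html', $allowed, $base));  // NULL: fails token check
var_dump(safeBrandDir("brandA\0x", $allowed, $base));   // NULL: fails token check
var_dump(safeBrandDir('brandZ', $allowed, $base));      // NULL: not allow-listed
```

The three checks are deliberately redundant. The regular expression alone already prevents traversal, but keeping the allow-list and the realpath containment check means a later change to the accepted character set does not silently reopen the issue. The uploaded file itself still needs its own controls (type and extension restrictions, a fixed server-chosen filename), which are independent of the path validation shown here.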

Fix

Weakness Enumeration

Unrestricted File Upload

Related Identifiers

CVE-2025-61678

Affected Products

Freepbx Endpoint Manager