PT-2025-42186 · Unknown · Freepbx Endpoint Manager
Published 2025-10-14 · Updated 2026-01-31 · CVE-2025-61678
CVSS v4.0: 8.6 (High)
| Vector | AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
FreePBX Endpoint Manager versions prior to 16.0.92
FreePBX Endpoint Manager versions prior to 17.0.6
Description
The FreePBX Endpoint Manager module contains an authenticated arbitrary file upload issue. The fwbrand parameter is used when building the destination path of an uploaded file, and an attacker who controls it can alter that path, potentially placing a webshell on the server. Exploitation requires authentication with a known username; the CVSS vector rates the required privileges as high (PR:H). Successful exploitation allows an authenticated user to write arbitrary files to attacker-controlled paths on the server, which could result in remote code execution.
Recommendations
FreePBX Endpoint Manager versions prior to 16.0.92 should be updated to version 16.0.92 or later.
FreePBX Endpoint Manager versions prior to 17.0.6 should be updated to version 17.0.6 or later.
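The path-manipulation pattern the description refers to, shown as an added illustration that is not FreePBX's own code and not the Endpoint Manager's actual implementation: a hypothetical upload handler builds the destination path from a user-supplied brand value, first naively and then with the checks a hardened handler would apply. The directory layout (FIRMWARE_BASE), the function names and the exact way the brand value is joined into the path are assumptions made for this example; the page does not show the real module's code.

```python
import os
import re

# Constructed, hypothetical layout for illustration only: the real module's
# directory structure and path construction are not shown on the advisory page.
FIRMWARE_BASE = "/var/www/html/admin/modules/endpoint/firmware"

# One path component: letters, digits, underscore, hyphen. No '/' and no '.',
# so neither '..' nor a hidden-file name can match.
SAFE_COMPONENT = re.compile(r"[A-Za-z0-9_-]{1,64}")
# A filename may carry an extension but must not start with '.' and must not
# contain a separator, so it is still a single component.
SAFE_FILENAME = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9_.-]{0,127}")


def vulnerable_target_path(fwbrand: str, filename: str) -> str:
    """Naive handler: trusts fwbrand as a directory name under FIRMWARE_BASE.
    A value containing '../' walks out of the base directory."""
    return os.path.normpath(os.path.join(FIRMWARE_BASE, fwbrand, filename))


def is_inside_base(path: str, base: str = FIRMWARE_BASE) -> bool:
    """True only if path is the base directory itself or strictly below it."""
    base = os.path.normpath(base)
    path = os.path.normpath(path)
    return os.path.commonpath([base, path]) == base


def hardened_target_path(fwbrand: str, filename: str) -> str:
    """Allow-list both components, then confirm the resolved path is still
    inside FIRMWARE_BASE (defence in depth if the allow-list ever loosens)."""
    if not SAFE_COMPONENT.fullmatch(fwbrand):
        raise ValueError(f"rejected fwbrand {fwbrand!r}")
    if not SAFE_FILENAME.fullmatch(filename):
        raise ValueError(f"rejected filename {filename!r}")
    target = os.path.normpath(os.path.join(FIRMWARE_BASE, fwbrand, filename))
    if not is_inside_base(target):
        raise ValueError(f"path escapes base directory: {target}")
    return target


def upload_allowed(fwbrand: str, filename: str) -> bool:
    """Convenience wrapper: does the hardened handler accept this request?"""
    try:
        hardened_target_path(fwbrand, filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a benign brand name and a traversal payload.
    print(vulnerable_target_path("acme", "fw.bin"))
    print(vulnerable_target_path("../../../..", "shell.php"))  # lands outside FIRMWARE_BASE
    print(hardened_target_path("acme", "fw.bin"))
    print(upload_allowed("../../../..", "shell.php"))          # False
```

Confining the path is the fix for the traversal itself; whether a file written inside the base directory can still be executed is a separate control (an extension allow-list and a non-executable, non-web-served upload directory), which this example does not address.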
Fix
RCE
Unrestricted File Upload
Affected Products
Freepbx Endpoint Manager