PT-2025-50274 · Freepbx · Freepbx Endpoint Manager

Published: 2025-12-09 · Updated: 2026-04-01 · CVE-2025-66039
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: FreePBX Endpoint Manager versions 16.0.0 through 16.0.43 and 17.0.0 through 17.0.22.
Description: FreePBX Endpoint Manager is susceptible to an authentication bypass when the authentication type is configured to 'webserver'. An attacker can forge an Authorization header with a valid username and any password, gaining unauthorized access. The system incorrectly verifies incoming requests when the 'webserver' authentication type is selected, blindly trusting the Authorization: Basic header. This allows an attacker to associate a session with a target user without valid credentials. Exploitation can lead to SQL injection and remote code execution when chained with other flaws.
Recommendations: Update the Endpoint Manager module to version 16.0.44 or 17.0.23 or later. As a temporary measure, disable the 'webserver' authentication type if it is not required.
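The flaw the description points at, as an added illustration written in Python (not FreePBX's own code, which is PHP): a 'webserver'-mode handler that parses the client's Authorization header itself accepts any password, while one that only honours the identity the web server exposes after it has verified the credentials does not. The WSGI-style environ keys and the sample request are assumptions constructed for this example.

```python
import base64
from typing import Optional


def parse_basic_username(header: Optional[str]) -> Optional[str]:
    """Return the user name carried in an 'Authorization: Basic' header, or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep else None


def vulnerable_resolve_user(environ: dict) -> Optional[str]:
    # Flawed pattern: the application reads the client-supplied header itself and
    # treats the user name in it as authenticated. The password is never checked,
    # so any client that knows a valid user name is accepted.
    return parse_basic_username(environ.get("HTTP_AUTHORIZATION"))


def hardened_resolve_user(environ: dict) -> Optional[str]:
    # Corrected pattern for 'webserver' mode: the web server performs the
    # authentication and publishes the verified identity in REMOTE_USER (assumed
    # key, as set by Apache only after a successful check). The raw Authorization
    # header is ignored entirely, so a forged header yields no user at all.
    user = environ.get("REMOTE_USER")
    return user if user else None


# Constructed sample request: a valid user name paired with a made-up password.
FORGED_ENVIRON = {
    "HTTP_AUTHORIZATION": "Basic "
    + base64.b64encode(b"admin:not-the-password").decode("ascii"),
}

if __name__ == "__main__":
    print("vulnerable:", vulnerable_resolve_user(FORGED_ENVIRON))  # admin
    print("hardened:  ", hardened_resolve_user(FORGED_ENVIRON))    # None
```

Under Apache, REMOTE_USER is only populated once mod_auth has accepted the credentials, which is why it can be trusted where the raw header cannot.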

Tags: Exploit · Fix · RCE

Weakness Enumeration: Improper Authentication

Related Identifiers: BDU:2025-15989, CVE-2025-66039, GHSA-9JVH-MV6X-W698

Affected Products: Freepbx Endpoint Manager