PT-2025-50554 · Freepbx · Freepbx Endpoint Manager
Published: 2025-12-10 · Updated: 2025-12-11
CVE-2025-67513
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
FreePBX Endpoint Manager versions prior to 16.0.96
FreePBX Endpoint Manager versions 17.0.1 through 17.0.9
Description
The FreePBX Endpoint Manager module has a weak default password. The default password is a 6-digit numeric value that can be brute-forced. This app password parameter could potentially grant access to the extension, voicemail, user manager, DPMA, or EPM phone admin passwords, depending on the system configuration.
Recommendations
Update to FreePBX Endpoint Manager version 16.0.96 or later.
Update to FreePBX Endpoint Manager version 17.0.10 or later.
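To triage a fleet against the ranges above, the following added example (not part of the advisory or of FreePBX) maps each installed Endpoint Manager version to the fixed release it needs. The host names, the inventory format and the sample versions are constructed assumptions; versions the advisory does not list, such as 17.0.0, are reported as not affected.

```python
import re

# Affected ranges from the advisory text, as (lowest affected, first fixed).
# A lower bound of None means "every version prior to the fixed one".
RANGES = [
    (None, (16, 0, 96)),        # versions prior to 16.0.96
    ((17, 0, 1), (17, 0, 10)),  # versions 17.0.1 through 17.0.9
]


def parse_version(text):
    """Turn a dotted numeric version such as '16.0.95' into a comparable tuple."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def fixed_version_for(version):
    """Return the fixed release to update to, or None if the version is not affected."""
    v = parse_version(version)
    for low, fixed in RANGES:
        # Upper bound is exclusive, so extra components (16.0.95.2) stay affected.
        if (low is None or v >= low) and v < fixed:
            return ".".join(str(n) for n in fixed)
    return None


def triage(inventory):
    """Map host -> action for a {host: installed module version} inventory."""
    report = {}
    for host, version in inventory.items():
        try:
            fix = fixed_version_for(version)
            report[host] = f"update to {fix} or later" if fix else "not affected"
        except ValueError:
            # Never report an unreadable version as safe.
            report[host] = "check manually"
    return report


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "pbx-a": "16.0.95", "pbx-b": "16.0.96", "pbx-c": "17.0.4",
    "pbx-d": "17.0.10", "pbx-e": "15.0.40", "pbx-f": "unknown",
}

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
```
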
Affected Products
Freepbx Endpoint Manager