
FreePBX CVE-2025-57819

Severity: CRITICAL (CVSS 4.0 base score 10.0)
Weakness: SQL Injection (CWE-89)
Published: 2025-08-28 (source: security-advisories@github.com)

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None
User Interaction: None
Vulnerable System Impact (Confidentiality / Integrity / Availability): High / High / High
Subsequent System Impact (Confidentiality / Integrity / Availability): High / High / High
Scope: X (not defined; CVSS 4.0 has no Scope metric and instead scores subsequent-system impact via SC/SI/SA)

Lifecycle Timeline

Analysis Generated: Mar 28, 2026 - 19:09 (vuln.today)
Added to CISA KEV: Oct 24, 2025 - 13:58 (cisa)
PoC Detected (public exploit code): Oct 24, 2025 - 13:58 (vuln.today)
CVE Published: Aug 28, 2025 - 17:15 (nvd), rated CRITICAL 10.0

Description (NVD)

FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data allowing unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution. This issue has been patched in endpoint versions 15.0.66, 16.0.89, and 17.0.3.

Analysis (AI-generated)

FreePBX 15, 16, and 17 contain a SQL injection vulnerability that lets an unauthenticated network attacker reach the FreePBX Administrator interface, manipulate the underlying database, and ultimately achieve remote code execution.

Technical Context (AI-generated)

The flaw is a CWE-89 SQL injection: user-supplied data reaches a database query without sufficient sanitization, giving an unauthenticated requester control over database contents. Because FreePBX stores administrator accounts and system configuration in that database, the injection can be used to create an admin account or alter configuration, which is the path from database manipulation to remote code execution.

Remediation (AI-generated)

Apply the FreePBX patches: the fixed endpoint module versions are 15.0.66, 16.0.89, and 17.0.3. Restrict network access to the web administration interface so it is not reachable from untrusted networks. Audit call records and administrator accounts for unauthorized access. Because public exploit code exists and the CVE is listed in CISA KEV, prioritise internet-exposed instances and treat any that remained unpatched as potentially compromised.

CVE-2025-57819 vulnerability details – vuln.today
