CVE-2025-57819

Severity: CRITICAL (CVSS 4.0 base score 10.0)
Published: 2025-08-28 by [email protected]

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

Analysis Generated: Mar 28, 2026 19:09 (vuln.today)
Added to CISA KEV: Oct 24, 2025 13:58 (cisa)
PoC Detected (public exploit code): Oct 24, 2025 13:58 (vuln.today)
CVE Published: Aug 28, 2025 17:15 (nvd), rated CRITICAL 10.0

Description

FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data allowing unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution. This issue has been patched in endpoint versions 15.0.66, 16.0.89, and 17.0.3.

Analysis

FreePBX 15, 16, and 17 contain SQL injection vulnerabilities enabling unauthenticated access to the administrator interface, leading to database manipulation and remote code execution.

Technical Context

The weakness is CWE-89 (SQL injection): insufficiently sanitized user input gives an unauthenticated attacker access to the database. That database access can be used to create administrator accounts and alter configuration, which leads to remote code execution.

Affected Products

FreePBX 15
FreePBX 16
FreePBX 17

Remediation

Apply the FreePBX patches (endpoint versions 15.0.66, 16.0.89, and 17.0.3). Restrict access to the web administration interface. Audit call records for unauthorized access.

Priority Score

188 (scale: Low / Medium / High / Critical)
KEV: +50
EPSS: +68.5
CVSS: +50
POC: +20


CVE-2025-57819 vulnerability details – vuln.today
