Patches FreePBX Critical SQLi, File-Upload, and AUTHTYPE Bypass Flaws Enabling RCE

Several security flaws have been discovered in the open source private branch exchange (PBX) platform FreePBX, including a serious one that can lead to an authentication bypass in some configurations.



The flaws, discovered by Horizon3.ai and reported to the project maintainers on 15 September 2025, are listed below.



• CVE-2025-61678 (CVSS score: 8.6) - An authenticated arbitrary file upload vulnerability that allows an attacker who has obtained a valid PHPSESSID to abuse the firmware upload endpoint to upload a PHP web shell and run arbitrary commands, leaking the contents of sensitive files (e.g., "/etc/passwd").



• CVE-2025-61675 (CVSS score: 8.6) - Multiple authenticated SQL injection vulnerabilities affecting four unique endpoints (basestation, model, firmware, and custom extension) and 11 parameters, giving read and write access to the underlying SQL database.



• CVE-2025-66039 (CVSS score: 9.3) - An authentication bypass vulnerability that occurs when the "Authorization Type" (aka AUTHTYPE) is set to "webserver", allowing an attacker to log in to the administrator control panel by means of a forged Authorization header.



It is worth noting that FreePBX's default configuration is not affected by the authentication bypass, because the "Authorization Type" option only appears when all three of the following values are set to "Yes" under Advanced Settings:



1. Display Friendly Name


2. Display Readonly Settings, and


3. Override Readonly Settings



"These vulnerabilities are easy to exploit and allow authenticated/unauthenticated remote attackers to achieve remote code execution on vulnerable FreePBX instances," Horizon3.ai security researcher Noah King said in a report published last week.

The issues have been fixed in the following versions -


CVE-2025-61675 and CVE-2025-61678 - 16.0.92 and 17.0.6 (fixed on 14 October 2025)


CVE-2025-66039 - 16.0.44 and 17.0.23 (fixed on 9 December 2025)


In addition, the option to choose the authentication provider has been removed from Advanced Settings; users who need it must now set it manually from the command line using fwconsole. As a temporary workaround, FreePBX has advised users to set "Authentication Type" to "usermanager", set "Override Readonly Settings" to "No", apply the new configuration, and reboot the system to disconnect any bad sessions.
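The following is an added example and not code from the article, from Horizon3.ai, or from the FreePBX project. It turns the facts above (the fixed versions per release line and the AUTHTYPE value the article says exposes CVE-2025-66039) into a small posture check an operator can run against their own inventory. It assumes the version string handed to it is the one the fixed-version numbers refer to, and that the operator reads AUTHTYPE and "Override Readonly Settings" from their own system; the sample values at the bottom are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Fixed versions exactly as the article lists them, keyed by major release line.
FIXED_VERSIONS: Dict[str, Dict[int, str]] = {
    "CVE-2025-61675": {16: "16.0.92", 17: "17.0.6"},
    "CVE-2025-61678": {16: "16.0.92", 17: "17.0.6"},
    "CVE-2025-66039": {16: "16.0.44", 17: "17.0.23"},
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '16.0.92' into (16, 0, 92); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_fixed(installed: str, cve: str) -> Optional[bool]:
    """True if installed >= the fixed version for its release line, False if below,
    None if the release line (e.g. 15.x) is not covered by the article's list."""
    inst = parse_version(installed)
    fixed = FIXED_VERSIONS[cve].get(inst[0])
    if fixed is None:
        return None
    return inst >= parse_version(fixed)


@dataclass
class Finding:
    cve: str
    kind: str    # "unpatched", "unknown_line", "exposed_config", "hardening"
    detail: str


def assess(installed: str, authtype: str, override_readonly: bool) -> List[Finding]:
    """Combine the version check with the configuration conditions from the article."""
    findings: List[Finding] = []
    line = parse_version(installed)[0]

    for cve, per_line in FIXED_VERSIONS.items():
        state = is_fixed(installed, cve)
        if state is False:
            findings.append(Finding(cve, "unpatched",
                                    f"{installed} is below fixed version {per_line[line]}"))
        elif state is None:
            findings.append(Finding(cve, "unknown_line",
                                    f"release line {line}.x not in the fixed-version list"))

    # The bypass needs AUTHTYPE=webserver; the advised workaround is "usermanager".
    if authtype.strip().lower() == "webserver":
        findings.append(Finding("CVE-2025-66039", "exposed_config",
                                "AUTHTYPE is 'webserver'; set it to 'usermanager'"))

    # The option only becomes reachable with Override Readonly Settings = Yes,
    # and the workaround sets it back to No.
    if override_readonly:
        findings.append(Finding("CVE-2025-66039", "hardening",
                                "Override Readonly Settings is Yes; set it to No"))
    return findings


if __name__ == "__main__":
    # Constructed sample host: 17.0.6 carries the October fixes but not the
    # December one, and still uses the webserver authentication type.
    for f in assess("17.0.6", "webserver", True):
        print(f"{f.cve:15} {f.kind:15} {f.detail}")
```

The check is deliberately conservative: a release line the article does not mention is reported as unknown rather than silently treated as safe, and the configuration findings are emitted even on a patched host, because the article's workaround is the defensive setting regardless of version.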