FreePBX up to 15.0.37/16.0.40/17.0.20 Administrator Control Panel Web Interface path traversal

Summaryinfo

A vulnerability was found in FreePBX up to 15.0.37/16.0.40/17.0.20. It has been classified as critical. Impacted is an unknown function of the component Administrator Control Panel Web Interface. The manipulation leads to path traversal. This vulnerability is traded as CVE-2025-59056. It is possible to initiate the attack remotely. There is no exploit available. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability was found in FreePBX up to 15.0.37/16.0.40/17.0.20 and classified as problematic. This issue affects an unknown code block of the component Administrator Control Panel Web Interface. The manipulation with an unknown input leads to a path traversal vulnerability. Using CWE to declare the problem leads to CWE-22. The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Impacted is integrity, and availability. The summary by CVE is:

FreePBX is an open-source web-based graphical user interface. In FreePBX 15, 16, and 17, malicious connections to the Administrator Control Panel web interface can cause the uninstall function to be triggered for certain modules. This function drops the module's database tables, which is where most modules store their configuration. This vulnerability is fixed in 15.0.38, 16.0.41, and 17.0.21.

The advisory is shared at github.com. The identification of this vulnerability is CVE-2025-59056 since 09/08/2025. The exploitation is known to be easy. The attack may be initiated remotely. Additional levels of successful authentication are needed for exploitation. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1006 for this issue.

Upgrading to version 15.0.38, 16.0.41 or 17.0.21 eliminates this vulnerability.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Name

• FreePBX

Version

• 15.0.0
• 15.0.1
• 15.0.2
• 15.0.3
• 15.0.4
• 15.0.5
• 15.0.6
• 15.0.7
• 15.0.8
• 15.0.9
• 15.0.10
• 15.0.11
• 15.0.12
• 15.0.13
• 15.0.14
• 15.0.15
• 15.0.16
• 15.0.17
• 15.0.18
• 15.0.19
• 15.0.20
• 15.0.21
• 15.0.22
• 15.0.23
• 15.0.24
• 15.0.25
• 15.0.26
• 15.0.27
• 15.0.28
• 15.0.29
• 15.0.30
• 15.0.31
• 15.0.32
• 15.0.33
• 15.0.34
• 15.0.35
• 15.0.36
• 15.0.37
• 16.0.0
• 16.0.1
• 16.0.2
• 16.0.3
• 16.0.4
• 16.0.5
• 16.0.6
• 16.0.7
• 16.0.8
• 16.0.9
• 16.0.10
• 16.0.11
• 16.0.12
• 16.0.13
• 16.0.14
• 16.0.15
• 16.0.16
• 16.0.17
• 16.0.18
• 16.0.19
• 16.0.20
• 16.0.21
• 16.0.22
• 16.0.23
• 16.0.24
• 16.0.25
• 16.0.26
• 16.0.27
• 16.0.28
• 16.0.29
• 16.0.30
• 16.0.31
• 16.0.32
• 16.0.33
• 16.0.34
• 16.0.35
• 16.0.36
• 16.0.37
• 16.0.38
• 16.0.39
• 16.0.40
• 17.0.0
• 17.0.1
• 17.0.2
• 17.0.3
• 17.0.4
• 17.0.5
• 17.0.6
• 17.0.7
• 17.0.8
• 17.0.9
• 17.0.10
• 17.0.11
• 17.0.12
• 17.0.13
• 17.0.14
• 17.0.15
• 17.0.16
• 17.0.17
• 17.0.18
• 17.0.19
• 17.0.20

License

• open-source

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion