FreePBX Endpoint Manager up to 16.0.91/17.0.5 sql injection

Summaryinfo

A vulnerability marked as critical has been reported in FreePBX Endpoint Manager up to 16.0.91/17.0.5. Affected by this issue is some unknown functionality. This manipulation causes sql injection. The identification of this vulnerability is CVE-2025-61675. It is possible to initiate the attack remotely. There is no exploit available. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability has been found in FreePBX Endpoint Manager up to 16.0.91/17.0.5 and classified as critical. Affected by this vulnerability is an unknown code. The manipulation with an unknown input leads to a sql injection vulnerability. The CWE definition for the vulnerability is CWE-89. The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions prior to 16.0.92 for FreePBX 16 and versions prior to 17.0.6 for FreePBX 17, the Endpoint Manager module contains authenticated SQL injection vulnerabilities affecting multiple parameters in the basestation, model, firmware, and custom extension configuration functionality areas. Authentication with a known username is required to exploit these vulnerabilities. Successful exploitation allows authenticated users to execute arbitrary SQL queries against the database, potentially enabling access to sensitive data or modification of database contents. This issue has been patched in version 16.0.92 for FreePBX 16 and version 17.0.6 for FreePBX 17.

The advisory is shared at github.com. This vulnerability is known as CVE-2025-61675 since 09/29/2025. The exploitation appears to be easy. The attack can be launched remotely. Additional levels of successful authentication are needed for exploitation. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1505 for this issue.

Upgrading to version 16.0.92 or 17.0.6 eliminates this vulnerability.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Vendor

• FreePBX

Name

• Endpoint Manager

Version

• 16.0.0
• 16.0.1
• 16.0.2
• 16.0.3
• 16.0.4
• 16.0.5
• 16.0.6
• 16.0.7
• 16.0.8
• 16.0.9
• 16.0.10
• 16.0.11
• 16.0.12
• 16.0.13
• 16.0.14
• 16.0.15
• 16.0.16
• 16.0.17
• 16.0.18
• 16.0.19
• 16.0.20
• 16.0.21
• 16.0.22
• 16.0.23
• 16.0.24
• 16.0.25
• 16.0.26
• 16.0.27
• 16.0.28
• 16.0.29
• 16.0.30
• 16.0.31
• 16.0.32
• 16.0.33
• 16.0.34
• 16.0.35
• 16.0.36
• 16.0.37
• 16.0.38
• 16.0.39
• 16.0.40
• 16.0.41
• 16.0.42
• 16.0.43
• 16.0.44
• 16.0.45
• 16.0.46
• 16.0.47
• 16.0.48
• 16.0.49
• 16.0.50
• 16.0.51
• 16.0.52
• 16.0.53
• 16.0.54
• 16.0.55
• 16.0.56
• 16.0.57
• 16.0.58
• 16.0.59
• 16.0.60
• 16.0.61
• 16.0.62
• 16.0.63
• 16.0.64
• 16.0.65
• 16.0.66
• 16.0.67
• 16.0.68
• 16.0.69
• 16.0.70
• 16.0.71
• 16.0.72
• 16.0.73
• 16.0.74
• 16.0.75
• 16.0.76
• 16.0.77
• 16.0.78
• 16.0.79
• 16.0.80
• 16.0.81
• 16.0.82
• 16.0.83
• 16.0.84
• 16.0.85
• 16.0.86
• 16.0.87
• 16.0.88
• 16.0.89
• 16.0.90
• 16.0.91
• 17.0.0
• 17.0.1
• 17.0.2
• 17.0.3
• 17.0.4
• 17.0.5

License

• open-source

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion