CVE-2025-66039

9.8 CRITICAL

📋 TL;DR

FreePBX Endpoint Manager 16.x before 16.0.44 and 17.x before 17.0.23 contain an authentication bypass that applies when FreePBX is configured for webserver authentication. An attacker can send a request with an arbitrary Authorization header and be treated as any user, without holding valid credentials. Every FreePBX system running a vulnerable Endpoint Manager with webserver authentication enabled is affected; installs using another authorization type are not exposed to this issue.

💻 Affected Systems

Products:
  • FreePBX Endpoint Manager
Versions: 16.x before 16.0.44; 17.x before 17.0.23
Operating Systems: Any OS running FreePBX
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when FreePBX's authentication type is 'webserver' (Admin > Advanced Settings > Authorization Type, keyword AUTHTYPE). Installs using 'database' or 'usermanager' authentication are not affected by this issue.

📦 What is this software?

FreePBX is an open-source, web-based GUI for administering an Asterisk PBX. Endpoint Manager is the FreePBX module used to provision and manage IP phones and other SIP endpoints (device templates, firmware, phone-side settings). Because it controls what the phones are told to connect to, administrative access to it is administrative access to the voice estate.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the telephony environment: an attacker acting as an administrator can take over provisioned endpoints, intercept calls, modify configurations, and potentially pivot from the PBX to other systems on the network.

🟠 Likely Case

Unauthorized use of endpoint management functions to reconfigure phones, eavesdrop on communications, or disrupt telephony service.

🟢 If Mitigated

Limited impact where FreePBX uses an authorization type other than 'webserver', or where the web interface is reachable only from trusted networks.

🌐 Internet-Facing: HIGH - Systems exposed to the internet are directly exploitable without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A single HTTP request with an attacker-chosen Authorization header value is enough; no credentials, session, or prior foothold are needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 16.0.44 or 17.0.23

Vendor Advisory: https://github.com/FreePBX/security-reporting/security/advisories/GHSA-9jvh-mv6x-w698

Restart Required: Yes

Instructions:

1. Log into the FreePBX admin interface.
2. Go to Admin > Module Admin.
3. Click Check Online to fetch the current module list.
4. Upgrade Endpoint Manager to 16.0.44 (16.x) or 17.0.23 (17.x), or later.
5. Apply Config.
6. Restart affected services.

🔧 Temporary Workarounds

Disable webserver authentication

Platform: all

Change Authorization Type (Admin > Advanced Settings) from 'webserver' to 'database' or 'usermanager'. Before switching, confirm that at least one administrator account exists in the target backend (Admin > Administrators for 'database', User Management for 'usermanager'); otherwise the change locks you out of the GUI.

Network isolation

Platform: linux

Restrict access to the FreePBX web interface to trusted networks only

# Replace TRUSTED_NETWORK with the admin network in CIDR form (e.g. 10.20.0.0/24).
# -A appends: an earlier ACCEPT rule in INPUT would take precedence, so review
# `iptables -L INPUT -n --line-numbers` first. These rules are not persistent across
# reboots; save them, or use the FreePBX Firewall module's trusted-network zone instead.
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Change Authorization Type from 'webserver' to 'database' or 'usermanager' in Advanced Settings, after confirming an administrator account exists in that backend
  • Implement strict network access controls to limit exposure to the FreePBX web interface

🔍 How to Verify

Check if Vulnerable:

Check the installed Endpoint Manager version (Admin > Module Admin, or fwconsole as below) and whether Authorization Type in Advanced Settings is 'webserver'. The system is exploitable only when both hold: a vulnerable module version and webserver authentication in use.

Check Version:

fwconsole ma list | grep endpoint

Verify Fix Applied:

Confirm Endpoint Manager version is 16.0.44 or higher (for v16) or 17.0.23 or higher (for v17)
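The version check above is easy to get wrong by eye (16.0.9 sorts after 16.0.44 as a string), so here is an added example, not from the advisory or from FreePBX, that parses `fwconsole ma list` output, compares the Endpoint Manager version against the fixed version for its branch, and prints the remediation commands when it is short. The sample `fwconsole ma list` table is constructed for offline runs; the `fwconsole setting AUTHTYPE` call and its output format are an assumption about the CLI and are only displayed, never parsed.

```shell
#!/bin/sh
# Added example for CVE-2025-66039: is the installed Endpoint Manager fixed?
# Fixed versions from the advisory: 16.0.44 (16.x branch), 17.0.23 (17.x branch).

# Constructed sample of `fwconsole ma list` output, used when fwconsole is absent.
SAMPLE_MA_LIST='+-----------------+---------+---------+------------+
| Module          | Version | Status  | License    |
+-----------------+---------+---------+------------+
| core            | 16.0.68 | Enabled | GPLv3+     |
| endpoint        | 16.0.43 | Enabled | Commercial |
+-----------------+---------+---------+------------+'

# vercmp A B: prints -1, 0 or 1 comparing dotted numeric versions field by field.
# Assumes purely numeric components (16.0.43); suffixes like "beta" are not handled.
vercmp() {
    va=$1; vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        ai=${va%%.*}; bi=${vb%%.*}
        : "${ai:=0}"; : "${bi:=0}"          # a missing component counts as 0
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
        case $va in *.*) va=${va#*.} ;; *) va= ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
    done
    printf '%s\n' 0
}

# endpoint_version_from_list < ma_list_output: prints the endpoint module's version.
endpoint_version_from_list() {
    awk -F'|' '$2 ~ /^ *endpoint *$/ { gsub(/ /, "", $3); print $3; exit }'
}

# epm_status VERSION: prints "fixed", "vulnerable" or "unknown" (branch with no listed fix).
epm_status() {
    v=$1
    case $v in
        16.*) fixed=16.0.44 ;;
        17.*) fixed=17.0.23 ;;
        *)    printf '%s\n' unknown; return 0 ;;   # treat as vulnerable until confirmed
    esac
    if [ "$(vercmp "$v" "$fixed")" -ge 0 ]; then
        printf '%s\n' fixed
    else
        printf '%s\n' vulnerable
    fi
}

# Stand-alone run: live system if fwconsole is present, otherwise the constructed sample.
if command -v fwconsole >/dev/null 2>&1; then
    ma_list=$(fwconsole ma list)
    # Assumed CLI form for showing the global Authorization Type; shown raw, not parsed.
    printf 'Authorization Type: %s\n' "$(fwconsole setting AUTHTYPE 2>/dev/null || true)"
else
    ma_list=$SAMPLE_MA_LIST
fi
ver=$(printf '%s\n' "$ma_list" | endpoint_version_from_list)
status=$(epm_status "$ver")
printf 'Endpoint Manager %s: %s\n' "$ver" "$status"
if [ "$status" != fixed ]; then
    printf 'Remediate with: fwconsole ma upgrade endpoint && fwconsole reload\n'
fi
```

The branch split matters: 16.0.50 is fixed even though it is "below" 17.0.23, so a single global comparison against either fixed version would misclassify one of the two supported branches.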

📡 Detection & Monitoring

Log Indicators:

  • Successful admin-interface requests whose Authorization header does not correspond to a known account (only visible if the webserver is configured to log authentication outcomes or header presence; stock Apache access logs do not record the Authorization header)
  • Endpoint Manager configuration changes (templates, device settings, firmware) from unexpected IP addresses or at unexpected times
  • A run of 401 responses followed by a 200 on the same admin path from the same source (probing, then a working bypass request)

Network Indicators:

  • HTTP requests to /admin/config.php?display=endpoint carrying arbitrary Authorization header values from sources outside the administrative network
  • Unusual traffic to endpoint management pages, e.g. scripted user agents or bursts of requests from a single host

SIEM Query (Splunk-style; the first clause only matches if request headers are actually logged):

source="freepbx.log" AND (("Authorization:" AND NOT "session=") OR ("endpoint" AND "config.php" AND status=200))
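With webserver authentication in use every legitimate admin request also carries an Authorization header, so header presence on its own is noise; the usable signal in a stock access log is a successful response on the Endpoint Manager page from a source that has no business reaching the admin interface. The following is an added example, not part of the advisory or of FreePBX, that applies that logic to Apache "combined" format lines: it keeps 2xx responses for the /admin/config.php?display=endpoint indicator listed above and drops any from trusted IPv4 CIDRs. The log lines and the trusted ranges are constructed for the example; a real run reads the webserver's access log, whose path varies by distribution.

```shell
#!/bin/sh
# Added example for CVE-2025-66039 detection: flag successful Endpoint Manager page hits
# from outside the trusted admin networks. Assumes Apache "combined" LogFormat
# ($1 = client IP, $7 = request path, $9 = status) and IPv4 clients. If a reverse proxy
# sits in front of FreePBX, $1 is the proxy and you must log X-Forwarded-For instead.

# Constructed sample log lines (not real traffic).
SAMPLE_LOG='10.0.5.20 - - [01/Dec/2025:09:12:01 +0000] "GET /admin/config.php?display=endpoint HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Dec/2025:09:14:33 +0000] "GET /admin/config.php?display=endpoint HTTP/1.1" 200 8120 "-" "curl/8.4.0"
198.51.100.7 - - [01/Dec/2025:09:14:35 +0000] "POST /admin/config.php?display=endpoint HTTP/1.1" 200 312 "-" "curl/8.4.0"
203.0.113.9 - - [01/Dec/2025:09:15:02 +0000] "GET /admin/config.php?display=endpoint HTTP/1.1" 401 417 "-" "python-requests/2.31"
203.0.113.9 - - [01/Dec/2025:09:15:10 +0000] "GET /ucp/ HTTP/1.1" 200 1500 "-" "python-requests/2.31"'

# flag_untrusted_admin_hits "CIDR CIDR ..." < access_log
# Prints every line with a 2xx status for the Endpoint Manager page whose client
# address is outside all of the given IPv4 CIDRs (an address with no /len is a /32).
flag_untrusted_admin_hits() {
    awk -v trusted="$1" '
    function ip2int(ip,  o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # Prefix match without bitwise ops (portable awk): two addresses share a /bits
    # prefix iff they have the same quotient when divided by 2^(32-bits).
    function in_cidr(ip, cidr,  p, bits, unit) {
        split(cidr, p, "/")
        bits = (p[2] == "") ? 32 : p[2] + 0
        unit = 2 ^ (32 - bits)
        return int(ip2int(ip) / unit) == int(ip2int(p[1]) / unit)
    }
    BEGIN { n = split(trusted, t, " ") }
    $7 ~ /^\/admin\/config\.php[?]display=endpoint/ && $9 ~ /^2/ {
        ok = 0
        for (i = 1; i <= n; i++) if (in_cidr($1, t[i])) { ok = 1; break }
        if (!ok) print
    }'
}

# count_untrusted_admin_hits "CIDR ...": number of flagged lines in the constructed sample.
count_untrusted_admin_hits() {
    printf '%s\n' "$SAMPLE_LOG" | flag_untrusted_admin_hits "$1" | wc -l | tr -d ' '
}

# Stand-alone run over the sample with an assumed trusted admin range.
# Real use: flag_untrusted_admin_hits "10.0.0.0/8" < /var/log/httpd/access_log
printf '%s\n' "$SAMPLE_LOG" | flag_untrusted_admin_hits "10.0.0.0/8"
```

On the sample this surfaces the two successful curl requests from 198.51.100.7 and ignores the 401 probe and the unrelated /ucp/ hit from 203.0.113.9; the trusted 10.0.5.20 hit is dropped. Treat flagged lines as triage input rather than proof of exploitation, since a successful request from an unexpected source can also be a forgotten VPN range.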

🔗 References

  • Vendor advisory: https://github.com/FreePBX/security-reporting/security/advisories/GHSA-9jvh-mv6x-w698
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-66039
