CVE-2025-67513
📋 TL;DR
FreePBX Endpoint Manager versions before 16.0.96 and 17.0.1 through 17.0.9 have a weak default password (app_password) that is a 6-digit numeric value, making it susceptible to brute-force attacks. This vulnerability could allow attackers to gain unauthorized access to telephony endpoints, potentially compromising extension, voicemail, user manager, DPMA, or EPM phone admin passwords. Affected users are those running vulnerable FreePBX systems with the Endpoint Manager module installed.
💻 Affected Systems
- FreePBX Endpoint Manager
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker could brute-force the default password, gain administrative access to telephony endpoints, and potentially compromise sensitive data, disrupt communications, or pivot to other systems.
Likely Case
Attackers may exploit this to access voicemail or extension settings, leading to unauthorized call interception, data theft, or service disruption.
If Mitigated
With strong password policies and network segmentation, the impact is limited to isolated systems, reducing the risk of widespread compromise.
🎯 Exploit Status
Exploitation requires knowledge of the target system and involves brute-forcing a predictable password, which is straightforward with automated tools.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.0.96 and 17.0.10
Vendor Advisory: https://github.com/FreePBX/security-reporting/security/advisories/GHSA-426v-c5p7-cp29
Restart Required: No
Instructions:
1. Log into the FreePBX web interface.
2. Navigate to the Module Admin section.
3. Check for updates and install version 16.0.96 or 17.0.10 of the Endpoint Manager module.
4. Apply the update and verify the installation.
🔧 Temporary Workarounds
Change Default Password
Manually change the weak default password (app_password) to a strong, complex password to prevent brute-force attacks.
Access the FreePBX Endpoint Manager settings via the web interface and update the password field with a secure value.
🧯 If You Can't Patch
- Implement network segmentation to isolate the FreePBX system from untrusted networks.
- Enable rate limiting or account lockout policies to deter brute-force attempts.
🔍 How to Verify
Check if Vulnerable:
Check the Endpoint Manager module version in the FreePBX web interface under Module Admin; if it is below 16.0.96 or between 17.0.1 and 17.0.9, it is vulnerable.
Check Version:
In FreePBX, run from SSH: fwconsole ma list | grep endpoint
Verify Fix Applied:
After updating, confirm the module version is 16.0.96 or 17.0.10 or higher in the Module Admin section.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts to the Endpoint Manager interface in FreePBX logs
- Unusual access patterns or successful logins from unknown IPs
Network Indicators:
- Increased traffic to the FreePBX web port (typically 443) with repetitive POST requests
- Brute-force tool signatures in network traffic
SIEM Query:
source="FreePBX" AND (event="login_failed" OR event="login_success") AND user="app_password" | stats count by src_ip
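As an added example (not part of the advisory or the FreePBX project), the script below quantifies why a 6-digit numeric app_password is weak, generates a strong replacement for the workaround above, and runs the failed-login detection logic over constructed sample log lines. The log line layout and field names are assumptions, not FreePBX's real log format.

```python
import math
import re
import secrets
import string
from collections import Counter

# Constructed sample log lines (assumed layout; FreePBX/EPM logs will differ).
SAMPLE_LOG = """\
2025-01-10T09:00:01 epm auth=failed src=203.0.113.5 ext=2001
2025-01-10T09:00:01 epm auth=failed src=203.0.113.5 ext=2001
2025-01-10T09:00:02 epm auth=failed src=203.0.113.5 ext=2001
2025-01-10T09:00:02 epm auth=failed src=203.0.113.5 ext=2001
2025-01-10T09:00:03 epm auth=success src=203.0.113.5 ext=2001
2025-01-10T09:05:00 epm auth=failed src=198.51.100.7 ext=2002
2025-01-10T09:07:00 epm auth=success src=198.51.100.7 ext=2002
"""

LOG_RE = re.compile(r"auth=(?P<result>failed|success) src=(?P<src>\S+)")
ALPHABET = string.ascii_letters + string.digits


def pin_entropy_bits(digits: int) -> float:
    """Entropy of an all-numeric PIN: 10**digits possibilities (6 digits ~ 19.9 bits)."""
    return digits * math.log2(10)


def password_entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random password over the given alphabet."""
    return length * math.log2(len(alphabet))


def generate_app_password(length: int = 20) -> str:
    """Strong replacement for the weak default, drawn from a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def flag_bruteforce(lines, threshold: int = 3):
    """Return ({src: failed_count} at/above threshold, {src that succeeded
    only after repeated failures}); the second set is the high-priority alert."""
    failed = Counter()
    guessed = set()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src = m.group("src")
        if m.group("result") == "failed":
            failed[src] += 1
        elif failed[src] >= threshold:
            guessed.add(src)
    flagged = {s: n for s, n in failed.items() if n >= threshold}
    return flagged, guessed
```

A success following a burst of failures from the same source is the pattern the SIEM query above is meant to surface; a single failure followed by a success (198.51.100.7) is normal user behaviour and is not flagged.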