CVE-2025-57819

FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data allowing unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution. This issue has been patched in endpoint versions 15.0.66, 16.0.89, and 17.0.3.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
GitHub_MCNA
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 98%
VendorProductVersion
sangomafreepbx
15.0 ≤
𝑥
< 15.0.66
sangomafreepbx
16.0 ≤
𝑥
< 16.0.89
sangomafreepbx
17.0 ≤
𝑥
< 17.0.3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://community.freepbx.org/t/security-advisory-please-lock-down-your-administrator-access/107203
https://github.com/FreePBX/security-reporting/security/advisories/GHSA-m42g-xg4c-5f3h
https://github.com/watchtowrlabs/watchTowr-vs-FreePBX-CVE-2025-57819