Cyber Posture

CVE-2025-66039

Severity: Critical
Published: 09 December 2025
Modified: 02 February 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.3320 (96.9th percentile)
Risk Priority: 40 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Affected versions are vulnerable to authentication bypass when the authentication type is set to "webserver." When an Authorization header with an arbitrary value is supplied, a session is associated with the target user regardless of valid credentials. This issue is fixed in versions 16.0.44 and 17.0.23.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

Prevent: Remediating the authentication bypass flaw by patching FreePBX Endpoint Manager to version 16.0.44 or 17.0.23 directly prevents exploitation of CVE-2025-66039.

Prevent: Requiring unique identification and authentication for organizational users prevents an arbitrary Authorization header from bypassing credentials in the Endpoint Manager module.

Prevent: Enforcing approved authorizations ensures that manipulated Authorization headers do not grant unauthorized sessions to target users in FreePBX systems.

Security Summary [AI-generated]

CVE-2025-66039 is an authentication bypass vulnerability in the FreePBX Endpoint Manager module, which manages telephony endpoints in FreePBX systems. The flaw occurs when the authentication type is configured to "webserver," allowing an attacker to supply an arbitrary value in the Authorization HTTP header. This results in a valid session being associated with the target user, bypassing the need for legitimate credentials. Affected versions are those prior to 16.0.44 and 17.0.23, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and mapped to CWE-287 (Improper Authentication).

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. By crafting a request with a manipulated Authorization header targeting a specific user, an attacker can impersonate that user and gain unauthorized access to the Endpoint Manager functionality. This enables full control over telephony endpoint configurations, potentially leading to high confidentiality, integrity, and availability impacts, such as reconfiguring devices, intercepting calls, or disrupting PBX operations.

Mitigation is available through upgrading to FreePBX Endpoint Manager versions 16.0.44 or 17.0.23, which address the issue as detailed in the project's GitHub security advisory (GHSA-9jvh-mv6x-w698) and a specific framework commit. FreePBX has also published guidance on their security practices in a related blog post, emphasizing prompt patching for exposed systems.
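The only mitigation the advisory names is upgrading Endpoint Manager to 16.0.44 or 17.0.23, so the practical first step for a defender is to find out which module version each FreePBX host is running. The script below is an added example, not code from this page or from the FreePBX project: it compares an installed Endpoint Manager version against the fixed versions stated above. The pipe-delimited module listing it parses is a constructed sample; the assumption that a module table looks like this (raw module name, version, status, as `fwconsole ma list` prints) and that the module's raw name is `endpoint` are both assumptions, so adjust the parser to the output of your own host.

```python
"""Check a FreePBX host's Endpoint Manager version against the fixed
versions named for CVE-2025-66039 (16.0.44 and 17.0.23).
Added example; not part of the advisory or of FreePBX itself."""
from typing import Dict, Optional, Tuple

# Fixed versions taken from the advisory text on this page. Builds below
# them on the same major branch are treated as affected.
FIXED_VERSIONS: Dict[int, Tuple[int, ...]] = {
    16: (16, 0, 44),
    17: (17, 0, 23),
}

# Constructed sample listing (assumption: a pipe-delimited table with the
# module raw name, version and status, in the shape `fwconsole ma list`
# prints). Replace with the real output of the host being checked.
SAMPLE_LISTING = """\
+----------------+-----------+---------+
| Module         | Version   | Status  |
+----------------+-----------+---------+
| core           | 17.0.12   | Enabled |
| endpoint       | 17.0.20   | Enabled |
| framework      | 17.0.19   | Enabled |
+----------------+-----------+---------+
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '17.0.20' into (17, 0, 20) so versions compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(version: str) -> Optional[bool]:
    """True if below the fix on its major branch, False if at or above it,
    None if the major branch is not covered by this advisory."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        return None
    return parsed < fixed


def find_module_version(listing: str, module: str) -> Optional[str]:
    """Pull one module's version column out of the table-shaped listing."""
    for line in listing.splitlines():
        if not line.startswith("|"):
            continue  # skip the +---+ border rows
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 2 and cells[0] == module:
            return cells[1]
    return None


def assess(listing: str) -> Dict[str, Optional[object]]:
    """Summarise one host's exposure to CVE-2025-66039."""
    version = find_module_version(listing, "endpoint")  # raw name assumed
    if version is None:
        return {"installed": False, "version": None, "vulnerable": None}
    return {
        "installed": True,
        "version": version,
        "vulnerable": is_vulnerable_version(version),
    }


if __name__ == "__main__":
    # The constructed sample runs 17.0.20, which is below the 17.0.23 fix.
    print(assess(SAMPLE_LISTING))
```

Versions on a major branch the advisory does not mention come back as `None` rather than `False`, so a fleet report distinguishes "patched" from "not assessed by this check".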

Details

CWE(s)

CWE-287 Improper Authentication
Affected Products

sangoma / freepbx: ≤ 16.0.44 · 17.0.1 — 17.0.23

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2025-66039 is an authentication bypass in the public-facing FreePBX Endpoint Manager web module, enabling remote unauthenticated exploitation for unauthorized access, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References