Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-61675— FreePBX Endpoint Manager vulnerable to authenticated SQL injection in multiple configuration parameters

EPSS 11.60% · P94
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-61675

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
FreePBX Endpoint Manager vulnerable to authenticated SQL injection in multiple configuration parameters
Source: NVD (National Vulnerability Database)
Vulnerability Description
FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions prior to 16.0.92 for FreePBX 16 and versions prior to 17.0.6 for FreePBX 17, the Endpoint Manager module contains authenticated SQL injection vulnerabilities affecting multiple parameters in the basestation, model, firmware, and custom extension configuration functionality areas. Authentication with a known username is required to exploit these vulnerabilities. Successful exploitation allows authenticated users to execute arbitrary SQL queries against the database, potentially enabling access to sensitive data or modification of database contents. This issue has been patched in version 16.0.92 for FreePBX 16 and version 17.0.6 for FreePBX 17.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
SQL命令中使用的特殊元素转义处理不恰当(SQL注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
FreePBX Endpoint Manager SQL注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
FreePBX Endpoint Manager是FreePBX开源的一款集中管理IP电话终端配置模块。 FreePBX Endpoint Manager 16.0.92之前版本和17.0.6之前版本存在SQL注入漏洞,该漏洞源于basestation、model、firmware和custom extension配置功能区域存在多个参数存在SQL注入漏洞,可能导致执行任意SQL查询。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
FreePBXendpoint < 16.0.92 -

II. Public POCs for CVE-2025-61675

#POC DescriptionSource LinkShenlong Link
1Detection for CVE-2025-61675, CVE-2025-61678 & CVE-2025-66039https://github.com/rxerium/FreePBX-Vulns-December-25POC Details
2🔍 Detect critical FreePBX vulnerabilities with Nuclei templates for CVE-2025-61675, CVE-2025-61678, and CVE-2025-66039 to strengthen your system's security.https://github.com/jhow019/FreePBX-Vulns-December-25POC Details
3🔍 Detect critical vulnerabilities in FreePBX with Nuclei templates for CVE-2025-61675, CVE-2025-61678, and CVE-2025-66039. Protect your system now.https://github.com/jhow019/jhow019.github.ioPOC Details
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2025-61675

登录查看更多情报信息。

Same Patch Batch · FreePBX · 2025-10-14 · 4 CVEs total

CVE-2025-59051FreePBX Endpoint Manager command injection via Network Scanning feature
CVE-2025-59429FreePBX core module vulnerable to reflected cross-site scripting via Asterisk HTTP Status
CVE-2025-61678FreePBX Endpoint Manager vulnerable to authenticated arbitrary file upload via fwbrand par

IV. Related Vulnerabilities

Same product: endpoint
Same vendor: FreePBX
Same weakness: CWE-89

V. Comments for CVE-2025-61675

No comments yet

Leave a comment