CVE-2025-57819 PoC — FreePBX Affected by Authentication Bypass Leading to SQL Injection and RCE

Associated Vulnerability
Title: FreePBX Affected by Authentication Bypass Leading to SQL Injection and RCE (CVE-2025-57819)
Description: FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data allowing unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution. This issue has been patched in endpoint versions 15.0.66, 16.0.89, and 17.0.3.
Description
FreePBX CVE-2025-57819 lab (Docker) + Nuclei POC for unauth SQLi (time-based).
Readme
# (Work in Progress) FreePBX CVE-2025-57819 Lab - Unauth SQLi → RCE Chain (Nuclei POC)

Spin up a reproducible FreePBX 15 lab (Docker) to validate CVE-2025-57819 — a critical unauthenticated SQL injection in `userman` AJAX endpoints that can be chained to RCE. Includes a working Nuclei template (behavior-based, not version checks) and a debug-friendly test harness.

## Highlights

- Unauthenticated time-based SQLi POC (SLEEP) on `userman` endpoints
- Minimal Docker Compose (MariaDB + FreePBX 15)
- Nuclei POC template with `-debug` validation
- Make targets for quick bring-up and test

## Quick Start

Prereqs: Docker + Docker Compose. For Nuclei, either install locally or use the official container (used by default).

```bash
# bring up the lab
make up

# wait until FreePBX is responding
make wait

# quick timing check (expect ~6s delay on injected request)
make check

# run nuclei POC with debug (via Docker)
make test-nuclei

# all-in-one
make test
```

If you have Nuclei installed locally, you can run:

```bash
nuclei -u http://127.0.0.1:8080 -t templates/CVE-2025-57819.yaml -vv -debug -debug-req -debug-resp
```

## How It Works

- Vulnerable endpoints:
  - `/admin/ajax.php?module=userman&command=checkPasswordReminder`
  - `/ucp/ajax.php?module=userman&command=checkPasswordReminder`
- The template sends a baseline POST and a SLEEP-injected POST. A ≥5s delay on the injected request indicates likely SQLi.
- This is a detection-only POC (non-destructive). Do not attempt file writes in shared environments.
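
For defenders, the same two signals (POSTs to the `userman` `checkPasswordReminder` endpoints and a ≥5s response) can be hunted in web server logs. The following is an added example, not code from this repository; it assumes Apache's combined log format with `%D` (response time in microseconds) appended as the last field, and the sample log lines and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint paths and delay threshold named in the README above.
PATHS = {"/admin/ajax.php", "/ucp/ajax.php"}
DELAY_US = 5_000_000  # 5 s in microseconds, the unit of Apache's %D

# Assumed log format: Apache "combined" with %D appended as the last field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "[^"]*" (?P<us>\d+)$'
)

def is_reminder_call(target):
    """True if the request targets userman checkPasswordReminder."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)  # also decodes percent-encoded values
    return (parts.path in PATHS
            and "userman" in query.get("module", [])
            and "checkPasswordReminder" in query.get("command", []))

def hunt(lines):
    """Return (ip, timestamp, path, seconds, slow) per matching POST."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST" or not is_reminder_call(m["target"]):
            continue
        us = int(m["us"])
        hits.append((m["ip"], m["ts"], urlsplit(m["target"]).path,
                     us / 1e6, us >= DELAY_US))
    return hits

# Constructed sample lines (documentation-range IPs), not real traffic.
QS = "?module=userman&command=checkPasswordReminder"
SAMPLE = [
    f'203.0.113.7 - - [01/Sep/2025:10:00:01 +0000] "POST /admin/ajax.php{QS} HTTP/1.1" 200 52 "-" "curl/8.5.0" 41230',
    f'203.0.113.7 - - [01/Sep/2025:10:00:08 +0000] "POST /admin/ajax.php{QS} HTTP/1.1" 200 52 "-" "curl/8.5.0" 6048112',
    '198.51.100.20 - - [01/Sep/2025:10:02:00 +0000] "GET /admin/config.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0" 88012',
    f'198.51.100.9 - - [01/Sep/2025:10:03:00 +0000] "POST /ucp/ajax.php{QS} HTTP/1.1" 200 52 "-" "Mozilla/5.0" 5200000',
]

if __name__ == "__main__":
    for ip, ts, path, secs, slow in hunt(SAMPLE):
        print(f"{ts} {ip} POST {path} {secs:.2f}s {'SLOW' if slow else 'ok'}")
```

On hosts not yet at the patched endpoint versions (15.0.66, 16.0.89, 17.0.3), rows flagged as slow are the ones to triage first.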

## Repository Layout

```txt
.
├── docker-compose.yml
├── Makefile
├── scripts/
│   └── test.sh
└── templates/
    └── CVE-2025-57819.yaml
```

## References

- FreePBX advisory: <https://github.com/FreePBX/security-reporting/security/advisories/GHSA-m42g-xg4c-5f3h>
- PoC 1: <https://github.com/blueisbeautiful/CVE-2025-57819>
- PoC 2: <https://github.com/net-hex/CVE-2025-57819>

## Disclaimer

For educational and authorized testing only. Test only assets you own or have explicit permission to test.

File Snapshot

```txt
[4.0K] /data/pocs/8c22cbb163eee2e256485370d8a84ed034f3d3a9
├── [ 761] docker-compose.yml
├── [1.7K] Makefile
├── [2.2K] README.md
├── [4.0K] scripts
│   ├── [1.5K] seed-admin.sh
│   └── [1.0K] test.sh
└── [4.0K] templates
    └── [3.3K] CVE-2025-57819.yaml

2 directories, 6 files
```