CVE-2025-61675
BaseFortify
Publication date: 2025-10-14
Last updated on: 2025-10-16
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freepbx | endpoint_manager | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-61675 is an authenticated SQL injection vulnerability in the FreePBX Endpoint Manager module affecting versions prior to 16.0.92 for FreePBX 16 and prior to 17.0.6 for FreePBX 17. It impacts multiple parameters in configuration areas such as basestation, model, firmware, and custom extension settings. An attacker with a known username and high privileges can exploit this vulnerability to execute arbitrary SQL queries against the database, potentially compromising the confidentiality and integrity of system data. [1]
How can this vulnerability impact me? :
This vulnerability can allow an authenticated attacker with high privileges to execute unauthorized SQL commands on the FreePBX Endpoint Manager database. This can lead to unauthorized access to sensitive data and modification of database contents, compromising the confidentiality and integrity of the system. The availability impact is low, but the risk of data disclosure and unauthorized changes is significant. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves verifying if your FreePBX Endpoint Manager module is running a vulnerable version prior to 16.0.92 (FreePBX 16) or 17.0.6 (FreePBX 17). You can check the module version via the FreePBX Admin Control Panel or by running commands on the server such as: `fwconsole ma list` to list module versions. Additionally, monitoring for unusual SQL queries or unauthorized access attempts in logs related to the basestation, model, firmware, and custom extension configuration areas may help detect exploitation attempts. There are no specific commands provided for direct detection of the SQL injection exploit itself. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the FreePBX Endpoint Manager module to version 16.0.92 (for FreePBX 16) or 17.0.6 (for FreePBX 17) where the vulnerability is patched. Additionally, restrict access to the Admin Control Panel by removing unauthorized users and firewall the HTTP/HTTPS/GraphQL ports of the FreePBX Admin Control Panel to limit exposure. [1]