CVE-2025-61675
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-14

Last updated on: 2025-10-16

Assigner: GitHub, Inc.

Description
FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions prior to 16.0.92 for FreePBX 16 and versions prior to 17.0.6 for FreePBX 17, the Endpoint Manager module contains authenticated SQL injection vulnerabilities affecting multiple parameters in the basestation, model, firmware, and custom extension configuration functionality areas. Authentication with a known username is required to exploit these vulnerabilities. Successful exploitation allows authenticated users to execute arbitrary SQL queries against the database, potentially enabling access to sensitive data or modification of database contents. This issue has been patched in version 16.0.92 for FreePBX 16 and version 17.0.6 for FreePBX 17.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-14
Last Modified
2025-10-16
Generated
2026-06-16
AI Q&A
2025-10-14
EPSS Evaluated
2026-06-15
NVD
CVE-2025-61675
EUVD
EUVD-2025-34454
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
freepbx endpoint_manager *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-61675 is an authenticated SQL injection vulnerability in the FreePBX Endpoint Manager module affecting versions prior to 16.0.92 for FreePBX 16 and prior to 17.0.6 for FreePBX 17. It impacts multiple parameters in configuration areas such as basestation, model, firmware, and custom extension settings. An attacker with a known username and high privileges can exploit this vulnerability to execute arbitrary SQL queries against the database, potentially compromising the confidentiality and integrity of system data. [1]

Impact Analysis

This vulnerability can allow an authenticated attacker with high privileges to execute unauthorized SQL commands on the FreePBX Endpoint Manager database. This can lead to unauthorized access to sensitive data and modification of database contents, compromising the confidentiality and integrity of the system. The availability impact is low, but the risk of data disclosure and unauthorized changes is significant. [1]

Detection Guidance

Detection involves verifying if your FreePBX Endpoint Manager module is running a vulnerable version prior to 16.0.92 (FreePBX 16) or 17.0.6 (FreePBX 17). You can check the module version via the FreePBX Admin Control Panel or by running commands on the server such as: `fwconsole ma list` to list module versions. Additionally, monitoring for unusual SQL queries or unauthorized access attempts in logs related to the basestation, model, firmware, and custom extension configuration areas may help detect exploitation attempts. There are no specific commands provided for direct detection of the SQL injection exploit itself. [1]

Mitigation Strategies

Immediate mitigation steps include updating the FreePBX Endpoint Manager module to version 16.0.92 (for FreePBX 16) or 17.0.6 (for FreePBX 17) where the vulnerability is patched. Additionally, restrict access to the Admin Control Panel by removing unauthorized users and firewall the HTTP/HTTPS/GraphQL ports of the FreePBX Admin Control Panel to limit exposure. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61675. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart