CVE-2025-61678
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-14

Last updated on: 2025-10-16

Assigner: GitHub, Inc.

Description
FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions prior to 16.0.92 for FreePBX 16 and versions prior to 17.0.6 for FreePBX 17, the Endpoint Manager module contains an authenticated arbitrary file upload vulnerability affecting the fwbrand parameter. The fwbrand parameter allows an attacker to change the file path. Combined, these issues can result in a webshell being uploaded. Authentication with a known username is required to exploit this vulnerability. Successful exploitation allows authenticated users to upload arbitrary files to attacker-controlled paths on the server, potentially leading to remote code execution. This issue has been patched in version 16.0.92 for FreePBX 16 and version 17.0.6 for FreePBX 17.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-14
Last Modified
2025-10-16
Generated
2026-06-16
AI Q&A
2025-10-14
EPSS Evaluated
2026-06-14
NVD
CVE-2025-61678
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
freepbx endpoint_manager *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-61678 is an authenticated arbitrary file upload vulnerability in the FreePBX Endpoint Manager module. It specifically affects the 'fwbrand' parameter, which allows an attacker with valid credentials to change the file path and upload arbitrary files, including potentially a webshell. This can lead to remote code execution on the server. The vulnerability affects FreePBX versions prior to 16.0.92 for FreePBX 16 and prior to 17.0.6 for FreePBX 17. Exploitation requires authentication with a known username but no further user interaction. [1]

Impact Analysis

This vulnerability can allow an authenticated attacker to upload malicious files to attacker-controlled paths on the server, potentially resulting in remote code execution. This means the attacker could execute arbitrary commands on the server, compromising confidentiality and integrity of the system. The impact is high severity with significant risks to data confidentiality and system integrity, although availability impact is low. [1]

Detection Guidance

Detection can focus on monitoring authenticated access to the FreePBX Endpoint Manager module, specifically looking for unusual or unauthorized use of the 'fwbrand' parameter that could indicate arbitrary file uploads. Since exploitation requires authentication, reviewing logs for suspicious authenticated sessions and file upload activities is key. Commands to check web server logs for POST requests to the Endpoint Manager with the 'fwbrand' parameter could be used, for example: `grep 'fwbrand' /var/log/httpd/access_log` or `grep 'fwbrand' /var/log/apache2/access.log`. Additionally, scanning for unexpected or newly created files in directories accessible by the web server may help detect uploaded webshells. However, no specific detection commands are provided in the resources. [1]

Mitigation Strategies

Immediate mitigation steps include updating the FreePBX Endpoint Manager module to version 16.0.92 or later for FreePBX 16, or version 17.0.6 or later for FreePBX 17, where the vulnerability is patched. Additionally, restrict access to the Admin Control Panel (ACP) by removing unauthorized users and firewall the HTTP/HTTPS/GraphQL ports of the FreePBX ACP to limit exposure. These actions reduce the risk of exploitation by limiting attacker access and applying the security fix. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61678. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart