CVE-2025-61678
BaseFortify
Publication date: 2025-10-14
Last updated on: 2025-10-16
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freepbx | endpoint_manager | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-61678 is an authenticated arbitrary file upload vulnerability in the FreePBX Endpoint Manager module. It specifically affects the 'fwbrand' parameter, which allows an attacker with valid credentials to change the destination file path and upload arbitrary files, including potentially a webshell. This can lead to remote code execution on the server. The vulnerability affects Endpoint Manager module versions prior to 16.0.92 on FreePBX 16 and prior to 17.0.6 on FreePBX 17. Exploitation requires authentication with a known username but no further user interaction. [1]
How can this vulnerability impact me?
This vulnerability can allow an authenticated attacker to upload malicious files to attacker-controlled paths on the server, potentially resulting in remote code execution. This means the attacker could execute arbitrary commands on the server, compromising confidentiality and integrity of the system. The impact is high severity with significant risks to data confidentiality and system integrity, although availability impact is low. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can focus on monitoring authenticated access to the FreePBX Endpoint Manager module, specifically looking for unusual or unauthorized use of the 'fwbrand' parameter that could indicate arbitrary file uploads. Since exploitation requires authentication, reviewing logs for suspicious authenticated sessions and file upload activities is key. Commands to check web server logs for POST requests to the Endpoint Manager with the 'fwbrand' parameter could be used, for example: `grep 'fwbrand' /var/log/httpd/access_log` or `grep 'fwbrand' /var/log/apache2/access.log`. Additionally, scanning for unexpected or newly created files in directories accessible by the web server may help detect uploaded webshells. However, no specific detection commands are provided in the resources. [1]
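The log review described above, as an added shell example that is not part of the BaseFortify page or the FreePBX project: it narrows the page's grep to POST requests carrying 'fwbrand' and flags values that contain path separators or traversal sequences, which is the behaviour this flaw abuses. The log lines are constructed, and the request path and default web root are assumptions, not values taken from the page.

```shell
#!/bin/sh
# Constructed Apache combined-format log lines standing in for real traffic.
# The request path (/admin/config.php?display=epm_...) is an assumption; the page
# does not name the exact Endpoint Manager endpoint that consumes 'fwbrand'.
SAMPLE_LOG='10.0.0.5 - - [14/Oct/2025:10:01:02 +0000] "GET /admin/config.php?display=epm_advanced HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Oct/2025:10:01:40 +0000] "POST /admin/config.php?display=epm_advanced&fwbrand=sangoma HTTP/1.1" 200 211 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Oct/2025:10:02:15 +0000] "POST /admin/config.php?display=epm_advanced&fwbrand=../../../var/www/html HTTP/1.1" 200 211 "-" "curl/8.0"
10.0.0.9 - - [14/Oct/2025:10:03:00 +0000] "GET /admin/config.php?display=dashboard HTTP/1.1" 200 9981 "-" "Mozilla/5.0"'

# Narrow the page's grep to POST requests that actually carry a fwbrand parameter.
fwbrand_posts() {
    grep -E '"POST [^"]*[?&]fwbrand='
}

# Report fwbrand values containing path separators or traversal sequences, plain
# or URL-encoded, since the flaw lets the parameter steer the upload path.
# Output: "<client_ip> <fwbrand_value>" per hit.
suspicious_fwbrand() {
    fwbrand_posts | awk '{
        req = $7                           # request target in combined log format
        n = split(req, parts, /[?&]/)      # separate the query-string parameters
        for (i = 2; i <= n; i++) {
            if (parts[i] ~ /^fwbrand=/) {
                val = substr(parts[i], 9)  # strip the "fwbrand=" prefix
                lv = tolower(val)
                if (index(lv, "..") || index(lv, "/") || lv ~ /%2e|%2f|%5c/) print $1, val
            }
        }
    }'
}

# Wrappers over the constructed sample so the results can be checked directly.
sample_fwbrand_post_count() {
    printf '%s\n' "$SAMPLE_LOG" | fwbrand_posts | wc -l | tr -d ' '
}
sample_suspicious() {
    printf '%s\n' "$SAMPLE_LOG" | suspicious_fwbrand
}

# Second check from the answer above: files recently written under the web root.
# The default directory is an assumption; point it at the actual FreePBX web root.
recent_webroot_files() {
    find "${1:-/var/www/html}" -type f -mmin "-${2:-60}" 2>/dev/null
}

sample_suspicious
```

A 'fwbrand' value sent in the POST body does not appear in the access log, so this only catches query-string use; body parameters need request logging (e.g. mod_dumpio or a reverse proxy) or a check of the module's own logs.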
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the FreePBX Endpoint Manager module to version 16.0.92 or later for FreePBX 16, or version 17.0.6 or later for FreePBX 17, where the vulnerability is patched. Additionally, restrict access to the Admin Control Panel (ACP) by removing unauthorized users and firewall the HTTP/HTTPS/GraphQL ports of the FreePBX ACP to limit exposure. These actions reduce the risk of exploitation by limiting attacker access and applying the security fix. [1]