CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2025-57819

CVSS 10.0v4.0pub. 2025-08-28upd. 2025-10-24

FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data allowing unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution. This issue has been patched in endpoint versions 15.0.66, 16.0.89, and 17.0.3.

🤖 AI Analysis
How it works

The vulnerability results from insufficient sanitization of user-supplied data (CWE-89 – SQL injection, CWE-288 – authentication mechanism bypass). An attacker without any credentials can send a specially crafted request to FreePBX endpoints, gaining access to the administrator panel. Subsequently, arbitrary database manipulation and remote code execution (RCE) on the server become possible.

Impact

An attacker can gain full control of the system — from arbitrary database modifications to remote code execution (RCE) on the server hosting FreePBX.

Mitigation & patch

FreePBX must be immediately updated to version 15.0.66, 16.0.89, or 17.0.3 depending on the branch in use. In accordance with the manufacturer's recommendations, access to the FreePBX administrator interface should also be restricted to trusted IP addresses (firewall, VPN, or ACL).

Who is affected

Sangoma FreePBX in versions 15, 16, and 17 (specifically endpoints before versions 15.0.66, 16.0.89, and 17.0.3).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Sangoma Freepbx

    APP
    Sangoma
    15.0 – 15.0.66 (bez)16.0 – 16.0.89 (bez)17.0 – 17.0.3 (bez)

CISA KEV — detailsi

Vendori
Sangoma
Producti
FreePBX
Added to KEVi
August 29, 2025
Remediation deadline (US Federal)i
September 19, 2025(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Sangoma FreePBX contains an authentication bypass vulnerability due to insufficiently sanitized user-supplied data allows unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 19 września 2025
Tags
RCESQLi
CWE
References

Related vulnerabilities

CVE-2019-19006CRITICAL9.8⚠ KEVten sam produkt

Sangoma FreePBX 115.0.16.26 and below, 14.0.13.11 and below, 13.0.197.13 and below have Incorrect Access Contr...

CVE-2026-46376CRITICAL9.3PL ✓ten sam produkt

FreePBX UCP: dostęp bez uwierzytelnienia przez wbudowane dane logowania

CVE-2025-66039CRITICAL9.3PL ✓ten sam produkt

FreePBX Endpoint Manager — pominięcie uwierzytelnienia (Auth Bypass)

CVE-2021-45461CRITICAL9.8ten sam produkt

FreePBX, when restapps (aka Rest Phone Apps) 15.0.19.87, 15.0.19.88, 16.0.18.40, or 16.0.18.41 is installed, a...

CVE-2020-10666CRITICAL9.8ten sam produkt

The restapps (aka Rest Phone apps) module for Sangoma FreePBX and PBXact 13, 14, and 15 through 15.0.19.2 allo...