FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data allowing unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution. This issue has been patched in endpoint versions 15.0.66, 16.0.89, and 17.0.3.
The vulnerability results from insufficient sanitization of user-supplied data (CWE-89 – SQL injection, CWE-288 – authentication mechanism bypass). An attacker without any credentials can send a specially crafted request to FreePBX endpoints, gaining access to the administrator panel. Subsequently, arbitrary database manipulation and remote code execution (RCE) on the server become possible.
An attacker can gain full control of the system — from arbitrary database modifications to remote code execution (RCE) on the server hosting FreePBX.
FreePBX must be immediately updated to version 15.0.66, 16.0.89, or 17.0.3 depending on the branch in use. In accordance with the manufacturer's recommendations, access to the FreePBX administrator interface should also be restricted to trusted IP addresses (firewall, VPN, or ACL).
Sangoma FreePBX in versions 15, 16, and 17 (specifically endpoints before versions 15.0.66, 16.0.89, and 17.0.3).
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XSangoma Freepbx
APPSangoma15.0 – 15.0.66 (bez)16.0 – 16.0.89 (bez)17.0 – 17.0.3 (bez)
CISA KEV — detailsi
- Vendori
- Sangoma
- Producti
- FreePBX
- Added to KEVi
- August 29, 2025
- Remediation deadline (US Federal)i
- September 19, 2025(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Sangoma FreePBX contains an authentication bypass vulnerability due to insufficiently sanitized user-supplied data allows unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution.
Related vulnerabilities
Sangoma FreePBX 115.0.16.26 and below, 14.0.13.11 and below, 13.0.197.13 and below have Incorrect Access Contr...
FreePBX UCP: dostęp bez uwierzytelnienia przez wbudowane dane logowania
FreePBX Endpoint Manager — pominięcie uwierzytelnienia (Auth Bypass)
FreePBX, when restapps (aka Rest Phone Apps) 15.0.19.87, 15.0.19.88, 16.0.18.40, or 16.0.18.41 is installed, a...
The restapps (aka Rest Phone apps) module for Sangoma FreePBX and PBXact 13, 14, and 15 through 15.0.19.2 allo...