CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-66039

CVSS 9.3v4.0pub. 2025-12-09upd. 2026-02-02

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions are vulnerable to authentication bypass when the authentication type is set to "webserver." When providing an Authorization header with an arbitrary value, a session is associated with the target user regardless of valid credentials. This issue is fixed in versions 16.0.44 and 17.0.23.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Sangoma Freepbx

    APP
    Sangoma
    < 16.0.4417.0.1 – 17.0.23 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2025-57819CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Krytyczna podatność RCE i SQL injection w Sangoma FreePBX (bez uwierzytelnienia)

CVE-2019-19006CRITICAL9.8⚠ KEVten sam produkt

Sangoma FreePBX 115.0.16.26 and below, 14.0.13.11 and below, 13.0.197.13 and below have Incorrect Access Contr...

CVE-2026-46376CRITICAL9.3PL ✓ten sam produkt

FreePBX UCP: dostęp bez uwierzytelnienia przez wbudowane dane logowania

CVE-2021-45461CRITICAL9.8ten sam produkt

FreePBX, when restapps (aka Rest Phone Apps) 15.0.19.87, 15.0.19.88, 16.0.18.40, or 16.0.18.41 is installed, a...

CVE-2020-10666CRITICAL9.8ten sam produkt

The restapps (aka Rest Phone apps) module for Sangoma FreePBX and PBXact 13, 14, and 15 through 15.0.19.2 allo...