VDB
CVE-2025-57819
CVE-2025-57819
PUBLISHED
KEV
CVSS 10 CRITICAL
FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data allowing unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution. This issue has been patched in endpoint versions 15.0.66, 16.0.89, and 17.0.3.
EPSS 76.95% · 99.0th percentile
Risk Scores
CVSS 4.0
10
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS Score
76.95%
99.0th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| FreePBX | endpoint | < 15.0.66, < 16.0.89, < 17.0.3 |
| sangoma | freepbx | 15.0, 17.0, 16.0 |
Timeline
- Mar 8, 2024 CrowdSec Sighting
- Mar 8, 2024 CrowdSec Sighting
- Mar 10, 2024 CrowdSec Sighting
- Apr 12, 2024 CrowdSec Sighting
- Apr 24, 2024 CrowdSec Sighting
- Apr 25, 2024 CrowdSec Sighting
- May 30, 2024 CrowdSec Sighting
- May 31, 2024 CrowdSec Sighting
- Jun 17, 2024 CrowdSec Sighting
- Jul 3, 2024 CrowdSec Sighting
- Jul 9, 2024 CrowdSec Sighting
- Aug 1, 2024 CrowdSec Sighting
References
- https://github.com/FreePBX/security-reporting/security/advisories/GHSA-m42g-xg4c-5f3h url
- https://community.freepbx.org/t/security-advisory-please-lock-down-your-administrator-access/107203 url
- https://github.com/watchtowrlabs/watchTowr-vs-FreePBX-CVE-2025-57819 exploit
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-57819 url