CVE-2025-66039

Critical CVSS: 9.3

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions are vulnerable to authentication bypass when the authentication type is set to "webserver." When providing an Authorization header with an arbitrary value, a session is associated with the target user regardless of valid credentials. This issue is fixed in versions 16.0.44 and 17.0.23.

Vendor

Sangoma

Product

Freepbx

CWE

CWE-287

Yayın Tarihi

2025-12-09 22:16:15

Güncelleme

2026-02-02 14:47:12

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-287 Freepbx CRITICAL Sangoma 2025

Referanslar

https://github.com/FreePBX/framework/commit/04224253156543cd9932b90458660b2f19fc0e35#diff-72f14a52840a61504a8e03cd195035b44e488aecd634b001bc6412a04bdc940bR20-R50 https://github.com/FreePBX/security-reporting/security/advisories/GHSA-9jvh-mv6x-w698 https://www.freepbx.org/watch-what-we-do-with-security-fixes-%f0%9f%91%80

Benzer Kayıtlar

High

CVE-2026-28287

FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5,…

High

CVE-2026-28209

FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5,…

High

CVE-2026-28210

FreePBX is an open source IP PBX. Prior to versions 16.0.49 and 17.0.7, FreePBX module cdr (Call Data Record) is vulnera…

High

CVE-2026-28284

FreePBX is an open source IP PBX. Prior to versions 16.0.10 and 17.0.5, the FreePBX logfiles module contains several aut…

Low

CVE-2025-55210

FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to 17.0.5 and 16.0.17, F…

Low

CVE-2026-23738

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1…