CVE-2025-61675 identifies an authenticated SQL injection vulnerability in the FreePBX Endpoint Manager module, specifically affecting versions prior to 16.0.92 for FreePBX 16 and versions prior to 17.0.6 for FreePBX 17. The vulnerability arises from improper neutralization of special elements in SQL commands (CWE-89) within multiple parameters used for configuring basestation, model, firmware, and custom extensions. An attacker with valid credentials can exploit this flaw to inject arbitrary SQL queries into the backend database. This can lead to unauthorized disclosure of sensitive information, modification of database contents, or potentially full compromise of the telephony management system. The vulnerability does not require user interaction but does require authentication with a known username, which lowers the barrier for insider threats or attackers who have obtained credentials through other means. The issue has been addressed by patches in versions 16.0.92 and 17.0.6. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no user interaction, high impact on confidentiality and integrity, and limited impact on availability. No known exploits in the wild have been reported as of the publication date.

For European organizations, this vulnerability poses significant risks due to the critical role FreePBX plays in telephony endpoint management. Exploitation can lead to unauthorized access to sensitive configuration data, call routing information, or user credentials stored in the database. Attackers could modify configurations to disrupt telephony services, intercept calls, or create backdoors for persistent access. This can result in operational downtime, data breaches involving personal or corporate communications, and regulatory non-compliance under GDPR. Organizations relying on FreePBX for unified communications, especially in sectors like finance, healthcare, and government, face heightened risks. The requirement for authentication means insider threats or compromised credentials are primary attack vectors, emphasizing the need for strong access controls. The absence of known exploits reduces immediate risk but does not eliminate the threat due to the high severity and ease of exploitation once credentials are obtained.

1. Immediately upgrade FreePBX Endpoint Manager to version 16.0.92 or later for FreePBX 16, or version 17.0.6 or later for FreePBX 17 to apply the official patches. 2. Enforce strict access controls on the FreePBX management interface, limiting access to trusted IP addresses and using VPNs or zero-trust network access solutions. 3. Implement strong authentication mechanisms, including multi-factor authentication (MFA), to reduce the risk of credential compromise. 4. Regularly audit user accounts and remove or disable unused or suspicious accounts to minimize insider threat vectors. 5. Monitor database query logs and application logs for unusual or unauthorized SQL queries indicative of injection attempts. 6. Conduct regular security assessments and penetration testing focused on the telephony infrastructure. 7. Educate administrators on secure configuration practices and the importance of timely patching. 8. Consider network segmentation to isolate telephony management systems from general corporate networks to limit lateral movement.