
CVE-2025-61678: CWE-434: Unrestricted Upload of File with Dangerous Type in FreePBX security-reporting

Severity: High
Published: Tue Oct 14 2025 (10/14/2025, 19:33:29 UTC)
Source: CVE Database V5
Vendor/Project: FreePBX
Product: security-reporting

Description

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions prior to 16.0.92 for FreePBX 16 and versions prior to 17.0.6 for FreePBX 17, the Endpoint Manager module contains an authenticated arbitrary file upload vulnerability affecting the fwbrand parameter. The fwbrand parameter allows an attacker to change the file path. Combined, these issues can result in a webshell being uploaded. Authentication with a known username is required to exploit this vulnerability. Successful exploitation allows authenticated users to upload arbitrary files to attacker-controlled paths on the server, potentially leading to remote code execution. This issue has been patched in version 16.0.92 for FreePBX 16 and version 17.0.6 for FreePBX 17.

AI-Powered Analysis

AI analysis last updated: 10/14/2025, 19:41:52 UTC

Technical Analysis

CVE-2025-61678 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) found in the FreePBX Endpoint Manager module, which manages telephony endpoints in FreePBX systems. The flaw exists in versions prior to 16.0.92 for FreePBX 16 and versions prior to 17.0.6 for FreePBX 17. The vulnerability stems from insufficient validation of the fwbrand parameter, which controls the file path during file uploads. Authenticated users with a known username can exploit this by manipulating the fwbrand parameter to upload arbitrary files, including malicious webshells, to attacker-controlled locations on the server. This can lead to remote code execution, compromising the server’s confidentiality, integrity, and availability. The attack vector requires network access and valid credentials but does not require user interaction beyond authentication. The vulnerability has been publicly disclosed and assigned a CVSS 4.0 score of 8.6, indicating high severity. No known exploits are currently reported in the wild. The issue has been addressed in FreePBX Endpoint Manager versions 16.0.92 and 17.0.6, where proper validation and restrictions have been implemented to prevent arbitrary file uploads. Organizations running vulnerable versions should prioritize patching to mitigate risk.
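As an added illustration of the bug class described above (this is not FreePBX code, which is PHP; the brand names, extensions and upload root are hypothetical), a path builder that trusts a caller-supplied brand is shown beside a hardened form that allowlists the brand, constrains the file name and confirms the resolved destination stays under the upload root:

```python
import os
import re

# Constructed for this example: a brand is accepted only if the firmware
# directory already knows it; the list itself is hypothetical.
KNOWN_BRANDS = {"brandA", "brandB"}
ALLOWED_EXTENSIONS = {".bin", ".img", ".tgz"}  # hypothetical firmware types


def weak_firmware_path(upload_root, fwbrand, filename):
    """The CWE-434 pattern: the request-controlled brand is joined straight
    into the destination, so '../' segments and a .php name let the upload
    land anywhere the web server user can write."""
    return os.path.join(upload_root, fwbrand, filename)


def safe_firmware_path(upload_root, fwbrand, filename):
    """Return the destination path or raise ValueError.

    Three independent checks: the brand must be allowlisted, the file name
    must be a single plain path component with a permitted extension, and
    the resolved path must still lie inside upload_root (defence in depth
    should the allowlist ever be relaxed)."""
    if fwbrand not in KNOWN_BRANDS:
        raise ValueError("unknown firmware brand")
    base = os.path.basename(filename)
    if base != filename or not re.fullmatch(r"[A-Za-z0-9._-]+", base):
        raise ValueError("file name must be a single plain path component")
    if os.path.splitext(base)[1].lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("file type not permitted")
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(os.path.join(root, fwbrand, base))
    if os.path.commonpath([root, dest]) != root:
        raise ValueError("destination escapes the upload root")
    return dest


def is_rejected(fwbrand, filename, upload_root="/tmp/firmware"):
    """True when the hardened builder refuses the brand/file pair."""
    try:
        safe_firmware_path(upload_root, fwbrand, filename)
    except ValueError:
        return True
    return False
```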

Potential Impact

For European organizations, this vulnerability poses a significant risk to telephony infrastructure, particularly those relying on FreePBX for endpoint management. Successful exploitation can lead to unauthorized remote code execution, allowing attackers to gain control over telephony servers, intercept or manipulate voice communications, disrupt services, or use compromised systems as a foothold for lateral movement within the network. This can result in data breaches, service outages, and reputational damage. Critical sectors such as telecommunications providers, call centers, government agencies, and enterprises with VoIP infrastructure are especially vulnerable. Given the widespread use of FreePBX in Europe, the potential impact includes disruption of essential communication services and exposure of sensitive communications data. The requirement for authentication limits exploitation to insiders or attackers who have obtained valid credentials, but this does not eliminate the risk, as credential compromise is common. The high CVSS score reflects the severe consequences of exploitation combined with relatively low attack complexity.

Mitigation Recommendations

1. Immediately upgrade FreePBX Endpoint Manager to version 16.0.92 or 17.0.6 or later to apply the official patch addressing this vulnerability.
2. Restrict access to the Endpoint Manager module by enforcing strict role-based access controls and limiting user permissions to only trusted administrators.
3. Implement multi-factor authentication (MFA) for all accounts with access to FreePBX administrative interfaces to reduce the risk of credential compromise.
4. Monitor logs and file system changes for unusual file uploads or modifications, especially in directories accessible via the web server.
5. Employ network segmentation to isolate telephony infrastructure from general user networks, limiting exposure to potential attackers.
6. Conduct regular security audits and vulnerability scans on FreePBX systems to detect outdated versions or misconfigurations.
7. Educate administrators on the risks of credential reuse and phishing attacks to minimize the chance of unauthorized access.
8. Consider deploying web application firewalls (WAFs) with rules to detect and block suspicious file upload attempts targeting the fwbrand parameter or similar vectors.


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-09-29T20:25:16.181Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68eea752bbec4fba96d79ee2

Added to database: 10/14/2025, 7:41:06 PM

Last enriched: 10/14/2025, 7:41:52 PM

Last updated: 10/15/2025, 1:56:33 AM

