CVE-2025-61678: CWE-434: Unrestricted Upload of File with Dangerous Type in FreePBX security-reporting
FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions prior to 16.0.92 for FreePBX 16 and versions prior to 17.0.6 for FreePBX 17, the Endpoint Manager module contains an authenticated arbitrary file upload vulnerability affecting the fwbrand parameter. The fwbrand parameter allows an attacker to change the file path. Combined, these issues can result in a webshell being uploaded. Authentication with a known username is required to exploit this vulnerability. Successful exploitation allows authenticated users to upload arbitrary files to attacker-controlled paths on the server, potentially leading to remote code execution. This issue has been patched in version 16.0.92 for FreePBX 16 and version 17.0.6 for FreePBX 17.
AI Analysis
Technical Summary
CVE-2025-61678 is an authenticated arbitrary file upload vulnerability (CWE-434, Unrestricted Upload of File with Dangerous Type) in the FreePBX Endpoint Manager module, which manages telephony endpoints and their firmware. It affects Endpoint Manager versions prior to 16.0.92 on FreePBX 16 and prior to 17.0.6 on FreePBX 17. Two weaknesses combine: the upload handler does not restrict the type of file it accepts, and the fwbrand parameter, which selects where the uploaded file is stored, is not validated, so an authenticated user can use it to redirect the upload to a path of their choosing. Together these let an attacker with valid credentials write a webshell, or any other file, to an attacker-controlled location on the server, potentially leading to remote code execution and persistent access. No user interaction beyond authentication is required; the CVSS 4.0 base score is 8.6 (high). The fix ships in the patched versions above, and no public exploit had been reported at the time of this analysis. Because FreePBX runs telephony, a compromise can also disrupt communications and expose call data.
Potential Impact
For European organizations, especially those operating VoIP and telephony infrastructure on FreePBX, this vulnerability poses a significant risk. Successful exploitation can lead to remote code execution, allowing attackers to take control of telephony servers, intercept or manipulate calls, disrupt communications, and pivot to other internal systems. This affects the confidentiality, integrity, and availability of critical communication services. Organizations in telecommunications, government, finance, and healthcare that rely on FreePBX for internal or customer communications are particularly exposed. The authentication requirement limits exploitation to insiders or attackers who have obtained credentials, but credential theft or phishing can supply those, and an exposed FreePBX admin interface makes that path easier. The absence of known exploitation in the wild leaves a window for proactive mitigation before widespread attacks occur.
Mitigation Recommendations
1. Immediately upgrade the Endpoint Manager module to 16.0.92 or later on FreePBX 16, or 17.0.6 or later on FreePBX 17, to apply the official patch.
2. Enforce strong authentication policies, including multi-factor authentication (MFA) where the deployment supports it, to reduce the risk of credential compromise.
3. Restrict access to the FreePBX administrative interface to trusted networks and IP addresses using network segmentation and firewall rules.
4. Monitor web-server and FreePBX logs for uploads to the Endpoint Manager with unexpected fwbrand values, in particular values containing path separators or traversal sequences (../), absolute paths, or names outside the expected set of firmware brands.
5. Audit upload directories and the web root regularly for files that do not belong there, especially PHP files, to detect webshells.
6. Put application-layer protections such as a web application firewall (WAF) in front of the admin interface to detect and block malicious upload attempts.
7. Educate administrators about credential phishing and apply least privilege: limit the number of accounts that can reach the Endpoint Manager module at all.
8. Maintain up-to-date backups of configuration and system data to enable recovery after a compromise.
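The following is an added example, not code from FreePBX or the Endpoint Manager module, illustrating the mechanism described in the technical summary (a request parameter that both selects the destination directory and goes unchecked) and the detection steps in items 4 and 5 above. It assumes, purely for illustration, that uploads are meant to land in BASE/fwbrand/filename, that the valid brands are a small allowlist (the names brandA, brandB, brandC are made up), that the admin URL is /admin/config.php with fwbrand in the query string, and that the web-server log is in Apache combined format; the log lines are constructed, not real FreePBX logs.

```python
"""Added example (not FreePBX code): vulnerable vs hardened path resolution for
an upload whose directory comes from a request parameter like fwbrand, plus a
log tripwire and a directory audit for the same weakness.

Assumptions (hypothetical, the page shows no module code): uploads belong in
BASE/<fwbrand>/<filename>, fwbrand must be one of ALLOWED_BRANDS, and the
admin interface logs requests in Apache combined format.
"""
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical allowlist of firmware brand directories.
ALLOWED_BRANDS = {"brandA", "brandB", "brandC"}

# Extensions a PHP application must never accept from an upload form.
DANGEROUS_EXT = {".php", ".phtml", ".phar", ".php5", ".php7", ".phps", ".pht", ".inc", ".sh"}


def resolve_upload_path(base_dir, fwbrand, filename):
    """Vulnerable pattern: the request parameter is joined into the path as-is,
    so '../' in fwbrand walks out of base_dir and the extension is unchecked."""
    return os.path.normpath(os.path.join(base_dir, fwbrand, filename))


def safe_upload_path(base_dir, fwbrand, filename):
    """Hardened pattern: allowlist the directory selector, strip directory parts
    from the filename, reject dangerous extensions and prove the resolved path
    stays under base_dir. Raises ValueError on any violation."""
    if fwbrand not in ALLOWED_BRANDS:
        raise ValueError(f"fwbrand not in allowlist: {fwbrand!r}")
    name = os.path.basename(filename)  # drops any ../ or / in the name
    if name in ("", ".", "..") or "\x00" in name:
        raise ValueError("invalid filename")
    ext = os.path.splitext(name)[1].lower()
    if ext in DANGEROUS_EXT:
        raise ValueError(f"dangerous extension {ext}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, fwbrand, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes upload base")
    return target


def is_upload_accepted(base_dir, fwbrand, filename):
    """True if the hardened check would let this upload through."""
    try:
        safe_upload_path(base_dir, fwbrand, filename)
        return True
    except ValueError:
        return False


# Apache combined-format prefix: ip ident user [ts] "METHOD url proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; the URL layout is assumed, only fwbrand is from the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - admin [14/Oct/2025:19:41:06 +0000] "POST /admin/config.php?display=epm&fwbrand=brandA HTTP/1.1" 200 512',
    '10.0.0.9 - admin [14/Oct/2025:19:42:10 +0000] "POST /admin/config.php?display=epm&fwbrand=..%2F..%2F..%2Fvar%2Fwww%2Fhtml HTTP/1.1" 200 512',
    '10.0.0.9 - admin [14/Oct/2025:19:42:31 +0000] "POST /admin/config.php?display=epm&fwbrand=%252e%252e%252fadmin HTTP/1.1" 200 512',
    '10.0.0.7 - - [14/Oct/2025:19:43:00 +0000] "GET /admin/config.php?display=epm&fwbrand=brandZ HTTP/1.1" 403 0',
]


def fwbrand_findings(log_lines):
    """Return (ip, user, fwbrand, reason) for every request whose fwbrand is
    outside the allowlist. POST bodies are not in access logs, so this only
    sees values in the query string: a tripwire, not full coverage."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m.group("url")).query, keep_blank_values=True)
        for raw in qs.get("fwbrand", []):
            value = unquote(raw)  # second decode catches double-encoded traversal
            if value in ALLOWED_BRANDS:
                continue
            reason = "path traversal" if (".." in value or value.startswith("/") or "\x00" in value) else "unknown brand"
            findings.append((m.group("ip"), m.group("user"), value, reason))
    return findings


def flag_unexpected_files(relative_paths, allowed_dirs=ALLOWED_BRANDS):
    """Directory audit: given paths relative to the upload base, return those
    with a dangerous extension or sitting outside an allowlisted brand dir."""
    hits = []
    for rel in relative_paths:
        parts = rel.replace("\\", "/").split("/")
        ext = os.path.splitext(parts[-1])[1].lower()
        if ext in DANGEROUS_EXT or parts[0] not in allowed_dirs:
            hits.append(rel)
    return hits


def scan_upload_tree(root):
    """Filesystem wrapper around flag_unexpected_files for a live audit."""
    rels = [os.path.relpath(os.path.join(d, f), root)
            for d, _, files in os.walk(root) for f in files]
    return flag_unexpected_files(rels)


if __name__ == "__main__":
    print("vulnerable resolution:", resolve_upload_path("/var/www/html/fw", "../../admin", "shell.php"))
    for row in fwbrand_findings(SAMPLE_LOG):
        print("suspicious fwbrand:", row)
```

The realpath plus commonpath containment check is the part that matters: an allowlist alone protects only the directory selector, while the containment check also defends against a future change that lets another parameter influence the path. The log scanner decodes the value twice on purpose, because a single decode misses %252e-style double encoding.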
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-09-29T20:25:16.181Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68eea752bbec4fba96d79ee2
Added to database: 10/14/2025, 7:41:06 PM
Last enriched: 10/21/2025, 9:53:43 PM
Last updated: 11/28/2025, 2:02:34 PM