
CVE-2025-61678: CWE-434: Unrestricted Upload of File with Dangerous Type in FreePBX endpointman

Severity: High
Type: Vulnerability
Tags: cve, cve-2025-61678, cwe-434
Published: Tue Oct 14 2025 (10/14/2025, 19:33:29 UTC)
Source: CVE Database V5
Vendor/Project: FreePBX
Product: endpointman

Description

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions prior to 16.0.92 for FreePBX 16 and versions prior to 17.0.6 for FreePBX 17, the Endpoint Manager module contains an authenticated arbitrary file upload vulnerability affecting the fwbrand parameter. The fwbrand parameter allows an attacker to change the file path. Combined, these issues can result in a webshell being uploaded. Authentication with a known username is required to exploit this vulnerability. Successful exploitation allows authenticated users to upload arbitrary files to attacker-controlled paths on the server, potentially leading to remote code execution. This issue has been patched in version 16.0.92 for FreePBX 16 and version 17.0.6 for FreePBX 17.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 05:54:27 UTC

Technical Analysis

CVE-2025-61678 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) found in the Endpoint Manager module of FreePBX, a popular open-source PBX telephony system. The flaw exists in versions prior to 16.0.92 for FreePBX 16 and versions prior to 17.0.6 for FreePBX 17. It involves the fwbrand parameter, which is improperly validated and allows authenticated users to manipulate the file path during file uploads. This manipulation enables attackers to upload arbitrary files, including malicious webshells, to server paths of the attacker's choosing. Since the vulnerability requires authentication with a known username but no additional user interaction, it is exploitable by insiders or attackers who have obtained valid credentials. Successful exploitation can lead to remote code execution, compromising the confidentiality, integrity, and availability of the affected system. The CVSS 4.0 base score is 8.6 (high), reflecting the network attack vector, low attack complexity, and high impact on confidentiality and integrity. The vulnerability has been patched in FreePBX versions 16.0.92 and 17.0.6, and users are strongly advised to upgrade. No known exploits have been reported in the wild yet, but the potential impact on telephony infrastructure is significant given the critical role of FreePBX in enterprise communications.

Potential Impact

The vulnerability allows authenticated attackers to upload arbitrary files, including webshells, enabling remote code execution on FreePBX servers. This can lead to full system compromise, unauthorized access to sensitive telephony data, interception or manipulation of calls, disruption of telephony services, and lateral movement within the network. Organizations relying on FreePBX for voice communications, especially those in sectors like finance, healthcare, government, and large enterprises, face risks of operational downtime, data breaches, and reputational damage. The ability to upload files to attacker-controlled paths increases the risk of persistent backdoors and further exploitation. Since FreePBX is often exposed to internal networks or VPNs, attackers with stolen credentials or insider access can exploit this vulnerability to escalate privileges and compromise critical infrastructure.

Mitigation Recommendations

1. Immediately upgrade FreePBX Endpoint Manager to version 16.0.92 or later for FreePBX 16, or version 17.0.6 or later for FreePBX 17 to apply the official patch.
2. Restrict access to the Endpoint Manager module to trusted administrators only, using network segmentation and strong authentication mechanisms such as multi-factor authentication (MFA).
3. Monitor logs for unusual file upload activity or changes to the fwbrand parameter to detect potential exploitation attempts.
4. Implement application-layer firewalls or web application firewalls (WAFs) with rules to detect and block suspicious file uploads or path traversal attempts.
5. Regularly audit user accounts and credentials to ensure no unauthorized access is possible, and enforce strong password policies.
6. Conduct periodic security assessments and penetration testing focused on telephony infrastructure to identify and remediate similar vulnerabilities.
7. Backup configuration and system data regularly to enable recovery in case of compromise.
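
The fwbrand monitoring recommended in step 3, sketched as a log check. This is an added example, not code from FreePBX or from this page; the audit-log line format, the placeholder request path and the allowlist for valid brand names are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote

# Assumption: a legitimate brand name is a short token of letters, digits, "_" or "-".
SAFE_BRAND = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Substrings that indicate an attempt to steer the upload path.
MARKERS = {
    "parent-directory sequence": ("..",),
    "path separator": ("/", "\\"),
    "null byte": ("\x00",),
}

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %252e) so encoded traversal is visible."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def fwbrand_findings(raw):
    """Return the reasons a fwbrand value looks like path manipulation."""
    value = fully_decode(raw)
    reasons = [name for name, needles in MARKERS.items()
               if any(n in value for n in needles)]
    if not reasons and not SAFE_BRAND.fullmatch(value):
        reasons.append("outside allowlist")
    return reasons

def scan(lines):
    """Return (source, user, value, reasons) for each suspicious fwbrand in the log."""
    hits = []
    for line in lines:
        # Hypothetical format: "<timestamp> <src_ip> <user> <method> <path> <urlencoded body>"
        parts = line.split(" ", 5)
        if len(parts) != 6:
            continue
        _, src, user, _, _, body = parts
        for key, value in parse_qsl(body, keep_blank_values=True):
            if key == "fwbrand" and (reasons := fwbrand_findings(value)):
                hits.append((src, user, value, reasons))
    return hits

# Constructed sample lines; the request path is a placeholder, not a real FreePBX URL.
SAMPLE_LOG = [
    "2025-10-15T08:01:12Z 10.0.0.5 admin POST /PLACEHOLDER/upload fwbrand=examplebrand&name=fw.bin",
    "2025-10-15T08:03:40Z 10.0.0.9 jdoe POST /PLACEHOLDER/upload fwbrand=..%2F..%2Fexample&name=x",
    "2025-10-15T08:04:02Z 10.0.0.9 jdoe POST /PLACEHOLDER/upload fwbrand=%252e%252e%252fexample&name=x",
]
```

Calling `scan(SAMPLE_LOG)` flags the second and third lines; the third is caught only because nested percent-encoding is unwound before the checks run.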


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-09-29T20:25:16.181Z
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 68eea752bbec4fba96d79ee2

Added to database: 10/14/2025, 7:41:06 PM

Last enriched: 2/27/2026, 5:54:27 AM

Last updated: 3/24/2026, 12:58:58 PM
