CVE-2025-66039 is an authentication bypass vulnerability classified under CWE-287 affecting the FreePBX Endpoint Manager module, which is used to manage telephony endpoints within FreePBX systems. The vulnerability arises when the authentication type is configured as "webserver." In this configuration, the system improperly validates the Authorization header in HTTP requests. An attacker can provide an arbitrary value in the Authorization header, and the system will associate the session with the targeted user without verifying the credentials. This bypasses the authentication mechanism entirely, allowing unauthorized access to the management interface. The flaw affects FreePBX versions earlier than 16.0.44 and versions from 17.0.1 up to but not including 17.0.23. The vulnerability has a CVSS 4.0 base score of 9.3, reflecting its critical nature due to network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. The vulnerability does not require any authentication or user interaction, making it trivially exploitable remotely. Although no public exploits have been observed in the wild, the potential for abuse is significant given the critical role of FreePBX in telephony infrastructure. The vendor has addressed the issue in versions 16.0.44 and 17.0.23, and users are strongly advised to upgrade to these or later versions to remediate the vulnerability.

For European organizations, this vulnerability poses a severe risk to telephony infrastructure security. Exploitation could allow attackers to gain unauthorized administrative access to the FreePBX Endpoint Manager, enabling them to manipulate telephony endpoints, intercept or redirect calls, disrupt voice services, or deploy further attacks within the network. This can lead to loss of confidentiality of sensitive communications, integrity violations through unauthorized configuration changes, and availability disruptions causing denial of telephony services. Organizations in sectors relying heavily on secure voice communications—such as government, finance, healthcare, and critical infrastructure—are particularly at risk. The ease of exploitation without authentication or user interaction increases the likelihood of attacks, potentially leading to significant operational and reputational damage. Additionally, compromised telephony systems can be leveraged for fraud, espionage, or as pivot points for broader network intrusions.

European organizations using FreePBX should immediately verify their version of the Endpoint Manager module and upgrade to version 16.0.44 or 17.0.23 or later to apply the official patch. Until patching is possible, restrict network access to the FreePBX management interfaces by implementing strict firewall rules limiting access to trusted IP addresses only. Employ network segmentation to isolate telephony management systems from general user networks and the internet. Monitor logs for suspicious Authorization header values or unusual access patterns indicative of exploitation attempts. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block anomalous Authorization headers. Regularly audit telephony configurations and user accounts for unauthorized changes. Finally, maintain an incident response plan tailored to telephony infrastructure compromise scenarios to enable rapid containment and recovery.