CVE-2025-66039 is an improper authentication vulnerability (CWE-287) found in the FreePBX Endpoint Manager module, which is responsible for managing telephony endpoints within FreePBX systems. The vulnerability arises when the authentication method is configured as "webserver." Under this configuration, the system improperly associates a session with the target user if an Authorization header is provided, regardless of the validity of the credentials contained within that header. This means an attacker can craft arbitrary Authorization headers to bypass authentication controls entirely and gain unauthorized access to user sessions. The flaw affects FreePBX framework versions earlier than 16.0.44 and versions from 17.0.1 up to but not including 17.0.23. The vulnerability is remotely exploitable without requiring any privileges or user interaction, making it highly accessible to attackers. The CVSS v4.0 base score of 9.3 reflects the critical nature of this vulnerability, with network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the potential for abuse is significant given the critical role of FreePBX in managing telephony endpoints. The issue has been addressed in FreePBX versions 16.0.44 and 17.0.23, where proper authentication validation has been restored. This vulnerability could allow attackers to manipulate telephony configurations, intercept or redirect calls, and disrupt communications services.

The impact of CVE-2025-66039 is severe for organizations relying on FreePBX for telephony endpoint management. Successful exploitation allows attackers to bypass authentication controls and assume the identity of any user, including administrators. This can lead to unauthorized access to sensitive telephony configurations, enabling interception, manipulation, or redirection of voice communications. Attackers could disrupt business communications, cause denial of service by misconfiguring endpoints, or use compromised systems as a foothold for further network intrusion. Confidentiality is compromised as call data and credentials may be exposed. Integrity is at risk due to unauthorized changes in telephony settings. Availability may be affected if endpoints are disabled or misconfigured. The vulnerability's ease of exploitation and lack of required authentication increase the likelihood of widespread attacks, potentially impacting enterprises, service providers, and critical infrastructure sectors globally.

To mitigate this vulnerability, organizations should immediately upgrade FreePBX Endpoint Manager to versions 16.0.44 or 17.0.23 or later, where the authentication bypass flaw is fixed. Until patches can be applied, restrict network access to the FreePBX management interface by implementing strict firewall rules limiting access to trusted IP addresses only. Employ network segmentation to isolate telephony management systems from general user networks and the internet. Enable and enforce strong authentication mechanisms outside of the vulnerable "webserver" authentication mode, if possible. Monitor logs for suspicious Authorization header values or unusual session activity indicative of exploitation attempts. Conduct regular security audits and vulnerability scans on telephony infrastructure. Additionally, consider deploying intrusion detection/prevention systems (IDS/IPS) tuned to detect anomalous HTTP header manipulations targeting FreePBX endpoints. Maintain up-to-date backups of telephony configurations to enable rapid recovery if compromise occurs.