CVE-2025-66039 is an improper authentication vulnerability (CWE-287) found in the FreePBX Endpoint Manager's security-reporting module. FreePBX is a widely used open-source IP PBX system that manages telephony endpoints. The vulnerability arises specifically when the authentication type is configured as "webserver." Under this configuration, the system incorrectly associates any provided Authorization header value with a valid user session, bypassing the need for valid credentials. This means an attacker can craft a request with an arbitrary Authorization header and gain authenticated access as the targeted user without any authentication checks. The vulnerability affects FreePBX versions earlier than 16.0.44 and versions from 17.0.1 up to but not including 17.0.23. The flaw does not require any privileges or user interaction, and the attack can be performed remotely over the network. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H) reflects a network attack vector with low complexity, no authentication, and no user interaction required, with high impact on confidentiality, integrity, and availability. While no public exploits have been reported yet, the critical nature of the flaw and the widespread use of FreePBX in enterprise telephony environments make it a significant threat. The vulnerability allows attackers to fully compromise telephony endpoint management, potentially enabling interception, manipulation, or denial of telephony services. Patches fixing this issue were released in versions 16.0.44 and 17.0.23.

For European organizations, this vulnerability poses a severe risk to the confidentiality, integrity, and availability of telephony communications. FreePBX is commonly deployed in enterprises, government agencies, and service providers across Europe to manage VoIP endpoints and telephony infrastructure. Exploitation could allow attackers to impersonate users, intercept calls, manipulate call routing, or disrupt telephony services, impacting business operations and sensitive communications. The ability to bypass authentication without user interaction increases the risk of automated or targeted attacks. Critical sectors such as finance, healthcare, public administration, and telecommunications could face operational disruptions, data breaches, and regulatory compliance issues (e.g., GDPR violations due to compromised communications). The lack of known exploits currently provides a window for proactive patching, but the critical severity score underscores the urgency for European organizations to remediate vulnerable systems promptly.

European organizations should immediately identify all FreePBX Endpoint Manager deployments and verify their versions. Systems running versions prior to 16.0.44 or between 17.0.1 and 17.0.23 must be upgraded to 16.0.44 or 17.0.23 or later to remediate the vulnerability. Where immediate patching is not feasible, organizations should restrict network access to the FreePBX management interfaces, ideally limiting access to trusted internal networks or VPNs. Implement network-level controls such as firewall rules and segmentation to isolate telephony management systems from untrusted networks. Monitoring and logging of access attempts to the security-reporting module should be enhanced to detect anomalous Authorization header usage or unauthorized access attempts. Additionally, organizations should review and harden authentication configurations, avoiding the use of the vulnerable "webserver" authentication type if possible. Regular vulnerability scanning and penetration testing focused on telephony infrastructure should be conducted to detect similar weaknesses. Finally, ensure incident response plans include scenarios for telephony system compromise to minimize operational impact.