CVE-2025-66039 | THREATINT

Description

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions are vulnerable to authentication bypass when the authentication type is set to "webserver." When providing an Authorization header with an arbitrary value, a session is associated with the target user regardless of valid credentials. This issue is fixed in versions 16.0.44 and 17.0.23.

PUBLISHED Reserved 2025-11-21 | Published 2025-12-09 | Updated 2025-12-10 | Assigner GitHub_M

CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-287: Improper Authentication

Product status

< 16.0.44

affected

>= 17.0.1, < 17.0.23

affected

References

github.com/...orting/security/advisories/GHSA-9jvh-mv6x-w698

github.com/...ommit/04224253156543cd9932b90458660b2f19fc0e35

www.freepbx.org/watch-what-we-do-with-security-fixes-👀

cve.org (CVE-2025-66039)

nvd.nist.gov (CVE-2025-66039)

Download JSON