
CVE-2025-61678

· Published 14/10/2025 20:15 · Modified 14/10/2025 20:15

Labels: CVE-2025-61678, 2025-10-14, CWE-434

Essential information

Published: 14/10/2025 20:15
Modified: 14/10/2025 20:15
CVSS: 8.6 HIGH (v3), 8.6 HIGH (v4.0)
CISA KEV: No
Description

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions prior to 16.0.92 for FreePBX 16 and versions prior to 17.0.6 for FreePBX 17, the Endpoint Manager module contains an authenticated arbitrary file upload vulnerability affecting the fwbrand parameter. The fwbrand parameter allows an attacker to change the file path. Combined, these issues can result in a webshell being uploaded. Authentication with a known username is required to exploit this vulnerability. Successful exploitation allows authenticated users to upload arbitrary files to attacker-controlled paths on the server, potentially leading to remote code execution. This issue has been patched in version 16.0.92 for FreePBX 16 and version 17.0.6 for FreePBX 17.

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.

Affected products (CPE)

Product | CPE
freepbx / endpoint manager | cpe:2.3:a:freepbx:endpoint_manager:16.0.0-16.0.91:*:*:*:*:*:*:*
freepbx / endpoint manager | cpe:2.3:a:freepbx:endpoint_manager:17.0.0-17.0.5:*:*:*:*:*:*:*
