FreePBX RCE Patches: What to Fix and How AI Helps

AI in Cybersecurity · By 3L3C

FreePBX patched SQLi, file upload, and AUTHTYPE bypass flaws that can lead to RCE. Learn what to fix now—and how AI speeds detection and response.


Most orgs treat VoIP systems like plumbing: essential, mostly invisible, and rarely audited until something floods the basement. FreePBX just proved why that’s risky.

FreePBX released fixes for multiple vulnerabilities—SQL injection, arbitrary file upload, and an AUTHTYPE-based authentication bypass—that can chain into remote code execution (RCE) under real-world configurations. If you run FreePBX on-prem, in a hosted environment, or as part of a broader unified communications stack, this isn’t “just another patch note.” It’s a reminder that voice infrastructure is still infrastructure—and attackers know it.

This post is part of our AI in Cybersecurity series, and I’m going to take a stance: if your patching and detection process can’t move fast enough for vulnerabilities like these, you need automation (and yes, AI) in the loop. Not as magic. As muscle.

What happened: three FreePBX flaws that can end in RCE

FreePBX patched three major issues reported by Horizon3.ai. The important part isn’t the acronyms—it’s the attacker paths they create.

CVE-2025-61675: authenticated SQL injection across multiple endpoints

Answer first: SQL injection in admin-facing endpoints can turn “someone got a low-priv login” into “someone rewrote your system’s truth.”

This set of vulnerabilities includes numerous authenticated SQL injection issues across endpoints tied to device and firmware management (e.g., basestation/model/firmware/custom extension). With 11 affected parameters, an attacker who’s already authenticated can potentially read and write to the underlying database.

Why that matters in PBX land:

  • The database isn’t just call logs—it can contain user accounts, permissions, endpoint configuration, routing rules, and integration secrets.
  • SQL write access can be used to create or elevate users, change auth settings, or prep the system for a second-stage payload.

SQLi is old, but it keeps working because it attacks the part of your stack that many defenders still trust implicitly: data.
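As an added illustration (not code from FreePBX or from the Horizon3.ai report), the following Python uses an in-memory SQLite table to contrast an interpolated query with a parameterised one. The table name, its columns and the `model` request parameter are assumptions standing in for a device/firmware lookup, and the example shows only the read side of what the section describes: a value that is part of the SQL text can widen the query, while a bound parameter cannot.

```python
import sqlite3

def build_db():
    """Constructed in-memory table standing in for a PBX firmware/model table (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE firmware (id INTEGER PRIMARY KEY, model TEXT, file TEXT, internal INTEGER)"
    )
    db.executemany(
        "INSERT INTO firmware (model, file, internal) VALUES (?, ?, ?)",
        [
            ("t46", "t46-1.0.bin", 0),
            ("t48", "t48-2.1.bin", 0),
            ("mgmt", "mgmt-secret.bin", 1),  # row the endpoint is never meant to return
        ],
    )
    return db

def lookup_unsafe(db, model):
    """Vulnerable pattern: the request parameter is spliced into the SQL text."""
    sql = "SELECT file FROM firmware WHERE model = '%s' AND internal = 0" % model
    return [row[0] for row in db.execute(sql)]

def lookup_safe(db, model):
    """Hardened pattern: the driver binds the value, so it can only ever be compared, not parsed."""
    sql = "SELECT file FROM firmware WHERE model = ? AND internal = 0"
    return [row[0] for row in db.execute(sql, (model,))]

if __name__ == "__main__":
    db = build_db()
    crafted = "' OR 1=1 --"  # classic tautology; the trailing comment discards the internal=0 filter
    print("unsafe, normal input :", lookup_unsafe(db, "t46"))
    print("unsafe, crafted input:", lookup_unsafe(db, crafted))
    print("safe,   crafted input:", lookup_safe(db, crafted))
```

The unsafe lookup returns every row, including the one the `internal = 0` filter was supposed to hide; the parameterised lookup returns nothing because no row has that literal model name. The fix for this class is the same in PHP as in Python: prepared statements on every endpoint, not input filtering on the ones someone remembered.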

CVE-2025-61678: authenticated arbitrary file upload via firmware endpoint

Answer first: file upload bugs are one of the shortest paths to RCE—because they turn HTTP into a deployment pipeline.

This vulnerability allows an authenticated attacker to upload arbitrary files via a firmware upload endpoint. In the reported exploit path, that means uploading a PHP web shell and executing commands on the FreePBX host.

A detail defenders should pay attention to: the report notes that in some cases a valid username may not be required for certain endpoints once session artifacts (like PHPSESSID) are in play. Practically, that increases the blast radius of:

  • stolen cookies/sessions
  • misconfigured reverse proxies
  • shared admin credentials
  • exposed management interfaces

If you’ve ever said “it’s fine, only admins can reach that page,” this class of bug is why that assumption breaks.

CVE-2025-66039: AUTHTYPE “webserver” authentication bypass

Answer first: when authentication is delegated to “the webserver,” one misconfiguration can become a front-door key.

This issue occurs when FreePBX’s Authorization Type (AUTHTYPE) is set to webserver. Under that configuration, an attacker can forge an Authorization header and gain access to the Admin Control Panel.

Two nuances matter:

  1. Default isn’t vulnerable, but the option can be exposed if specific “advanced settings” toggles are enabled (friendly name + readonly settings + override readonly settings).
  2. Once enabled, an attacker can potentially insert a malicious user into the ampusers table—functionally similar to prior FreePBX account manipulation issues.

FreePBX also removed the authentication provider choice from the UI and shifted it to CLI configuration via fwconsole, which is a strong signal that the project considers this setting too easy to misuse.
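To make the two trust models concrete, here is an added Python sketch (not FreePBX code) of an application-side `authenticate()` that behaves like the two AUTHTYPE settings the section discusses. The credential store, the PBKDF2 hashing and the exact way the application reads the header are assumptions for the example; what it shows is the structural difference: in `webserver` mode the application takes the header's username on faith because it assumes the web server already checked it, while in `usermanager` mode the application verifies the password itself.

```python
import base64
import hashlib
import hmac

# Constructed credential store standing in for the application's own user manager.
# The salt and PBKDF2 parameters are assumptions for this example, not FreePBX's scheme.
_SALT = b"example-salt"

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

USERS = {"admin": _hash("correct horse battery staple")}

def basic_header(user, password):
    """Build a Basic Authorization header value (used to construct test requests)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def _parse_basic(header):
    """Return (user, password) from a Basic Authorization header, or None if absent/malformed."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(header[6:].strip(), validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def authenticate(headers, authtype):
    """Return the authenticated username or None, for the given AUTHTYPE."""
    creds = _parse_basic(headers.get("Authorization"))
    if creds is None:
        return None
    user, password = creds
    if authtype == "webserver":
        # Weak: the application assumes the web server already enforced authentication,
        # so whatever username the header carries is accepted as-is. If the web server
        # is not actually enforcing auth (the misconfiguration the section describes),
        # the header alone is the key.
        return user
    if authtype == "usermanager":
        # Corrected: the application checks the password against its own store,
        # in constant time, regardless of what the web server did or did not do.
        stored = USERS.get(user)
        if stored is not None and hmac.compare_digest(stored, _hash(password)):
            return user
        return None
    raise ValueError(f"unknown AUTHTYPE: {authtype!r}")

if __name__ == "__main__":
    forged = {"Authorization": basic_header("admin", "not-the-password")}
    print("webserver  :", authenticate(forged, "webserver"))
    print("usermanager:", authenticate(forged, "usermanager"))
```

Run stand-alone, the forged request is accepted as `admin` under `webserver` and rejected under `usermanager`. The point for defenders is that the `webserver` branch is only as safe as every component in front of the application, which is why the page treats the setting as a finding rather than a preference.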

Patch status: which versions fix what (and why timing matters)

Answer first: your priority isn’t “patch eventually”—it’s “get past the fixed versions before the exploit wave hits your sector.”

FreePBX fixed these issues across different release lines:

  • CVE-2025-61675 (SQLi) and CVE-2025-61678 (file upload)
    • Fixed in 16.0.92 and 17.0.6 (fix date: Oct 14, 2025)
  • CVE-2025-66039 (AUTHTYPE bypass)
    • Fixed in 16.0.44 and 17.0.23 (fix date: Dec 9, 2025)

The uncomfortable reality: December is when a lot of teams run on skeleton crews. Change freezes are common. Attackers also know that.

If your PBX is internet-exposed (even “temporarily”) or reachable via VPN credentials that get phished, these dates are not trivia—they’re a countdown.

Why PBX vulnerabilities are a favorite: identity, exposure, and “forgotten” assets

Answer first: PBX platforms get attacked because they combine admin interfaces, credentials, and network adjacency—and they’re often under-monitored.

FreePBX sits in a weird spot. It’s mission-critical, but many security programs don’t treat it with the same rigor as endpoints or cloud workloads. That creates three predictable gaps.

1) Admin panels that aren’t treated like Tier-0 systems

If an attacker gets FreePBX admin access, they’re not just placing calls. They can:

  • create new users and persistence
  • change call routing (fraud + disruption)
  • access voicemail (sensitive info)
  • pivot into the internal network (PBX often has broad reach)

2) “Legacy” auth modes that survive longer than anyone remembers

The webserver AUTHTYPE option reads like a legacy compatibility feature—and those are exactly the features that quietly become liabilities. Legacy modes are also hard to reason about because they depend on external components (reverse proxy, auth headers, webserver modules).

3) Patch lag due to operational fear

Voice systems have reputational gravity. Nobody wants to be the person who “broke phones.” So patches get delayed.

But in my experience, the real risk isn’t the patch—it’s the unplanned outage when an attacker uses your PBX as a beachhead.

Where AI-powered cybersecurity actually helps (and where it doesn’t)

Answer first: AI helps most in the “time gap” between disclosure and remediation: detection, prioritization, and containment.

A vulnerability disclosure creates a predictable race:

  1. defenders inventory and patch
  2. attackers scan, fingerprint versions/configs, and exploit

AI doesn’t replace patching. It helps you move faster and make fewer bad decisions under time pressure.

AI for exposure discovery: finding FreePBX you forgot you had

The fastest fix starts with knowing what exists. AI-assisted asset discovery and attack surface management can:

  • correlate DNS, certificates, service banners, and traffic patterns to flag PBX-like systems
  • identify “shadow IT” voice instances spun up for branch offices, labs, or temporary call centers
  • detect unexpected admin paths exposed through proxies

If you can’t answer “how many FreePBX instances do we run?” within an hour, you don’t have a patching problem—you have an inventory problem.

AI for prioritization: treating RCE paths like emergencies, not tickets

Most teams still triage by CVSS and vendor severity. That’s not enough.

AI-driven vulnerability prioritization is valuable when it includes:

  • internet exposure (is it reachable?)
  • auth context (is there an auth bypass? are creds widely shared?)
  • exploitability signals (scanning patterns, proof-of-concept traits, attacker chatter)
  • business context (is it in call centers during holiday peak?)

For FreePBX, the right stance is simple: anything that can chain to RCE on a management plane should be treated as high-urgency operational risk, even if the initial step is “authenticated.”

AI for detection: catching auth bypass and web shell behavior

These FreePBX issues create behaviors defenders can actually watch for.

An AI-assisted SOC platform (paired with solid logging) can detect:

  • anomalous Authorization header patterns (format, timing, source diversity)
  • admin panel access from unusual geographies or impossible travel
  • sudden creation of new admin users or changes in ampusers
  • suspicious POST activity to firmware upload endpoints
  • new executable files in web directories or unusual PHP execution paths

The point isn’t that AI recognizes “CVE-2025-66039.” The point is it recognizes the shape of the attack, even when the specific exploit changes.

AI for response: shrinking time-to-containment

Once exploitation starts, speed beats elegance. AI-assisted response can:

  • automatically isolate the host or restrict inbound paths to admin interfaces
  • revoke sessions and rotate credentials tied to PBX management
  • generate incident summaries for IT/telephony teams (so security isn’t translating under fire)

If your incident response plan for PBX is “call the voice admin and hope,” you’re going to lose hours you don’t have.

Practical action plan: what to do this week

Answer first: patch, validate auth mode, and add monitoring around the exact paths attackers use.

Here’s a practical checklist you can run with minimal debate.

1) Patch to fixed versions—and verify, don’t assume

  • Upgrade beyond the fixed versions for your branch (16.x or 17.x)
  • Confirm the running version and that the web UI and modules updated as expected
  • Reboot if required by your environment and change control

2) Eliminate risky AUTHTYPE configurations

FreePBX’s own guidance is clear:

  • Set Authorization Type to usermanager
  • Set Override Readonly Settings to No
  • Apply configuration and reboot to drop rogue sessions

Treat any discovered webserver AUTHTYPE usage as a security finding. If it’s “needed,” require a written rationale and compensating controls.

3) Add “cheap” detection around the known attacker routes

Even if you don’t have fancy tools, you can still be smart:

  • log and alert on admin login events and new user creation
  • monitor requests to firmware upload endpoints
  • watch for new or modified files in web-accessible directories
  • baseline normal admin panel source IPs (then alert on outliers)
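The detection bullets in the "AI for detection" section and the "cheap detection" checklist above describe the same signals, so here is one added Python example (not part of the original post, and not a FreePBX or vendor tool) that runs those checks over a few constructed web server log lines. It assumes a custom Apache log format that appends the first word of the `Authorization` request header, and the addresses, the `/admin/` paths, the `view=firmware` query marker and the list of expected admin scripts are all assumptions you would replace with your own environment's values.

```python
import re
from collections import Counter

# Constructed log lines in an assumed custom Apache LogFormat:
#   %h %u %t "%r" %>s "<first word of %{Authorization}i, or - if absent>"
# Addresses, timestamps and paths are made up for this example.
SAMPLE_LOG = """\
10.0.5.21 admin [15/Dec/2025:09:01:10 +0000] "GET /admin/config.php HTTP/1.1" 200 "-"
10.0.5.21 admin [15/Dec/2025:09:02:44 +0000] "POST /admin/config.php?display=endpoint&view=firmware HTTP/1.1" 200 "-"
203.0.113.77 - [15/Dec/2025:23:41:02 +0000] "GET /admin/config.php HTTP/1.1" 200 "Basic"
203.0.113.77 - [15/Dec/2025:23:41:09 +0000] "POST /admin/config.php?display=endpoint&view=firmware HTTP/1.1" 200 "Basic"
203.0.113.77 - [15/Dec/2025:23:41:30 +0000] "GET /admin/assets/cache.php?x=1 HTTP/1.1" 200 "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) "(?P<authz>[^"]*)"$'
)

# Environment-specific baselines (assumed values): admin source addresses seen in
# normal operation, the admin entry points you expect to see requested, and the
# query marker that identifies the firmware upload page.
BASELINE_ADMIN_IPS = {"10.0.5.21"}
KNOWN_ADMIN_SCRIPTS = {"config.php", "ajax.php", "index.php"}
FIRMWARE_UPLOAD_MARKER = "view=firmware"

def analyse(entry):
    """Return the alert names raised by one parsed log entry."""
    alerts = []
    path = entry["path"]
    script = path.split("?", 1)[0].rsplit("/", 1)[-1]
    in_admin = path.startswith("/admin/")
    if in_admin and entry["ip"] not in BASELINE_ADMIN_IPS:
        alerts.append("admin-access-outside-baseline")
    if entry["authz"] not in ("", "-") and entry["user"] == "-":
        # An Authorization header arrived but Apache recorded no authenticated user
        # (%u is '-'): the header passed through unverified, which is exactly what a
        # webserver AUTHTYPE configuration would trust.
        alerts.append("authorization-header-unverified-by-webserver")
    if entry["method"] == "POST" and FIRMWARE_UPLOAD_MARKER in path:
        alerts.append("firmware-upload-post")
    if in_admin and script.endswith(".php") and script not in KNOWN_ADMIN_SCRIPTS:
        # A PHP script nobody expected under the admin tree is a lead worth a look.
        alerts.append("unknown-php-script-requested")
    return alerts

def detect(log_text):
    """Parse the log and return (list of (alert, ip, path), Counter of alerts by name)."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; in production, count these as well
        entry = m.groupdict()
        for alert in analyse(entry):
            hits.append((alert, entry["ip"], entry["path"]))
    return hits, Counter(alert for alert, _, _ in hits)

if __name__ == "__main__":
    hits, summary = detect(SAMPLE_LOG)
    for alert, ip, path in hits:
        print(f"{alert:45} {ip:15} {path}")
    print(dict(summary))
```

None of these checks needs to know a CVE number: the firmware upload from an out-of-baseline address with an unverified `Authorization` header is the shape of the attack the page describes, and the same rules keep firing if the exploit details change. Per-check counts are what you would feed into a SIEM correlation or an AI-assisted triage layer; the baselines are the part that has to be yours.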

4) Assume compromise if you were exposed and misconfigured

If webserver AUTHTYPE was enabled inadvertently, treat that as potential exposure. Look for:

  • unexpected admin users
  • new scheduled tasks or services
  • outbound connections from the PBX host
  • web shells and strange PHP files

Don’t stop at “phones still work.” Attackers love systems that keep working.
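As an added, self-contained example (not from the original post and not a FreePBX utility), the following Python covers two of the four review items above: it compares the users present in a constructed `ampusers` stand-in against the admins you have on record, and walks a constructed web root for PHP files that were modified after your patch baseline or that contain tokens typical of dropped scripts. The table layout beyond the `username` column, the directory layout and the token list are assumptions; on a real host you would point it at the live database export and the real web root.

```python
import os
import re
import sqlite3
import tempfile
import time

def build_ampusers(usernames):
    """Constructed in-memory stand-in for the ampusers table (assumed columns)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ampusers (username TEXT PRIMARY KEY, sections TEXT)")
    db.executemany("INSERT INTO ampusers VALUES (?, ?)", [(u, "*") for u in usernames])
    return db

def unexpected_admins(db, expected):
    """Usernames present in ampusers that are not on the documented admin list."""
    present = {row[0] for row in db.execute("SELECT username FROM ampusers")}
    return sorted(present - set(expected))

# Tokens commonly seen in dropped PHP scripts: command execution or evaluation
# functions, and request superglobals. A match is a lead to review, not proof.
SHELL_TOKENS = re.compile(
    r"\b(eval|system|passthru|shell_exec|exec|assert)\s*\(|\$_(GET|POST|REQUEST)\[",
    re.IGNORECASE,
)

def suspicious_php(webroot, since_epoch):
    """PHP files under webroot modified after since_epoch or containing shell-like tokens."""
    findings = []
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, name)
            reasons = []
            if os.path.getmtime(path) > since_epoch:
                reasons.append("modified-after-baseline")
            with open(path, "r", errors="replace") as fh:
                if SHELL_TOKENS.search(fh.read()):
                    reasons.append("shell-like-code")
            if reasons:
                findings.append((os.path.relpath(path, webroot), reasons))
    return sorted(findings)

def demo_webroot():
    """Build a constructed web root: one file from the baseline, one newer file that
    hands a request parameter to application code. Returns (root, baseline_epoch)."""
    root = tempfile.mkdtemp(prefix="pbx-webroot-")
    os.makedirs(os.path.join(root, "admin", "assets"))
    baseline = time.time() - 30 * 86400  # pretend the last known-good deploy was 30 days ago
    good = os.path.join(root, "admin", "config.php")
    with open(good, "w") as fh:
        fh.write("<?php require_once 'bootstrap.php'; ?>\n")
    os.utime(good, (baseline, baseline))
    newer = os.path.join(root, "admin", "assets", "cache.php")
    with open(newer, "w") as fh:
        fh.write("<?php $target = $_REQUEST['x']; ?>\n")  # constructed: unexpected superglobal use
    return root, baseline + 1

if __name__ == "__main__":
    db = build_ampusers(["admin", "helpdesk", "svc_backup"])
    print("unexpected admins:", unexpected_admins(db, ["admin", "helpdesk"]))
    root, since = demo_webroot()
    for rel, reasons in suspicious_php(root, since):
        print(f"{rel}: {', '.join(reasons)}")
```

The mtime check is the cheap one and catches most drops; the token check is there for files whose timestamps were reset. Pair the output with the outbound-connection and scheduled-task review from the list, and record what you found before you rebuild, because "phones still work" tells you nothing about whether the host is still yours.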

Where this fits in the AI in Cybersecurity series

FreePBX is a clean case study because it shows the modern pattern: multiple medium-to-high vulnerabilities that become critical when chained, plus configuration-dependent auth behavior that defenders overlook.

AI-powered threat detection and response earns its keep in that messy middle—when you’re juggling limited staff, holiday freezes, and a fast-moving exploit window. The goal isn’t to “use AI.” The goal is to reduce time-to-know and time-to-contain.

If you’re responsible for voice systems, here’s the question to end on: could your security stack spot an admin auth bypass attempt and a malicious firmware upload within minutes—before it turns into RCE and persistence?