A critical security vulnerability has been discovered in FreePBX, the world’s most popular open-source PBX platform, potentially leaving thousands of phone systems vulnerable to complete takeover. Tracked as CVE-2025-66039, the flaw carries a critical CVSS score of 9.3, signaling an urgent need for administrators to audit their configurations immediately.
The vulnerability is a classic case of authentication bypass, but with a twist: it only triggers when a specific, often overlooked setting is enabled.
The issue lies within the Administrator Control Panel when the system is configured to use “webserver” as its authentication type. This setting, intended to offload authentication duties to the web server itself, contains a fatal logic error.
According to the advisory, “An authentication bypass vulnerability exists in the latest FreePBX versions when the authentication type is set to ‘webserver’”.
Attackers can exploit this by sending a specially crafted HTTP request. “When providing an Authorization header with an arbitrary value, a session is associated with the target user regardless of valid credentials.” In simpler terms, an attacker can simply tell the server “I am the admin,” and if this specific setting is active, the system believes them without checking a password.
The vulnerability affects FreePBX versions prior to 16.0.44 and 17.0.23.
While the “webserver” authentication mode is not the default for most installs, it is a configuration option that some administrators may have enabled for specific integration needs. If enabled, the risk is absolute: unauthorized access to the full administrative interface.
The FreePBX project has released patches in versions 16.0.44 and 17.0.23. However, for those who cannot update immediately, a critical configuration change can neutralize the threat.
Administrators should immediately switch the Authorization Type to “usermanager”. This can be done via the GUI or, for a faster fix, via the Command Line Interface (CLI):
To verify if your system is currently using the vulnerable setting, run:
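The following triage helper is an added example for this article; it is not code from the advisory or from the FreePBX project. It classifies the AUTHTYPE value (the setting that selects “webserver” or “usermanager”) and checks an installed version against the fixed releases named above. The live read assumes that `fwconsole setting AUTHTYPE` prints the current value and that `fwconsole setting AUTHTYPE usermanager` sets it, and it assumes the value is the last token of that output; confirm both against your own build before relying on it.

```shell
#!/bin/sh
# Added triage helper for CVE-2025-66039 (not the advisory's or FreePBX's code).
# FreePBX keeps the admin authentication mode in the AUTHTYPE setting:
#   webserver   -> vulnerable mode described in the advisory
#   usermanager -> the value the advisory tells administrators to switch to

# Classify an AUTHTYPE value. Prints a verdict and returns:
#   0 = safe (usermanager), 1 = vulnerable (webserver), 2 = unrecognised value
classify_authtype() {
    case "$1" in
        webserver)
            echo "VULNERABLE: AUTHTYPE=webserver (CVE-2025-66039 precondition present)"
            return 1 ;;
        usermanager)
            echo "OK: AUTHTYPE=usermanager"
            return 0 ;;
        *)
            echo "UNKNOWN: AUTHTYPE='$1' (inspect manually)"
            return 2 ;;
    esac
}

# Compare an installed framework version with the first fixed release on its
# branch (16.0.44 / 17.0.23). Returns 0 if fixed, 1 if older, 2 if the branch
# is not covered by the advisory. Assumes plain dotted numeric versions.
version_is_fixed() {
    v="$1"
    case "$v" in
        16.*) fixed="16.0.44" ;;
        17.*) fixed="17.0.23" ;;
        *)    return 2 ;;
    esac
    # sort -V orders version strings numerically; the older one sorts first.
    lowest=$(printf '%s\n%s\n' "$v" "$fixed" | sort -V | head -n 1)
    [ "$lowest" = "$fixed" ]
}

# Live check, only when fwconsole is on this host.
# Assumed (verify with `fwconsole --help` on your build):
#   fwconsole setting AUTHTYPE               prints the current value
#   fwconsole setting AUTHTYPE usermanager   applies the advisory's mitigation
# Taking the last whitespace-separated token as the value is an assumption
# about fwconsole's output format.
if command -v fwconsole >/dev/null 2>&1; then
    current=$(fwconsole setting AUTHTYPE 2>/dev/null | awk 'NF { v = $NF } END { print v }')
    classify_authtype "$current" || \
        echo "Mitigation: fwconsole setting AUTHTYPE usermanager, then update to 16.0.44 / 17.0.23"
fi

# Optional: pass the installed framework version (as shown in the GUI) as $1.
if [ $# -gt 0 ]; then
    if version_is_fixed "$1"; then
        echo "Version $1 includes the fix"
    else
        echo "Version $1 predates the fix or is on an uncovered branch"
    fi
fi
```

Run it on the PBX host as a user that can execute `fwconsole`; the exit codes make it easy to fold into a fleet-wide check, where a return of 1 from either function flags a host for the configuration change or the upgrade.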
The advisory also notes that “Proper firewalling can greatly assist in mitigating the effects of this issue,” serving as a reminder that administrative interfaces should never be exposed to the open internet.