CVE-2025-66039NVD

Vulnerability Summary

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions are vulnerable to authentication bypass when the authentication type is set to "webserver." When providing an Authorization header with an arbitrary value, a session is associated with the target user regardless of valid credentials. This issue is fixed in versions 16.0.44 and 17.0.23.

Severity Level

CRITICAL(9.3)

Published Date

Dec 9, 2025

Last Modified

Dec 9, 2025

Exploitation Status

????

EPSS Score (30-Day)

Data Pending

Root Weakness (CWE)

CWE-287: Improper Authentication ↗

When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

CVSS v4.0 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

External References

https://github.com/FreePBX/framework/commit/04224253156543cd9932b90458660b2f19fc0e35#diff-72f14a52840a61504a8e03cd195035b44e488aecd634b001bc6412a04bdc940bR20-R50
https://github.com/FreePBX/security-reporting/security/advisories/GHSA-9jvh-mv6x-w698
https://www.freepbx.org/watch-what-we-do-with-security-fixes-%f0%9f%91%80

Critical Alert

CVE Watchtower

CVE-2025-66039NVD

Vulnerability Summary

External References