CVE-2025-57819 | Attaxion

CISA Known Exploited Vulnerability (KEV)

Name

Sangoma FreePBX Authentication Bypass Vulnerability

Exploit added

August 29, 2025

Action due

September 19, 2025

Action required

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data allowing unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution. This issue has been patched in endpoint versions 15.0.66, 16.0.89, and 17.0.3.

References

Weakness Enumeration

CWE-ID	CWE Name
CWE-89	Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Known Affected Software Configurations

cpe:2.3:a:sangoma:freepbx:16.0.33:::::::*
cpe:2.3:a:sangoma:freepbx:16.0.37:::::::*
cpe:2.3:a:sangoma:freepbx:16.0.35:::::::*
cpe:2.3:a:sangoma:freepbx:16.0.38:::::::*
cpe:2.3:a:sangoma:freepbx:16.0.36:::::::*
cpe:2.3:a:sangoma:freepbx:16.0.39:::::::*
cpe:2.3:a:sangoma:freepbx:16.0.34:::::::*
cpe:2.3:a:sangoma:freepbx:16.0.32:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.3:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.8.1:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.5:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.14:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.4:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.19:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.8.4:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.25:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.12.8:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.12.6:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.12.3:::::::*
cpe:2.3:a:sangoma:freepbx:15.0.1.19:::::::*
cpe:2.3:a:sangoma:freepbx:15.0.1.17:::::::*
cpe:2.3:a:sangoma:freepbx:15.0.1.12:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.33:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.18:::::::*
cpe:2.3:a:sangoma:freepbx:15.0.1.15:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.31:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.16.12:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.16.3:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.13:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.7.2:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.12.9:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.16.10:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.12.1:::::::*
cpe:2.3:a:sangoma:freepbx:15.0.1.10:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.39:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.37:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.28:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.7.7:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.34:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.26:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.32:::::::*
cpe:2.3:a:sangoma:freepbx:15.0.1.21:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.12.2:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.16.2:::::::*
cpe:2.3:a:sangoma:freepbx:15.0.1.14:::::::*
cpe:2.3:a:sangoma:freepbx:15.0.1.16:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.16.1:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.20:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.12.13:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.12.11:::::::*
cpe:2.3:a:sangoma:freepbx:15.0.1.22:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.16.4:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.8:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.12.10:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.1:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.16.13:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.16:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.22:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.8.2:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.40:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.8.3:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.43:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.9.1:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.11.1:::::::*
cpe:2.3:a:sangoma:freepbx:15.0.1.18:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.2:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.16.11:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.21:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.7.4:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.15:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.7.5:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.24:::::::*
cpe:2.3:a:sangoma:freepbx:15.0.1.24:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.27:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.41:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.30:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.44:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.29:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.6:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.23:::::::*
cpe:2.3:a:sangoma:freepbx:15.0.1.1:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.12.7:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.35:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.10.4:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.38:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.36:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.7.6:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.9:::::::*
cpe:2.3:a:sangoma:freepbx:15.0.1.26:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.42:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.7:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.12.4:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.7.1:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.10.1:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.16.9:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.13.17:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.12.12:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.16.6:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.16.8:::::::*
cpe:2.3:a:sangoma:freepbx:14.0.16.5:::::::*

Details

Source:
NVD

Published:
August 28, 2025

Updated:
September 12, 2025

Risk information

CVSS v3

Base score:
9.8

Severity:

CRITICAL

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

Not defined