CVE-2025-57819

CriticalCISA KEVActive ExploitationPublic PoC

Published: 28 August 2025

Published

28 August 2025

Modified

24 October 2025

KEV Added

29 August 2025

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.7673 99.0th percentile

Risk Priority 86 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-57819 is a critical-severity SQL Injection (CWE-89) vulnerability in Sangoma Freepbx. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the vulnerability by requiring timely patching of affected FreePBX versions 15.0.66, 16.0.89, and 17.0.3 to fix the sanitization and authentication bypass flaws.

SI-10 Information Input Validation good match

prevent

Addresses insufficient sanitization of user-supplied data by validating and sanitizing inputs to prevent SQL injection leading to database manipulation.

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations to block unauthenticated access to the FreePBX Administrator interface, countering the authentication bypass.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1053.003 Cron Execution

Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code.

attack.mitre.org →

T1136.001 Local Account Persistence

Adversaries may create a local account to maintain access to victim systems.

attack.mitre.org →

T1505.003 Web Shell Persistence

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

Unauthenticated access via SQL injection enables arbitrary DB manipulation and RCE (T1190), demonstrated by deploying web shells (T1505.003), adding cron jobs (T1053.003), and creating local accounts (T1136.001).

NVD Description

FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data allowing unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution. This issue has…

been patched in endpoint versions 15.0.66, 16.0.89, and 17.0.3.

Deeper analysisAI

CVE-2025-57819 is a critical vulnerability in FreePBX, an open-source web-based graphical user interface for managing PBX systems. It affects FreePBX 15, 16, and 17 endpoints due to insufficiently sanitized user-supplied data, enabling unauthenticated access to the FreePBX Administrator interface. This flaw allows arbitrary database manipulation and remote code execution, as classified under CWE-89 (SQL Injection) and CWE-288 (Authentication Bypass). The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

Unauthenticated attackers with network access can exploit this vulnerability without requiring privileges, user interaction, or special conditions. Exploitation grants high-impact access to manipulate the database arbitrarily and execute remote code on the affected endpoint, potentially leading to full system compromise, data exfiltration, or further lateral movement within the network.

The vulnerability has been addressed in patched endpoint versions 15.0.66, 16.0.89, and 17.0.3. FreePBX community advisories urge immediate lockdown of administrator access, with detailed guidance available via their forum announcement. Additional resources include GitHub security advisories from FreePBX and WatchTowr Labs, which provide technical details and proof-of-concept information.

This CVE appears in CISA's Known Exploited Vulnerabilities Catalog, signaling real-world exploitation activity. Security practitioners should prioritize patching and network segmentation for FreePBX deployments.

Details

CWE(s): CWE-89 CWE-288
KEV Date Added: 29 August 2025

Affected Products

sangoma

freepbx

15.0 — 15.0.66 · 16.0 — 16.0.89 · 17.0 — 17.0.3

CVEs Like This One

CVE-2026-28284Same product: Sangoma Freepbx

CVE-2026-28210Same product: Sangoma Freepbx

CVE-2025-66039Same product: Sangoma Freepbx

CVE-2024-58294Same product: Sangoma Freepbx

CVE-2026-28209Same product: Sangoma Freepbx

CVE-2025-55210Same product: Sangoma Freepbx

CVE-2026-28287Same product: Sangoma Freepbx

CVE-2025-64328Same vendor: Sangomaboth on KEV

CVE-2025-25181Shared CWE-89both on KEV

CVE-2024-57520Same vendor: Sangoma

References

https://community.freepbx.org/t/security-advisory-please-lock-down-your-administrator-access/107203
Issue Tracking, Vendor Advisory · security-advisories@github.com
https://github.com/FreePBX/security-reporting/security/advisories/GHSA-m42g-xg4c-5f3h
Mitigation, Vendor Advisory · security-advisories@github.com
https://github.com/watchtowrlabs/watchTowr-vs-FreePBX-CVE-2025-57819
Exploit, Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-57819
US Government Resource · 134c704f-9b21-4f2e-91b3-4a467353bcc0