Cyber Resilience

CVE-2025-61678

Severity: High
Published: 14 October 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (Endpoint Manager 16.0.92 for FreePBX 16, 17.0.6 for FreePBX 17)
CVSS v4 base score: 8.6 (High)
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics not defined)
EPSS score: 0.1297 (94.2nd percentile)
Risk priority: 25 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-61678 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability. Its CVSS base score is 8.6 (High).

Operationally, its EPSS score places it in the top 5.8% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

FreePBX Endpoint Manager, a module for managing telephony endpoints in FreePBX systems, contains an authenticated arbitrary file upload vulnerability in versions prior to 16.0.92 for FreePBX 16 and prior to 17.0.6 for FreePBX 17. The flaw centers on the fwbrand parameter, which the module uses when building the destination path for an uploaded file; an attacker can alter that path and thereby place a webshell where the web server will serve it. The issue is tracked as CWE-434 and carries a CVSS 4.0 score of 8.6.

An attacker who possesses valid credentials for a known username (the CVSS vector records PR:H, i.e. a privileged account) can exploit the parameter manipulation to place arbitrary files, including executable code, at attacker-chosen locations on the server. Successful exploitation yields remote code execution on the affected FreePBX instance.
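The path-manipulation pattern described above, as an added example written for this page. It is not code from FreePBX or the Endpoint Manager module (which is PHP); Python is used so it runs stand-alone in a scratch directory. The vulnerable handler joins the client-controlled brand string straight into the destination path, so a traversal sequence relocates the write and an unfiltered filename lets a .php file through. The hardened handler applies four independent checks: an exact brand allowlist, basename stripping, an extension allowlist, and a containment check on resolved paths. The function names, the directory layout, the brand allowlist and the extension list are assumptions for the example, not the module's own data.

```python
import os
import tempfile
from pathlib import Path

# Constructed allowlist of handset brands. A real handler would take this from
# its own brand registry; this set is an assumption for the example.
KNOWN_BRANDS = {"aastra", "cisco", "grandstream", "polycom", "yealink"}

# File extensions a firmware package is expected to carry (assumption).
ALLOWED_EXT = (".tgz", ".tar.gz", ".zip", ".bin")


class UploadRejected(ValueError):
    """Raised by the hardened handler when an upload fails validation."""


def save_firmware_vulnerable(firmware_root: Path, fwbrand: str,
                             filename: str, data: bytes) -> Path:
    """The weak pattern: the client-controlled brand string is joined straight
    into the destination path, so '../' in it relocates the write. The filename
    is not filtered either, so a .php file is accepted."""
    dest = firmware_root / fwbrand / filename
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest


def save_firmware_hardened(firmware_root: Path, fwbrand: str,
                           filename: str, data: bytes) -> Path:
    """Four independent checks; each one alone would have stopped the
    webshell upload the advisory describes."""
    # 1. The brand must be an exact allowlist member, so it can never carry
    #    a path separator or traversal sequence.
    if fwbrand not in KNOWN_BRANDS:
        raise UploadRejected(f"unknown brand {fwbrand!r}")

    # 2. Discard any directory component the client put in the filename.
    name = os.path.basename(filename)
    if name in ("", ".", ".."):
        raise UploadRejected("empty filename")

    # 3. Allowlist the extension; a webshell needs an executable one.
    if not name.lower().endswith(ALLOWED_EXT):
        raise UploadRejected(f"disallowed extension on {name!r}")

    # 4. Containment: after resolving symlinks and '..', the destination must
    #    still sit directly inside the brand directory.
    brand_dir = firmware_root.resolve() / fwbrand
    brand_dir.mkdir(parents=True, exist_ok=True)
    brand_dir = brand_dir.resolve()
    dest = (brand_dir / name).resolve()
    if dest.parent != brand_dir:
        raise UploadRejected("destination escapes brand directory")

    dest.write_bytes(data)
    return dest


def demo() -> dict:
    """Exercise both handlers in a scratch tree and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        firmware_root = base / "firmware"
        firmware_root.mkdir()
        payload = b"<?php system($_GET['c']); ?>\n"  # constructed stand-in for a webshell
        results = {}

        # Vulnerable handler: traversal in fwbrand lands the file outside the
        # firmware tree, in a directory the attacker chose.
        written = save_firmware_vulnerable(firmware_root, "../webroot", "shell.php", payload)
        results["vulnerable_escaped"] = written.resolve() == base / "webroot" / "shell.php"

        # Hardened handler: the same request is refused at check 1.
        try:
            save_firmware_hardened(firmware_root, "../webroot", "shell.php", payload)
            results["traversal_rejected"] = False
        except UploadRejected:
            results["traversal_rejected"] = True

        # A valid brand with a .php filename is refused at check 3.
        try:
            save_firmware_hardened(firmware_root, "yealink", "shell.php", payload)
            results["php_rejected"] = False
        except UploadRejected:
            results["php_rejected"] = True

        # Traversal in the filename is neutralised by check 2 and stays contained.
        ok = save_firmware_hardened(firmware_root, "yealink", "../../webroot/rom.bin", b"fw")
        results["contained"] = ok.parent == firmware_root / "yealink" and ok.name == "rom.bin"
        return results


if __name__ == "__main__":
    print(demo())
```

The containment check is the one that matters even if the others are bypassed: it compares the fully resolved parent of the destination with the resolved brand directory, so neither `..` segments nor a planted symlink can move the write out of the tree.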

The referenced GitHub Security Advisory GHSA-7p8x-8m3m-58j9 states that the vulnerability has been resolved in Endpoint Manager 16.0.92 and 17.0.6; administrators should apply these updates to eliminate the file-upload vector.

EPSS for the CVE rose from lower values after disclosure to a peak of 0.2559 on 2026-02-18 before receding to the current 0.1297, indicating that the estimated probability of exploitation increased in the months following publication and has since declined, while remaining well above the median CVE.


Vulnerability details

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions prior to 16.0.92 for FreePBX 16 and versions prior to 17.0.6 for FreePBX 17, the Endpoint Manager module contains an authenticated arbitrary file upload vulnerability affecting the fwbrand parameter. The fwbrand parameter allows an attacker to change the file path. Combined, these issues can result in a webshell being uploaded. Authentication with a known username is required to exploit this vulnerability. Successful exploitation allows authenticated users to upload arbitrary files to attacker-controlled paths on the server, potentially leading to remote code execution. This issue has been patched in version 16.0.92 for FreePBX 16 and version 17.0.6 for FreePBX 17.

CWE(s)

CWE-434: Unrestricted Upload of File with Dangerous Type

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Affected assets are inferred from the references and description; NVD did not file a CPE for this CVE. On that basis: FreePBX Endpoint Manager versions before 16.0.92 (FreePBX 16) and before 17.0.6 (FreePBX 17).
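A version check an administrator can run against the output of `fwconsole ma list`, as an added example for this page (not a FreePBX tool). It parses the pipe-delimited module table, picks out the Endpoint Manager row and compares the installed version with the fixed release for its FreePBX major branch. The sample table below is constructed and its version numbers are made up; the module rawname `endpoint` is an assumption, as is the column layout.

```python
import re
import sys
from typing import Optional

# Fixed releases named in GHSA-7p8x-8m3m-58j9, keyed by FreePBX major version.
FIXED_VERSIONS = {16: "16.0.92", 17: "17.0.6"}

# Module rawname assumed for Endpoint Manager in `fwconsole ma list` output.
ENDPOINT_MODULE = "endpoint"

# Constructed sample in the shape of `fwconsole ma list` output; the version
# numbers are made up for the example.
SAMPLE_OUTPUT = """\
+-------------+-------------+----------+------------+
| Module      | Version     | Status   | License    |
+-------------+-------------+----------+------------+
| core        | 16.0.68.21  | Enabled  | GPLv3+     |
| endpoint    | 16.0.85.24  | Enabled  | Commercial |
| framework   | 16.0.40.7   | Enabled  | GPLv3+     |
+-------------+-------------+----------+------------+
"""


def parse_version(text: str) -> tuple:
    """'16.0.85.24' -> (16, 0, 85, 24). Only numeric components are compared."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_affected(version: str) -> Optional[bool]:
    """True if version is below the fixed release of its major branch, False if
    at or above it, None if the branch is not covered by the advisory."""
    parsed = parse_version(version)
    if not parsed or parsed[0] not in FIXED_VERSIONS:
        return None
    # Tuple comparison: a fourth component makes 16.0.92.1 sort above 16.0.92.
    return parsed < parse_version(FIXED_VERSIONS[parsed[0]])


def installed_module_version(output: str, module: str) -> Optional[str]:
    """Pull the version cell for `module` from the pipe-delimited table."""
    for line in output.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 2 and cells[0] == module:
            return cells[1]
    return None


def check_endpoint_manager(output: str) -> dict:
    """Summarise whether the listed Endpoint Manager build is affected."""
    version = installed_module_version(output, ENDPOINT_MODULE)
    if version is None:
        return {"installed": None, "affected": False, "reason": "module not installed"}
    verdict = is_affected(version)
    parsed = parse_version(version)
    branch = parsed[0] if parsed else None
    if verdict:
        reason = f"below fixed release {FIXED_VERSIONS[branch]}"
    elif verdict is None:
        reason = "not covered by advisory"
    else:
        reason = "at or above fixed release"
    return {"installed": version, "affected": bool(verdict), "reason": reason}


if __name__ == "__main__":
    # Run as:  fwconsole ma list | python3 check_endpoint.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    print(check_endpoint_manager(text))
```

Run it with the real module listing piped in; with no input it falls back to the constructed sample. Versions on a branch the advisory does not name (for example a 15.x module) are reported as not covered rather than as safe.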

Mitigating Controls

Likely Mitigating Controls (automated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-434) cited in the NVD entry and is generic. Two of the entries (portable-device ownership and firmware write-protect) concern removable media and hardware, not a web-application upload handler, and do not apply here. For this CVE the effective controls are upgrading Endpoint Manager to 16.0.92 (FreePBX 16) or 17.0.6 (FreePBX 17), limiting FreePBX administrative access to trusted networks and accounts, and configuring the web server so that files written under upload directories are never executed.

addresses: CWE-434

Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.

addresses: CWE-434

Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.

addresses: CWE-434

Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.

addresses: CWE-434

Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.

References

GitHub Security Advisory GHSA-7p8x-8m3m-58j9 (fix released in Endpoint Manager 16.0.92 and 17.0.6)