Cyber Posture

CVE-2025-66039

Critical

Published: 09 December 2025
Modified: 02 February 2026
KEV Added: not listed
Patch: available (16.0.44 / 17.0.23)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2463 (percentile 96.2)
Risk Priority: 34 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-66039 is a critical-severity Improper Authentication (CWE-287) vulnerability in Sangoma FreePBX. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.8% of CVEs by exploit likelihood, but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Remediating the authentication bypass flaw by patching FreePBX Endpoint Manager to versions 16.0.44 or 17.0.23 directly prevents exploitation of CVE-2025-66039.

Prevent (IA-2): Requiring unique identification and authentication for organizational users prevents the arbitrary Authorization header from bypassing credentials in the Endpoint Manager module.

Prevent (AC-3): Enforcing approved authorizations ensures that manipulated Authorization headers do not grant unauthorized sessions to target users in FreePBX systems.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2025-66039 is an authentication bypass in the public-facing FreePBX Endpoint Manager web module, enabling remote unauthenticated exploitation for unauthorized access, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions are vulnerable to authentication bypass when the authentication type is set to "webserver." When providing an Authorization header with an arbitrary value, a session is associated with the target user regardless of valid credentials. This issue is fixed in versions 16.0.44 and 17.0.23.

Deeper analysis

CVE-2025-66039 is an authentication bypass vulnerability in the FreePBX Endpoint Manager module, which manages telephony endpoints in FreePBX systems. The flaw occurs when the authentication type is configured to "webserver," allowing an attacker to supply an arbitrary value in the Authorization HTTP header. This results in a valid session being associated with the target user, bypassing the need for legitimate credentials. Affected versions are those prior to 16.0.44 and 17.0.23, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and mapped to CWE-287 (Improper Authentication).

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. By crafting a request with a manipulated Authorization header targeting a specific user, an attacker can impersonate that user and gain unauthorized access to the Endpoint Manager functionality. This enables full control over telephony endpoint configurations, potentially leading to high confidentiality, integrity, and availability impacts, such as reconfiguring devices, intercepting calls, or disrupting PBX operations.

Mitigation is available through upgrading to FreePBX Endpoint Manager versions 16.0.44 or 17.0.23, which address the issue as detailed in the project's GitHub security advisory (GHSA-9jvh-mv6x-w698) and a specific framework commit. FreePBX has also published guidance on their security practices in a related blog post, emphasizing prompt patching for exposed systems.
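A triage helper for the two conditions the analysis above ties the bypass to (an unpatched Endpoint Manager version and the "webserver" authentication type). This is an added example, not FreePBX project code; the fixed versions come from the advisory text, while the way you obtain the inputs (for example from `fwconsole ma list` and the AUTHTYPE advanced setting) is an assumption about your environment.

```python
"""Added triage helper for CVE-2025-66039 (not FreePBX project code).

Given the installed Endpoint Manager module version and the FreePBX
authentication type, report whether the host matches the conditions of
the bypass: only the "webserver" auth type is affected, and the fix
ships in 16.0.44 (16.x line) and 17.0.23 (17.x line).
"""
import re

# Fixed versions per release line, taken from the advisory text.
FIXED_VERSIONS = {16: (16, 0, 44), 17: (17, 0, 23)}


def parse_version(text):
    """'16.0.43' -> (16, 0, 43); raises ValueError on anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_fixed_version(version):
    """True only when the version is at or above the fix for its line."""
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        # Not one of the two lines the advisory names: treat as not known-fixed
        # so it is reviewed rather than silently passed (conservative assumption).
        return False
    return version >= fixed


def assess(module_version, authtype):
    """Return (exposed, reason) for one host.

    module_version: Endpoint Manager version string, e.g. "16.0.43".
    authtype: FreePBX authentication type, e.g. "webserver" or "database".
    """
    v = parse_version(module_version)
    if is_fixed_version(v):
        return False, f"endpoint {module_version} includes the fix"
    if authtype.strip().lower() != "webserver":
        # Unpatched but not in the affected mode: still patch, lower urgency.
        return False, (f"endpoint {module_version} is unpatched but authtype is "
                       f"{authtype!r}; the bypass requires 'webserver'")
    return True, (f"endpoint {module_version} with authtype 'webserver': "
                  f"upgrade to 16.0.44 / 17.0.23")


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    for ver, auth in [("16.0.43", "webserver"), ("17.0.22", "database"), ("17.0.23", "webserver")]:
        print(ver, auth, "->", assess(ver, auth))
```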

Details

CWE(s): CWE-287 (Improper Authentication)

Affected Products: Sangoma FreePBX, versions ≤ 16.0.44 and 17.0.1 to 17.0.23

CVEs Like This One

CVE-2026-28284 (same product: Sangoma FreePBX)
CVE-2026-28209 (same product: Sangoma FreePBX)
CVE-2024-58294 (same product: Sangoma FreePBX)
CVE-2026-28210 (same product: Sangoma FreePBX)
CVE-2025-57819 (same product: Sangoma FreePBX)
CVE-2026-28287 (same product: Sangoma FreePBX)
CVE-2025-55210 (same product: Sangoma FreePBX)
CVE-2024-57520 (same vendor: Sangoma)
CVE-2025-65128 (shared CWE-287)
CVE-2026-34121 (shared CWE-287)
