CVE-2025-66039
FreePBX Endpoint Manager Allows Unauthenticated Logins to Administrator Control Panel via Forged Basic Auth Header
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Affected versions are vulnerable to authentication bypass when the authentication type is set to "webserver." When an Authorization header with an arbitrary value is supplied, a session is associated with the target user even though no valid credentials were presented. This issue is fixed in versions 16.0.44 and 17.0.23.
| Field | Value |
|---|---|
| CWE | CWE-287 |
| Vendor | freepbx |
| Product | framework |
| Published | Dec 9, 2025 |
| Last Updated | Feb 26, 2026 |
Affected Versions

FreePBX / framework:
- < 16.0.44
- >= 17.0.1, < 17.0.23
References

- github.com: https://github.com/FreePBX/security-reporting/security/advisories/GHSA-9jvh-mv6x-w698
- github.com: https://github.com/FreePBX/framework/commit/04224253156543cd9932b90458660b2f19fc0e35#diff-72f14a52840a61504a8e03cd195035b44e488aecd634b001bc6412a04bdc940bR20-R50
- freepbx.org: https://www.freepbx.org/watch-what-we-do-with-security-fixes-%f0%9f%91%80