SB2025082906 - SQL injection in FreePBX

Description

This security bulletin contains information about 1 vulnerability.

1) SQL injection (CVE-ID: CVE-2025-57819)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient sanitization of user-supplied data within the endpoint module. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands, leading to system compromise.

Note, the vulnerability is being actively exploited in the wild since August 21, 2025.

Remediation

Install update from vendor's website.

References

• https://community.freepbx.org/t/security-advisory-please-lock-down-your-administrator-access/107203
• https://github.com/FreePBX/security-reporting/security/advisories/GHSA-m42g-xg4c-5f3h