SQL injection in FreePBX - CVE-2025-57819

Published: August 29, 2025 / Updated: October 31, 2025


Vulnerability identifier: #VU114554
CSH Severity: Critical
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red
CVE-ID: CVE-2025-57819
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: The vulnerability is being exploited in the wild
Vendor: FreePBX
Affected software:
FreePBX

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient sanitization of user-supplied data within the endpoint module. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands, leading to system compromise.

Note: the vulnerability has been actively exploited in the wild since August 21, 2025.
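The description above names the root cause as insufficient sanitization of user-supplied data reaching a SQL statement (CWE-89). The following is an added illustration of that weakness class and its standard fix, not FreePBX's own code, schema or the actual vulnerable statement in the endpoint module (none of which this advisory reproduces). The table, the hypothetical lookup functions and the sample rows are constructed here; the point is that a value spliced into the SQL text is parsed as SQL, while a bound parameter is only ever treated as data.

```python
import re
import sqlite3

# Constructed in-memory table standing in for an application's endpoint table.
# Hypothetical schema for illustration only; it is not FreePBX's.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE endpoints (id INTEGER PRIMARY KEY, mac TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO endpoints (mac, owner) VALUES (?, ?)",
        [("aa:bb:cc:00:00:01", "alice"), ("aa:bb:cc:00:00:02", "bob")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, mac):
    # CWE-89 pattern: the caller's string becomes part of the SQL text, so any
    # quote or operator it contains changes the meaning of the statement.
    sql = "SELECT owner FROM endpoints WHERE mac = '" + mac + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, mac):
    # Fix: the value is bound as a parameter and never parsed by the SQL engine,
    # so a crafted string simply fails to match any row.
    sql = "SELECT owner FROM endpoints WHERE mac = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (mac,))]


MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


def is_valid_mac(value):
    # Defence in depth: an allow-list check on the expected format rejects
    # anything that is not a MAC address before it reaches the database layer.
    return bool(MAC_RE.match(value.lower()))


def lookup_hardened(conn, mac):
    # Validate first, then query with a bound parameter. Returns None for
    # input that does not look like a MAC address at all.
    if not is_valid_mac(mac):
        return None
    return lookup_parameterized(conn, mac)


if __name__ == "__main__":
    db = make_db()
    legit = "aa:bb:cc:00:00:01"
    crafted = "x' OR '1'='1"          # constructed test input containing SQL metacharacters
    print("vulnerable, legit input:  ", lookup_vulnerable(db, legit))
    print("vulnerable, crafted input:", lookup_vulnerable(db, crafted))
    print("bound param, crafted input:", lookup_parameterized(db, crafted))
    print("hardened, crafted input:  ", lookup_hardened(db, crafted))
```

Running the script shows the concatenated query returning every row for the crafted input, while the parameterized and hardened forms return nothing for it and still resolve the legitimate address. In a review or audit, the concatenation pattern in lookup_vulnerable is the thing to grep for; replacing it with bound parameters removes the class rather than filtering individual inputs.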


How to mitigate CVE-2025-57819

Install updates from the vendor's website.

Sources