[Security Vulnerability Alert] Sangoma's FreePBX telephone management system has a critical cybersecurity vulnerability (CVE-2025-66039).

[Security Vulnerability Alert] Sangoma's FreePBX telephone management system has a critical cybersecurity vulnerability (CVE-2025-66039).

2025/12/23 ～ 2026/6/23

View Count：25

Forwarded from Taiwan Computer Network Crisis Management and Coordination Center: Cybersecurity Alert TWCERTCC-200-202512-00000008

[Content Description]
FreePBX is an open-source IP telephony management system from Sangoma, including features such as VoIP management, call forwarding, and conferencing. Recently, FreePBX issued a major cybersecurity announcement, indicating that its FreePBX Endpoint Manager module contains an authentication error vulnerability (CVE-2025-66039, CVSS 4.x: 9.3). If the authentication type is set to "webserver," the module has an authentication bypass vulnerability; if the value of the Authorization header is arbitrary, regardless of the validity of the credentials, the session will be redirected to the target user.

[Affected Platforms]
● FreePBX versions prior to 16.0.44
● FreePBX versions prior to 17.0.23

[Recommended Actions]
Please update to the following versions: FreePBX 16.0.44, FreePBX 17.0.23

[Reference]
https://www.twcert.org.tw/tw/cp-169-10582-80c21-1.html

[Security Vulnerability Alert] Sangoma's FreePBX telephone management system has a critical cybersecurity vulnerability (CVE-2025-66039).

2025/12/23 ～ 2026/6/23

View Count：25

Files

參考資料

【Back】

[Security Vulnerability Alert] Sangoma's FreePBX telephone management system has a critical cybersecurity vulnerability (CVE-2025-66039).

2025/12/23 ～ 2026/6/23

View Count：25

Files

system_update_alt參考資料

【Back】

參考資料