CVE-2025-66039

EPSS 30.44%
Veröffentlicht 09.12.2025 21:32:03
Zuletzt bearbeitet 02.02.2026 14:47:12
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions are vulnerable to authentication bypass when the authentication type is set to "webserver." When providing an Authorization header with an arbitrary value, a session is associated with the target user regardless of valid credentials. This issue is fixed in versions 16.0.44 and 17.0.23.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Sangoma ≫ Freepbx Version < 16.0.44

Sangoma ≫ Freepbx Version >= 17.0.1 < 17.0.23

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	30.44%	0.966

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	9.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://www.freepbx.org/watch-what-we-do-with-security-fixes-%f0%9f%91%80

Vendor Advisory

Not Applicable

https://github.com/FreePBX/security-reporting/security/advisories/GHSA-9jvh-mv6x-w698

Vendor Advisory

Mitigation

https://github.com/FreePBX/framework/commit/04224253156543cd9932b90458660b2f19fc0e35#diff-72f14a52840a61504a8e03cd195035b44e488aecd634b001bc6412a04bdc940bR20-R50

Product

https://nvd.nist.gov/vuln/detail/CVE-2025-66039

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-66039

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-66039

EUVD