CVE-2025-59056 MEDIUM

CVE-2025-59056: FreePBX vulnerable to unauthenticated Denial of Service

Vendor: Freepbx
Product: framework
Weakness: CWE-22 · Path traversal
Published: September 15, 2025
Last update: February 13, 2026

CVSS base score

6.6/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:Y/R:U/V:D/RE:L/U:Red

What the vulnerability does

01 Description

FreePBX is an open-source web-based graphical user interface. In FreePBX 15, 16, and 17, malicious connections to the Administrator Control Panel web interface can cause the uninstall function to be triggered for certain modules. This function drops the module's database tables, which is where most modules store their configuration. This vulnerability is fixed in 15.0.38, 16.0.41, and 17.0.21.

Key dates

02 Disclosure timeline

September 15, 2025: CVE published
February 13, 2026: Record updated