CVE-2025-66039 CRITICAL

CVE-2025-66039: FreePBX Endpoint Manager Allows Unauthenticated Logins to Administrator Control Panel via Forged Basic Auth Header

Vendor Freepbx
Product framework
Weakness CWE-287 · Improper authentication
Published December 9, 2025
Last update February 26, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions are vulnerable to authentication bypass when the authentication type is set to "webserver." When providing an Authorization header with an arbitrary value, a session is associated with the target user regardless of valid credentials. This issue is fixed in versions 16.0.44 and 17.0.23.

Key dates

02Disclosure timeline

December 9, 2025 CVE published
February 26, 2026 Record updated