CVE-2025-61678

CVE-2025-61678 is a high-severity vulnerability with a CVSS 4.0 base score of 8.6. Its EPSS exploit-prediction score of 50% places it in the 99th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-434.

Key facts

Description

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions prior to 16.0.92 for FreePBX 16 and versions prior to 17.0.6 for FreePBX 17, the Endpoint Manager module contains an authenticated arbitrary file upload vulnerability affecting the fwbrand parameter. The fwbrand parameter allows an attacker to change the file path. Combined, these issues can result in a webshell being uploaded. Authentication with a known username is required to exploit this vulnerability. Successful exploitation allows authenticated users to upload arbitrary files to attacker-controlled paths on the server, potentially leading to remote code execution. This issue has been patched in version 16.0.92 for FreePBX 16 and version 17.0.6 for FreePBX 17.

Frequently asked questions

What is CVE-2025-61678?
FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions prior to 16.0.92 for FreePBX 16 and versions prior to 17.0.6 for FreePBX 17, the Endpoint Manager module contains an authenticated arbitrary file upload vulnerability affecting the fwbrand parameter. The fwbrand parameter allows an attacker to change the file path. Combined, these issues can result in a webshell being uploaded. Authentication with a known username is required to exploit this vulnerability. Successful exploitation allows authenticated users to upload arbitrary files to attacker-controlled paths on the server, potentially leading to remote code execution. This issue has been patched in version 16.0.92 for FreePBX 16 and version 17.0.6 for FreePBX 17.
How severe is CVE-2025-61678?
CVE-2025-61678 has a CVSS 4.0 base score of 8.6, rated high severity.
Is CVE-2025-61678 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 50% (99th percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2025-61678?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
Does CVE-2025-61678 have an EU (EUVD) identifier?
Yes. CVE-2025-61678 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-34456.
When was CVE-2025-61678 published?
CVE-2025-61678 was published on 2025-10-14 and last updated on 2026-06-17.

References

Other CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerabilities

Browse all CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerabilities →