CVE-2025-57819
- Source
- https://cve.org/CVERecord?id=CVE-2025-57819
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-57819.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-57819
- Aliases
-
- GHSA-m42g-xg4c-5f3h
- Published
- 2025-08-28T16:45:18.749Z
- Modified
- 2026-03-13T03:35:11.923294Z
- Severity
-
- 10.0 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVSS Calculator
- Summary
- FreePBX Affected by Authentication Bypass Leading to SQL Injection and RCE
- Details
-
FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data allowing unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution. This issue has been patched in endpoint versions 15.0.66, 16.0.89, and 17.0.3.
- Database specific
{ "cwe_ids": [ "CWE-288", "CWE-89" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/57xxx/CVE-2025-57819.json" }- References
-
- https://community.freepbx.org/t/security-advisory-please-lock-down-your-administrator-access/107203
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/57xxx/CVE-2025-57819.json
- https://github.com/FreePBX/security-reporting/security/advisories/GHSA-m42g-xg4c-5f3h
- https://github.com/watchtowrlabs/watchTowr-vs-FreePBX-CVE-2025-57819
- https://nvd.nist.gov/vuln/detail/CVE-2025-57819
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-57819
Affected packages
Git /
Database specific
unresolved_ranges
[
{
"events": [
{
"introduced": "15.0"
},
{
"fixed": "15.0.66"
}
]
},
{
"events": [
{
"introduced": "16.0"
},
{
"fixed": "16.0.89"
}
]
},
{
"events": [
{
"introduced": "17.0"
},
{
"fixed": "17.0.3"
}
]
}
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-57819.json"