QwikSec

Security Database

CVE

CWE

Training

CVE-2025-66039

Published: Dec 9, 2025

Modified: Feb 26, 2026

PUBLISHED

Description

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions are vulnerable to authentication bypass when the authentication type is set to "webserver." When providing an Authorization header with an arbitrary value, a session is associated with the target user regardless of valid credentials. This issue is fixed in versions 16.0.44 and 17.0.23.

Vendor	Product	Versions
FreePBX	framework	affected `< 16.0.44` affected `>= 17.0.1, < 17.0.23`

Weaknesses (CWE)

References

https://github.com/FreePBX/security-reporting/security/advisories/GHSA-9jvh-mv6x-w698

x_refsource_CONFIRM

https://github.com/FreePBX/framework/commit/04224253156543cd9932b90458660b2f19fc0e35#diff-72f14a52840a61504a8e03cd195035b44e488aecd634b001bc6412a04bdc940bR20-R50

x_refsource_MISC

https://www.freepbx.org/watch-what-we-do-with-security-fixes-%f0%9f%91%80

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.