Path: blob/master/documentation/modules/auxiliary/gather/freepbx_custom_extension_injection.md
## Vulnerable Application

FreePBX is an open-source IP PBX management tool that provides a modern phone system for businesses that use VoIP to make and receive phone calls. Versions prior to 16.0.44, 16.0.92 and 17.0.6, 17.0.23 are vulnerable to multiple CVEs; this module concerns two of them, CVE-2025-66039 and CVE-2025-61675. Versions before 16.0.44 and 17.0.23 are vulnerable to CVE-2025-66039, while versions before 16.0.92 and 17.0.6 are vulnerable to CVE-2025-61675. The former is an authentication bypass: when FreePBX uses Webserver Authorization Mode (an option the administrator can enable), an attacker can authenticate as any existing user. The latter covers multiple SQL injections; this module exploits the one in the custom extension component. The module chains the two vulnerabilities into an unauthenticated SQL injection that creates a new administrative user.
To set up the environment, perform a minimal installation from here. Note that Authorization Type needs to be set to `webserver`:

1. Log into FreePBX Administration
2. Settings -> Advanced Settings
3. Change Authorization Type to `webserver`
Finally, FreePBX needs to be activated so that the vulnerable APIs are reachable:

1. Log into FreePBX Administration
2. Admin -> System Admin
3. Activate the instance
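The exposure described in the vulnerable-application paragraph depends on two things: the installed version relative to the per-branch fix versions listed there, and whether Authorization Type is set to `webserver` (the precondition for the bypass). The following Python is an added example, not part of this module or of FreePBX, that encodes those version thresholds so an administrator can triage an inventory of hosts. It assumes version strings of the form `MAJOR.MINOR.PATCH` and an `auth_mode` value copied from the Advanced Settings page; the host list at the bottom is constructed sample data.

```python
"""Added example (not part of the Metasploit module documentation or FreePBX):
decide, from the version thresholds stated above, which of the two CVEs a
FreePBX install is still exposed to, and whether the unauthenticated chain
this module relies on (bypass + SQL injection) is reachable.

Assumptions: version strings look like "16.0.40" / "17.0.20"; auth_mode is the
value of the "Authorization Type" advanced setting ("webserver" enables the
bypass, any other value does not).
"""
from __future__ import annotations

# First fixed version per major branch, as stated in the text above.
#   CVE-2025-66039: authentication bypass (needs Authorization Type = webserver)
#   CVE-2025-61675: SQL injection in the custom extension component
FIXED_IN = {
    "CVE-2025-66039": {16: (16, 0, 44), 17: (17, 0, 23)},
    "CVE-2025-61675": {16: (16, 0, 92), 17: (17, 0, 6)},
}


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn "MAJOR.MINOR.PATCH" into a comparable tuple. Extra trailing
    components (e.g. "16.0.40.1") are ignored; fewer than three is an error."""
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised FreePBX version: {version!r}")
    major, minor, patch = (int(p) for p in parts[:3])
    return (major, minor, patch)


def affected_cves(version: str) -> set[str]:
    """Return the CVEs whose fix this version predates on its own branch.
    Branches other than 16 and 17 are not covered by the text above, so they
    yield an empty set rather than a guess."""
    v = parse_version(version)
    found: set[str] = set()
    for cve, fixes in FIXED_IN.items():
        fixed = fixes.get(v[0])
        if fixed is not None and v < fixed:
            found.add(cve)
    return found


def assess(version: str, auth_mode: str) -> dict:
    """Per-host risk summary: which CVEs apply, whether the bypass is live
    (it is only exploitable in webserver authorization mode), and whether
    the full unauthenticated chain is therefore reachable."""
    cves = affected_cves(version)
    bypass_live = "CVE-2025-66039" in cves and auth_mode.strip().lower() == "webserver"
    sqli = "CVE-2025-61675" in cves
    branch = parse_version(version)[0]
    upgrade_to = sorted(
        ".".join(map(str, FIXED_IN[c][branch])) for c in cves if branch in FIXED_IN[c]
    )
    return {
        "version": version,
        "auth_mode": auth_mode,
        "cves": sorted(cves),
        "bypass_live": bypass_live,
        "unauthenticated_chain": bypass_live and sqli,
        # Upgrading past the highest listed fix clears every CVE on this branch.
        "upgrade_to": upgrade_to[-1] if upgrade_to else None,
    }


if __name__ == "__main__":
    # Constructed inventory for demonstration; not real hosts.
    inventory = [
        ("pbx-a", "16.0.40", "webserver"),
        ("pbx-b", "16.0.50", "webserver"),
        ("pbx-c", "17.0.10", "usermanager"),
        ("pbx-d", "17.0.30", "webserver"),
    ]
    for name, ver, mode in inventory:
        r = assess(ver, mode)
        flag = "CHAIN REACHABLE" if r["unauthenticated_chain"] else "ok"
        print(f"{name:6} {ver:8} {mode:12} {', '.join(r['cves']) or '-':32} {flag}")
```

Only a host that is both below the CVE-2025-66039 fix for its branch and configured for `webserver` authorization is flagged as exposed to the unauthenticated chain; a host that is only missing the SQL injection fix still needs an upgrade but is not reachable without credentials through this module's path.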
## Verification Steps

1. Install FreePBX
2. Start msfconsole
3. Do: `use auxiliary/gather/freepbx_custom_extension_injection`
4. Do: `set RHOSTS [target IP address]`
5. Do: `set USERNAME [FreePBX user]`
6. Do: `set NEW_USERNAME [new username]`
7. Do: `set NEW_PASSWORD [new password]`
8. Do: `run`
## Options

**NEW_USERNAME**

Username for the new administrative user.

**NEW_PASSWORD**

Password for the new administrative user.

**USERNAME**

Username of an existing FreePBX user; the authentication bypass requires a valid existing username.