Concise Cyber

FreePBX Patches Critical RCE Flaws: SQLi, File-Upload, and AUTHTYPE Bypass

FreePBX has released security patches addressing multiple critical vulnerabilities, including SQL injection (SQLi), arbitrary file upload, and an authentication bypass (AUTHTYPE bypass) flaw. These vulnerabilities could collectively enable remote code execution (RCE) on affected systems.

Details of the Vulnerabilities

The patches specifically target a critical SQL injection vulnerability that could allow attackers to manipulate database queries. In addition, an arbitrary file upload flaw allowed malicious files to be placed on the server, and an AUTHTYPE bypass could circumvent the authentication mechanism, granting unauthorized access.

Risk of Remote Code Execution

Taken together, these vulnerabilities present a significant risk of remote code execution, allowing attackers to take full control of affected FreePBX installations. Users and administrators of FreePBX systems are urged to apply the security updates immediately to protect their systems from exploitation and maintain the integrity of their VoIP infrastructure.

Source: https://thehackernews.com/2025/12/freepbx-authentication-bypass-exposed.html