[VULNERABILITY ALERT] Critical Security Vulnerability in Sangoma's FreePBX Phone Management System (CVE-2025-66039)

• Subject: [VULNERABILITY ALERT] Critical Security Vulnerability in Sangoma's FreePBX Phone Management System (CVE-2025-66039)

• Content Description:
  • Forwarded from Taiwan Computer Emergency Response Team/Coordination Center Security Alert TWCERTCC-200-202512-00000008
  • FreePBX is an open-source IP phone management system by Sangoma, encompassing VOIP management, call forwarding, conferencing features, and more. Recently, FreePBX released a critical security advisory, stating that the FreePBX Endpoint Manager module contains an authentication bypass vulnerability (CVE-2025-66039, CVSS 4.x: 9.3). If the authentication type is set to “webserver”, the module allows for authentication bypass; if the value of the Authorization header is arbitrary, the session will be directed to the target user regardless of whether the credentials are valid.
• Affected Platforms:
  • FreePBX versions prior to 16.0.44 (exclusive)
  • FreePBX versions prior to 17.0.23 (exclusive)
• Recommended Actions:
  • Please update to the following versions: FreePBX version 16.0.44, FreePBX version 17.0.23
• Reference Material:
  • https://www.twcert.org.tw/tw/cp-169-10582-80c21-1.html

Computer and Communication Center
Network Systems Division, Respectfully