CVE-2025-57819CRITICAL 9.8CISA KEVEPSS p99.7%

CVE-2025-57819Sangoma FreePBX Authentication Bypass Vulnerability

Sangoma / FreePBX

Description

Sangoma FreePBX contains an authentication bypass vulnerability due to insufficiently sanitized user-supplied data allows unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS87.36% probability of exploitation · percentile 99.7% · 2026-06-16T12:03:06Z
Published2025-08-28
Last modified2025-10-24

CISA KEV entry

Added to KEV: 2025-08-29

Underlying weaknesses· 2

CWE-89CWE-288

References

  1. https://community.freepbx.org/t/security-advisory-please-lock-down-your-administrator-access/107203
  2. https://github.com/FreePBX/security-reporting/security/advisories/GHSA-m42g-xg4c-5f3h
  3. https://github.com/watchtowrlabs/watchTowr-vs-FreePBX-CVE-2025-57819
  4. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-57819

2

TypeTargetConfidenceTier
WeaknessAuthentication Bypass Using an Alternate Path or Channelcwe-2880%live
WeaknessImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection')cwe-890%live

(incoming)1

TypeTargetConfidenceTier
KEVEntrySangoma FreePBX Authentication Bypass Vulnerabilitykev-cve-2025-578190%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2019-19006
CVE
Sangoma FreePBX OS Command Injection Vulnerability
CVE
CVE-2025-32105
CVE
CVE-2025-66039
CVE
CVE-2026-28284
CVE
CVE-2025-55211
Sourced from NVD + CISA KEV + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.