FreePBX security patch release for CVE-2025-61675

Security Patch Release
H score 49
1 unique source, 1 article

Summary

FreePBX released fixes for multiple security vulnerabilities affecting its PBX platform, including SQL injection, arbitrary file upload, and an authentication bypass that could enable remote code execution. The release covers CVE-2025-61675, CVE-2025-61678, and CVE-2025-66039, with patched builds 16.0.92 / 17.0.6 and 16.0.44 / 17.0.23. Administrators were also told to move away from webserver authentication and apply temporary hardening steps where needed. The fixes reduce exposure on vulnerable FreePBX instances, especially where the risky authentication mode had been enabled.

Timeline

  1. 15.12.2025 16:32 1 article · 5mo ago

    Horizon3.ai discloses FreePBX SQLi, file upload, and bypass flaws

    Initial Disclosure

    Horizon3.ai identifies CVE-2025-61675, CVE-2025-61678, and CVE-2025-66039 in FreePBX and notifies the project maintainers, covering authenticated SQL injection across four endpoints and 11 parameters, authenticated arbitrary file upload through the firmware upload endpoint, and an AUTHTYPE-based authentication bypass.

  2. 15.12.2025 16:32 2 articles · 5mo ago

    FreePBX recommends webserver-to-usermanager hardening

    Mitigation Patch Update

    Administrators of vulnerable FreePBX instances are told to set Authorization Type to usermanager, set Override Readonly Settings to No, apply the new configuration, reboot to disconnect rogue sessions, and review any instance that used webserver authentication for signs of compromise.
