#VU114554 SQL injection in FreePBX - CVE-2025-57819


Published: August 29, 2025 / Updated: October 31, 2025


Vulnerability identifier: #VU114554
Vulnerability risk: Critical
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red
CVE-ID: CVE-2025-57819
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: The vulnerability is being exploited in the wild
Vulnerable software: FreePBX
Software vendor: FreePBX

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient sanitization of user-supplied data within the endpoint module. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands, leading to system compromise.
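The advisory names the weakness class (CWE-89) but not the affected code. As an added illustration of that pattern, and not code from FreePBX or from this advisory, the hypothetical PHP below shows a device lookup that interpolates a request value into SQL text, beside the same lookup using a PDO prepared statement plus input validation and an identifier allow-list. The `endpoints` table, its columns and the sample row are assumptions made for the demo.

```php
<?php
// Added example illustrating CWE-89 in PHP. Hypothetical code, NOT the FreePBX
// endpoint module. Table "endpoints" and its columns are assumed for illustration.

// Vulnerable pattern: the caller-supplied value becomes part of the SQL text, so
// the query's structure, not just its data, is under the caller's control.
function findEndpointUnsafe(PDO $db, string $mac): array|false
{
    $sql = "SELECT id, mac, model FROM endpoints WHERE mac = '$mac'";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// Hardened pattern: validate the value's shape first, send it as a bound
// parameter (never as SQL text), and pick variable identifiers from an allow-list.
function findEndpointSafe(PDO $db, string $mac, string $orderBy = 'id'): array|false
{
    // A MAC address in this assumed schema is exactly 12 hex digits; reject anything else.
    if (!preg_match('/^[0-9A-Fa-f]{12}$/', $mac)) {
        throw new InvalidArgumentException('mac must be 12 hex digits');
    }
    // Column names cannot be bound as parameters, so restrict them to known values.
    $allowedColumns = ['id', 'mac', 'model'];
    if (!in_array($orderBy, $allowedColumns, true)) {
        throw new InvalidArgumentException('unsupported sort column');
    }
    $stmt = $db->prepare(
        "SELECT id, mac, model FROM endpoints WHERE mac = :mac ORDER BY $orderBy"
    );
    $stmt->execute([':mac' => $mac]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Self-contained demo against an in-memory SQLite database with constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE endpoints (id INTEGER PRIMARY KEY, mac TEXT, model TEXT)');
$db->exec("INSERT INTO endpoints (mac, model) VALUES ('001122AABBCC', 'demo-phone')");

// Well-formed input: the bound parameter matches the constructed row.
print_r(findEndpointSafe($db, '001122AABBCC'));

// Malformed input containing a quote character: rejected before any SQL is built.
try {
    findEndpointSafe($db, "0011'22AABB");
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The two defences are independent: the prepared statement alone already stops the value from altering the query, and the shape check adds an early reject that is also easy to log. When the database driver is MySQL rather than SQLite, turning off `PDO::ATTR_EMULATE_PREPARES` makes the binding server-side as well.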

Note: the vulnerability has been actively exploited in the wild since August 21, 2025.


Remediation

Install updates from the vendor's website.

External links