module

FreePBX endpoint SQLi to RCE

Try Surface Command
Back to search
Disclosed
Dec 11, 2025
Created
Jan 29, 2026

Description

FreePBX is an open-source IP PBX management tool that provides a modern phone system for businesses that use
VoIP to make and receive phone calls. Versions before 16.0.44 and 17.0.23 are vulnerable to CVE-2025-66039,
while versions before 16.0.92 and 17.0.6 are vulnerable to CVE-2025-61675. The former represents an
authentication bypass: when FreePBX uses Webserver Authorization Mode (an option the admin can enable), it
allows an attacker to authenticate as any user. The latter CVE describes multiple SQL injections; this module
exploits the SQL injection in the custom extension component. The module chains these vulnerabilities into an
unauthenticated SQL injection attack and gains remote code execution by injecting an SQL record into th
cron_jobs table. The cron_jobs database contains cron tasks that FreePBX executes in the context of the
operating system.

Authors

Noah King
msutovsky-r7

Platform

Linux

Architectures

cmd

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


    msf > use exploit/unix/http/freepbx_custom_extension_rce
    msf exploit(freepbx_custom_extension_rce) > show targets
        ...targets...
    msf exploit(freepbx_custom_extension_rce) > set TARGET < target-id >
    msf exploit(freepbx_custom_extension_rce) > show options
        ...show and set options...
    msf exploit(freepbx_custom_extension_rce) > exploit
Title
Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report