Introduction
Security vulnerabilities have been uncovered in the open-source PBX platform FreePBX, potentially compromising system integrity. Discovered by Horizon3.ai and reported on September 15, 2025, these vulnerabilities, including a critical authentication bypass issue, require immediate attention from IT teams.

Key Details Section

• Who: Horizon3.ai identified the vulnerabilities in FreePBX.
• What: Three significant CVEs have been disclosed:
  • CVE-2025-61675 (CVSS 8.6): Multiple SQL injection vulnerabilities.
  • CVE-2025-61678 (CVSS 8.6): An authenticated arbitrary file upload vulnerability allowing remote code execution.
  • CVE-2025-66039 (CVSS 9.3): A serious authentication bypass vulnerability under specific configurations.
• When: The flaws were reported in September 2025; fixes were released in October and December 2025.
• Where: The vulnerabilities affect FreePBX instances globally.
• Why: Exploiting these vulnerabilities allows attackers significant access to systems, emphasizing the need for enhanced security measures.
• How: Attackers can exploit misconfigured settings to bypass authentication or upload malicious files.

Why It Matters
These vulnerabilities pose severe risks to enterprise security and compliance, impacting:

• AI Model Deployment: Inadequate security can jeopardize sensitive data used in AI systems.
• Hybrid/Multi-Cloud Adoption: Unsecured PBX instances can serve as gateways for attacks within cloud environments.
• Enterprise Security: The flaws require immediate remediation to prevent potential exploits and ensure system integrity.

Takeaway for IT Teams
IT professionals should assess their FreePBX configurations immediately, particularly checking the "Authorization Type" setting. Ensure that the latest updates are applied and monitor systems for any signs of compromise. Plan for a thorough security review to reinforce overall infrastructure security.

For more curated news and infrastructure insights, visit TrendInfra.com.