Arbitrary file upload in Freepbx Endpointman
CVE-2025-61678
FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions prior to 16.0.92 for FreePBX 16 and versions prior to 17.0.6 for FreePBX 17, the Endpoint Manager module contains an authenticated arbitr…
Vulnerability class: Unrestricted File Upload
EPSS: 0.502 (98.8th percentile)
Affected products
- Freepbx Endpointman — versions < 16.0.92; versions >= 17.0.0 and < 17.0.6
References
- https://github.com/FreePBX/security-reporting/security/advisories/GHSA-7p8x-8m3m-58j9 (x_refsource_CONFIRM)
Frequently asked questions
- What is CVE-2025-61678?
  - CVE-2025-61678 is a vulnerability in Freepbx Endpointman, classified under Unrestricted Upload of File with Dangerous Type. Published 2025-10-14.
- Is CVE-2025-61678 known to be exploited?
  - 1 public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.