Cyber Web Spider Blog – News

FreePBX Servers Hacked in 0-day Attack

Posted on August 28, 2025 By CWS

A critical zero-day exploit is targeting exposed FreePBX 16 and 17 systems. Threat actors are abusing an unauthenticated privilege escalation vulnerability in the commercial Endpoint Manager module, allowing remote code execution (RCE) when the Administrator Control Panel is reachable from the public internet.

With active compromises detected since August 21, 2025, admins must act immediately to contain the threat.

Key Takeaways
1. Zero-day RCE in the FreePBX Endpoint Manager targeting internet-exposed Admin UIs.
2. Immediately block external access and install EDGE/tagged Endpoint module updates.
3. Check for compromise indicators, isolate/rebuild systems, and restore from pre-August 21 backups.

Firewall Lockdown

FreePBX stated that organizations should first verify whether their FreePBX/PBXAct instance is accessible externally.

If the Administrator Control Panel (ACP) is reachable on ports 80 or 443, block all external traffic at the network perimeter.

Alternatively, use the FreePBX Firewall module to restrict the Internet/External zone to known trusted hosts only.

After lockdown, confirm local-only access by testing ACP connectivity from an untrusted network (e.g., cellular data).
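The lockdown steps above can be expressed as a perimeter rule plus a reachability probe. The script below is an added example, not code from the advisory or the FreePBX project: it emits an nftables ruleset that accepts ports 80/443 only from an allow-list of management addresses and drops every other source, and it probes the ACP URL from wherever it is run. The trusted addresses and the /admin/ path are placeholders; the FreePBX Firewall module remains the supported way to scope the External zone, and this is the equivalent applied at a perimeter host.

```shell
#!/bin/sh
# Added example, not from the advisory or the FreePBX project. Trusted CIDRs
# and the ACP path are placeholders; review the output before applying it.

# Print an nftables ruleset: 80/443 accepted from the given IPv4 CIDRs and
# from loopback, dropped from everything else. IPv6 would need a parallel
# "ip6 saddr" rule if the PBX also has a public v6 address.
acp_allowlist_rules() {
  [ "$#" -gt 0 ] || { echo "usage: acp_allowlist_rules CIDR [CIDR...]" >&2; return 1; }
  list=""
  for cidr in "$@"; do
    # Reject anything that is not digits, dots and an optional /prefix so a
    # malformed entry cannot smuggle extra nft syntax into the set.
    case "$cidr" in
      ""|*[!0-9./]*) echo "rejecting malformed entry: $cidr" >&2; return 1 ;;
    esac
    list="${list:+$list, }$cidr"
  done
  cat <<EOF
table inet acp_guard {
  chain input {
    type filter hook input priority 0; policy accept;
    iifname "lo" accept
    ip saddr { $list } tcp dport { 80, 443 } accept
    tcp dport { 80, 443 } drop
  }
}
EOF
}

# After lockdown, run this from an untrusted network (e.g. cellular data):
# prints the HTTP status the ACP answered with, or 000 when the connection
# was refused or timed out, which is the result you want to see.
acp_probe() {
  curl -s -o /dev/null -m 5 -k -w '%{http_code}\n' "https://$1/admin/"
}

# Usage (placeholder addresses): review the ruleset, then apply with `nft -f`.
acp_allowlist_rules 203.0.113.0/24 198.51.100.7
```

The generated chain uses `policy accept` so it only adds the two ACP-port rules and does not replace whatever else the host's firewall already does; SIP and RTP traffic is untouched.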

Next, update the Endpoint module to the provided EDGE builds for testing. FreePBX v16/v17 users can execute:

PBXAct v16 and v17 users should specify stable tags:

A full QA-tested release will follow within 12 hours; perform a standard module update once available via Admin → Module Admin.

Mitigations

To detect potential infection, administrators should perform the following checks:

Ensure /etc/freepbx.conf still exists.

Look for the malicious dropper script /var/www/html/.clean.sh

Scan Apache logs for POST requests to modular.php since August 21.

Check Asterisk logs for calls to extension 9998.

Query MySQL for suspicious ampusers.
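The checks above can be run as one read-only triage pass. The script below is an added example, not the advisory's or the FreePBX project's code (and not the collect_forensics_freepbx.sh script mentioned later): it counts POST requests to modular.php in an Apache combined-format access log dated on or after a cutoff (default August 21, 2025), counts dialplan executions for extension 9998 in the Asterisk full log, checks that freepbx.conf is present and the dropper absent, and lists ampusers rows. The default file locations, and the ampusers column names, are assumptions from a stock install; the sample log lines are constructed so that it runs stand-alone.

```shell
#!/bin/sh
# Added example, not part of the advisory or the FreePBX project: a read-only
# triage script for the indicators listed above. Real paths (webroot, /etc,
# Apache access log, Asterisk "full" log) are assumptions; pass your own.

# Count POST requests whose path contains modular.php, dated on or after a
# cutoff (YYYYMMDD, default 20250821), in an Apache combined-format access log.
count_modular_posts() {
  awk -v cutoff="${2:-20250821}" '
    BEGIN {
      split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
      for (i = 1; i <= 12; i++) mon[names[i]] = sprintf("%02d", i)
    }
    # $4 is the timestamp field, e.g. [21/Aug/2025:10:15:42; $6 the method.
    $6 == "\"POST" && $7 ~ /modular\.php/ {
      split(substr($4, 2), d, "[/:]")
      if ((d[3] mon[d[2]] d[1]) >= cutoff) n++
    }
    END { print n + 0 }
  ' "$1"
}

# Count dialplan executions for extension 9998 in the Asterisk "full" log.
count_ext_9998() {
  grep -c -F 'Executing [9998@' "$1" || true
}

# Print present/absent for a path: the dropper must be absent, freepbx.conf present.
path_state() {
  if [ -e "$1" ]; then echo present; else echo absent; fi
}

# Admin accounts live in the ampusers table of the asterisk database. Column
# names are assumed from a stock schema; review every row you do not recognise.
list_amp_users() {
  mysql --batch asterisk -e "SELECT username, sections FROM ampusers"
}

# Run the file-based checks; findings go to stderr, the hit count to stdout.
# Arguments: webroot, etc dir, Apache access log, Asterisk full log.
triage() {
  hits=0
  [ "$(path_state "$2/freepbx.conf")" = absent ] && { echo "freepbx.conf missing" >&2; hits=$((hits + 1)); }
  [ "$(path_state "$1/.clean.sh")" = present ] && { echo "dropper $1/.clean.sh found" >&2; hits=$((hits + 1)); }
  posts=$(count_modular_posts "$3")
  [ "$posts" -gt 0 ] && { echo "$posts POST(s) to modular.php since cutoff" >&2; hits=$((hits + 1)); }
  calls=$(count_ext_9998 "$4")
  [ "$calls" -gt 0 ] && { echo "$calls call(s) to extension 9998" >&2; hits=$((hits + 1)); }
  echo "$hits"
}

# Constructed sample data (not real logs) so the script runs stand-alone.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/html" "$SAMPLE_DIR/etc"
: > "$SAMPLE_DIR/etc/freepbx.conf"
: > "$SAMPLE_DIR/html/.clean.sh"
cat > "$SAMPLE_DIR/access_log" <<'EOF'
203.0.113.7 - - [19/Aug/2025:09:02:11 +0000] "POST /admin/modular.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [21/Aug/2025:10:15:42 +0000] "POST /admin/modular.php HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.4 - - [22/Aug/2025:03:14:07 +0000] "GET /admin/config.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Sep/2025:00:00:01 +0000] "POST /admin/modular.php?x=1 HTTP/1.1" 200 64 "-" "curl/8.0"
EOF
cat > "$SAMPLE_DIR/full" <<'EOF'
[2025-08-22 03:14:09] VERBOSE[2211][C-00000004] pbx.c: Executing [9998@from-internal:1] NoOp("PJSIP/1001-00000003", "") in new stack
[2025-08-22 03:15:00] VERBOSE[2211][C-00000005] pbx.c: Executing [1002@from-internal:1] Dial("PJSIP/1001-00000004", "PJSIP/1002") in new stack
EOF

# Stand-alone run: prints 3 (dropper present, two modular.php POSTs, one 9998 call).
triage "$SAMPLE_DIR/html" "$SAMPLE_DIR/etc" "$SAMPLE_DIR/access_log" "$SAMPLE_DIR/full"
# Real run (paths are assumptions; Debian-based hosts log to /var/log/apache2):
# triage /var/www/html /etc /var/log/httpd/access_log /var/log/asterisk/full
```

The August 19 POST in the sample is deliberately excluded by the default cutoff; pass an earlier YYYYMMDD as the second argument to count_modular_posts if you want to see how far back the activity goes. A non-zero hit count means the host should be treated as compromised and handled per the isolation and rebuild steps that follow.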

If any indicators are present, isolate the system and plan recovery. Preserve backups older than August 21, deploy a clean FreePBX installation with hardened firewall settings, restore data, and rotate all credentials (system, SIP trunks, extensions, voicemail, UCP).

Forensic collection can be automated using the community's collect_forensics_freepbx.sh script, released under AGPLv3, to snapshot logs, configuration files, and process states for analysis.

Users running FreePBX versions prior to v16 should remain vigilant; Sangoma continues to investigate the root cause and will publish a CVE once the vulnerability has been fully assessed.

Until then, disabling internet access to the ACP and applying the Edge or Stable Endpoint module updates remain the most effective defenses.
