Aug 29, 2025Ravie LakshmananZero-Day / Vulnerability
The Sangoma FreePBX Safety Staff has issued an advisory warning about an actively exploited FreePBX zero-day vulnerability that impacts programs with an administrator management panel (ACP) uncovered to the general public web.
FreePBX is an open-source non-public department change (PBX) platform broadly utilized by companies, name facilities, and repair suppliers to handle voice communications. It is constructed on prime of Asterisk, an open-source communication server.
The vulnerability, assigned the CVE identifier CVE-2025-57819, carries a CVSS rating of 10.0, indicating most severity.
“Insufficiently sanitized user-supplied knowledge permits unauthenticated entry to FreePBX Administrator, resulting in arbitrary database manipulation and distant code execution,” the undertaking maintainers stated in an advisory.
The problem impacts the next variations –
FreePBX 15 prior to fifteen.0.66
FreePBX 16 previous to 16.0.89, and
FreePBX 17 previous to 17.0.3
Sangoma stated an unauthorized consumer started accessing a number of FreePBX model 16 and 17 programs related to the web beginning on or earlier than August 21, 2025, particularly people who have insufficient IP filtering or entry management lists (ACLs), by profiting from a sanitization challenge within the processing of user-supplied enter to the industrial “endpoint” module.
The preliminary entry obtained utilizing this technique was then mixed with different steps to doubtlessly achieve root-level entry on the goal hosts, it added.
In mild of lively exploitation, customers are suggested to improve to the newest supported variations of FreePBX and limit public entry to the administrator management panel. Customers are additionally suggested to scan their environments for the next indicators of compromise (IoCs) –
File “/and so on/freepbx.conf” just lately modified or lacking
Presence of the file “/var/www/html/.clear.sh” (this file mustn’t exist on regular programs)
Suspicious POST requests to “modular.php” in Apache internet server logs relationship again to no less than August 21, 2025
Telephone calls positioned to extension 9998 in Asterisk name logs and CDRs are uncommon (until beforehand configured)
Suspicious “ampuser” consumer within the ampusers database desk or different unknown customers
“We’re seeing lively exploitation of FreePBX within the wild with exercise traced again so far as August 21 and backdoors being dropped post-compromise,” watchTowr CEO Benjamin Harris stated in a press release shared with The Hacker Information.
“Whereas it is early, FreePBX (and different PBX platforms) have lengthy been a favourite looking floor for ransomware gangs, preliminary entry brokers and fraud teams abusing premium billing. If you happen to use FreePBX with an endpoint module, assume compromise. Disconnect programs instantly. Delays will solely enhance the blast radius.”
