Ethical Hacking News
The FreePBX community has been affected by a major security breach due to an actively exploited zero-day vulnerability in exposed FreePBX administrator control panels. The breach highlights the importance of maintaining up-to-date security measures, and administrators should take proactive steps to mitigate potential risks.
FreePBX was hit by a major security breach due to an exploited zero-day vulnerability. The breach affected approximately 3,000 SIP extensions and 500 trunks. A fix for the issue is expected within 36 hours. Some users with expired support contracts may not be able to install the EDGE update. Administrators are advised to limit access to the FreePBX Administrator using the Firewall module. The incident highlights the importance of maintaining up-to-date security measures and monitoring for potential vulnerabilities.
The FreePBX community was hit with a major security breach recently, as hackers took advantage of an actively exploited zero-day vulnerability in exposed FreePBX administrator control panels. The breach has left many businesses and organizations vulnerable to potential attacks, highlighting the importance of maintaining up-to-date security measures.
FreePBX is an open-source PBX (Private Branch Exchange) platform built on top of Asterisk, widely used by businesses, call centers, and service providers to manage voice communications, extensions, SIP trunks, and call routing. The vulnerability came to light after attackers began exploiting it in exposed FreePBX administrator control panels, with activity dating back to August 21.
The Sangoma FreePBX Security Team has been working on a fix for this issue, with deployment expected within the next 36 hours. They have released an EDGE module fix for testing, which can be installed using specific commands. However, some users have warned that if their support contracts have expired, they may not be able to install the EDGE update, leaving their systems unprotected.
Several FreePBX customers have come forward stating that their servers had been breached through this exploit, affecting approximately 3,000 SIP extensions and 500 trunks. The affected customers reported that multiple servers in their infrastructure were compromised due to the vulnerability. As part of their incident response, they locked all administrator access and restored their systems to a pre-attack state.
The Sangoma FreePBX Security Team has shared indicators of compromise (IOCs) for determining if a server has been exploited. These IOCs include missing or modified /etc/freepbx.conf configuration files, the presence of /var/www/html/.clean.sh shell scripts, suspicious Apache log entries for modular.php, unusual calls to extension 9998 in Asterisk logs as far back as August 21, and unauthorized entries in the ampusers table of MariaDB/MySQL.
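The IOCs above lend themselves to a quick host triage. The following Python helper is an added example, not Sangoma's tooling: the file paths, the modular.php requests and the extension 9998 references are taken from the published IOCs, while the Apache and Asterisk log line formats it parses are assumptions about a typical install, so adjust the patterns to match local logs.

```python
# IOC triage helpers for the FreePBX zero-day (added example, not Sangoma's tooling).
# Paths and the modular.php / extension 9998 indicators come from the published IOCs;
# the log line formats parsed below are assumptions about a typical install.
import os
import re
from datetime import date

FREEPBX_CONF = "/etc/freepbx.conf"      # missing or modified on compromised hosts
CLEAN_SH = "/var/www/html/.clean.sh"     # dropped by the attacker
EXPLOIT_START = date(2025, 8, 21)        # earliest reported exploitation

# Apache combined log: client, [timestamp], "METHOD path proto", status (assumed format)
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+)[^"]*" (\d{3})')
# Asterisk full log: "[YYYY-MM-DD HH:MM:SS] ..." containing a bare 9998 (assumed format)
ASTERISK_RE = re.compile(r'^\[(\d{4})-(\d{2})-(\d{2}) [^\]]+\].*\b9998\b')

def check_filesystem(conf_path=FREEPBX_CONF, clean_path=CLEAN_SH):
    """Findings for the two filesystem IOCs: absent config, present .clean.sh."""
    findings = []
    if not os.path.isfile(conf_path):
        findings.append(f"missing {conf_path}")
    if os.path.exists(clean_path):
        findings.append(f"unexpected {clean_path}")
    return findings

def apache_hits(lines):
    """(client, timestamp, path) for every request that touched modular.php."""
    hits = []
    for line in lines:
        m = APACHE_RE.match(line)
        if m and "modular.php" in m.group(4):
            hits.append((m.group(1), m.group(2), m.group(4)))
    return hits

def asterisk_9998_hits(lines, since=EXPLOIT_START):
    """Asterisk log lines referencing extension 9998 dated on or after `since`."""
    hits = []
    for line in lines:
        m = ASTERISK_RE.match(line)
        if m and date(*map(int, m.groups())) >= since:
            hits.append(line)
    return hits

def unexpected_ampusers(usernames, expected):
    """ampusers rows (e.g. from SELECT username FROM ampusers) not on the known list."""
    return sorted(set(usernames) - set(expected))

if __name__ == "__main__":
    for finding in check_filesystem():
        print("IOC:", finding)
```

Feed `apache_hits` and `asterisk_9998_hits` the lines of the Apache access log and the Asterisk full log respectively, and pass the usernames pulled from the ampusers table to `unexpected_ampusers` together with the administrators you know you created.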
To mitigate this issue, administrators are advised to limit access to the FreePBX Administrator by using the Firewall module to restrict access to only known trusted hosts. Additionally, they should review call records and phone bills for signs of abuse, especially unauthorized international traffic.
The incident highlights the importance of maintaining up-to-date security measures and monitoring for potential vulnerabilities in critical infrastructure. It also underscores the need for organizations to regularly assess their security posture and take proactive steps to prevent similar breaches.
In conclusion, the recent FreePBX server breach serves as a wake-up call for businesses and organizations that rely on PBX infrastructure. As such, it is essential to prioritize security measures and stay informed about potential vulnerabilities in the critical infrastructure that supports daily operations.
Related Information:
https://www.ethicalhackingnews.com/articles/FreePBX-Server-Breach-A-Zero-Day-Vulnerability-Exposes-Critical-PBX-Infrastructure-ehn.shtml
https://www.bleepingcomputer.com/news/security/freepbx-servers-hacked-via-zero-day-emergency-fix-released/
Published: Wed Aug 27 16:19:14 2025 by llama3.2 3B Q4_K_M