

Ethical Hacking News

FreePBX Zero-Day Exploited: A Growing Concern for Businesses and Individuals Alike




A critical FreePBX zero-day vulnerability is being actively exploited, putting businesses and individuals at risk. The flaw affects multiple versions of FreePBX and allows an attacker to perform SQL injection (SQLi) and achieve remote code execution (RCE), leading to arbitrary database manipulation and code execution on the server. Immediate action is necessary: update FreePBX, restrict public access to the administrator control panel (ACP), and check for indicators of compromise (IoCs).

  • FreePBX zero-day vulnerability CVE-2025-57819 has been assigned a critical CVSS score of 10.0.
  • The vulnerability allows arbitrary database manipulation and remote code execution due to insufficiently sanitized user-supplied data.
  • The impacted versions are FreePBX 15 prior to 15.0.66, FreePBX 16 prior to 16.0.89, and FreePBX 17 prior to 17.0.3.
  • Users are urged to update FreePBX, restrict public ACP access, and check for Indicators of Compromise (IoCs).
  • The vulnerability has been observed being exploited in the wild; most potentially vulnerable systems are in the US, Russia, and Germany.



    Expert warnings have been issued regarding an actively exploited FreePBX zero-day vulnerability, which has significant implications for businesses and individuals alike. The vulnerability, tracked as CVE-2025-57819, is rated at a critical 10.0 on the Common Vulnerability Scoring System (CVSS) scale, indicating a high level of severity.

    FreePBX is an open-source telephony software platform that provides a web-based graphical interface for managing Asterisk, the most widely used open-source PBX (Private Branch Exchange). With FreePBX, organizations can set up and manage features like VoIP (Voice over IP) calls, call routing and extensions, voicemail, call recording, and conferencing, as well as integration with SIP trunks and phones.

    The root cause of the issue is insufficiently sanitized user-supplied data, which allows unauthenticated access to the FreePBX Administrator, leading to arbitrary database manipulation and remote code execution. This vulnerability has already been observed in the wild, highlighting the urgent need for immediate action.

    Project administrators revealed that an attacker exploited a flaw in the "endpoint" module of FreePBX v16 and v17 on systems exposed to the internet. This initial entry point was then chained with several other steps to ultimately gain potentially root-level access on the target systems.

    The vulnerability impacts FreePBX 15 prior to 15.0.66, FreePBX 16 prior to 16.0.89, and FreePBX 17 prior to 17.0.3. Users are urged to update FreePBX, restrict public ACP access, and check for IoCs (Indicators of Compromise), including:

    - File /etc/freepbx.conf recently modified or missing
    - File /var/www/html/.clean.sh present (it should not exist on normal systems)
    - POST requests to modular.php in web server logs (likely not legitimate traffic)
    - Phone calls placed to extension 9998 in call logs and CDRs (unusual unless previously configured)
    - A suspicious ampuser user in the ampusers database table, or other unknown users
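    As an added example (not code from the FreePBX project or from the article), the following POSIX shell script checks a host for the file- and log-based indicators listed above. Each function takes the file to inspect as an argument so the checks can also run against copied logs; the default paths, the Apache combined access-log format, the Asterisk Master.csv CDR layout and the stock asterisk database / ampusers table names are assumptions about a typical install.

```shell
#!/bin/sh
# Added example: check a FreePBX host for the IoCs listed in the advisory.
# Paths default to the usual FreePBX locations (an assumption about the install).

# 0 (true) if /etc/freepbx.conf is missing or was modified within the last N days.
freepbx_conf_suspicious() {
  conf="${1:-/etc/freepbx.conf}"; days="${2:-7}"
  [ -f "$conf" ] || return 0
  [ -n "$(find "$conf" -maxdepth 0 -mtime "-$days")" ]
}

# 0 (true) if the dropped .clean.sh script exists; it should never be present.
clean_sh_present() {
  [ -e "${1:-/var/www/html/.clean.sh}" ]
}

# Number of POST requests to modular.php in a combined-format web access log.
modular_posts() {
  log="${1:-/var/log/httpd/access_log}"
  [ -f "$log" ] || { echo 0; return; }
  grep -c -E '"POST [^" ]*/modular\.php' "$log" || true
}

# Number of calls placed to extension 9998 in an Asterisk CDR CSV (Master.csv);
# fields are double-quoted and the destination is the third column.
calls_to_9998() {
  cdr="${1:-/var/log/asterisk/cdr-csv/Master.csv}"
  [ -f "$cdr" ] || { echo 0; return; }
  grep -c -E '^"[^"]*","[^"]*","9998",' "$cdr" || true
}

# List administrator accounts so unknown ones (e.g. a stray "ampuser") stand out.
# Needs the mysql client; database and table names are the stock FreePBX ones.
list_ampusers() {
  mysql -N asterisk -e "SELECT username FROM ampusers;"
}

# Run the file-based checks (conf, .clean.sh, web log, CDR) and print how many hit.
ioc_scan() {
  hits=0
  freepbx_conf_suspicious "$1" && hits=$((hits + 1))
  clean_sh_present "$2" && hits=$((hits + 1))
  [ "$(modular_posts "$3")" -gt 0 ] && hits=$((hits + 1))
  [ "$(calls_to_9998 "$4")" -gt 0 ] && hits=$((hits + 1))
  echo "$hits"
}
```

Any non-zero count from ioc_scan warrants a closer look at the host, and list_ampusers must be compared by hand against the administrator accounts you actually created.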

    According to Netlas researchers, most of the potentially vulnerable systems are in the US, followed by Russia and Germany.

    The discovery of this vulnerability serves as a stark reminder of the importance of prioritizing cybersecurity measures. As more businesses move their operations online, the risk of cyberattacks increases, making it essential for organizations to stay vigilant and proactive in addressing vulnerabilities like this one.

    In recent times, we have seen numerous high-profile breaches and attacks on various platforms, including Google's Salesloft Drift breach, which affected all integrations. Dutch intelligence has also warned about a China-linked APT Salt Typhoon targeting local critical infrastructure. Furthermore, 200 Swedish municipalities were impacted by a major cyberattack on an IT provider.

    In addition, TransUnion disclosed a data breach impacting over 4.4 million customers, while a data breach at Healthcare Services Group affected 624,496 people. ESET warned of PromptLock, the first AI-driven ransomware, and China-linked UNC6384 targeted diplomats by hijacking web traffic.

    It is essential for individuals and organizations to stay informed about the latest cybersecurity threats and vulnerabilities. By staying proactive and addressing potential risks early on, we can reduce the likelihood of being compromised in a cyberattack.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/FreePBX-Zero-Day-Exploited-A-Growing-Concern-for-Businesses-and-Individuals-Alike-ehn.shtml

  • https://securityaffairs.com/181693/hacking/experts-warn-of-actively-exploited-freepbx-zero-day.html

  • https://nvd.nist.gov/vuln/detail/CVE-2025-57819

  • https://www.cvedetails.com/cve/CVE-2025-57819/


  • Published: Fri Aug 29 10:22:21 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.
