Ethical Hacking News
The Sangoma FreePBX Security Team has warned of an actively exploited zero-day vulnerability, CVE-2025-57819 (CVSS 10.0), that allows remote code execution on FreePBX systems whose administrator control panel is reachable from the internet. It affects versions 15 prior to 15.0.66, 16 prior to 16.0.89, and 17 prior to 17.0.3. Attackers have already compromised multiple internet-connected systems through a sanitization flaw in user-supplied input handled by the commercial "endpoint" module. Users are advised to upgrade to the latest supported versions, restrict public access to the administrator control panel, and scan their environments for indicators of compromise.
The Sangoma FreePBX Security Team has issued a warning about an actively exploited zero-day vulnerability that affects systems with an administrator control panel (ACP) exposed to the public internet. The vulnerability, tracked as CVE-2025-57819, carries a CVSS score of 10.0, the maximum severity.
The impact of this vulnerability is significant, as FreePBX is an open-source private branch exchange (PBX) platform widely used by businesses, call centers, and service providers to manage voice communications. It's built on top of Asterisk, an open-source communication server. The vulnerability affects versions 15 prior to 15.0.66, 16 prior to 16.0.89, and 17 prior to 17.0.3.
According to the Sangoma FreePBX Security Team, an unauthorized party began accessing multiple internet-connected FreePBX version 16 and 17 systems on or before August 21, 2025. The affected systems had inadequate IP filtering or access control lists (ACLs) in front of the control panel, and the attacker exploited a sanitization flaw in the handling of user-supplied input to the commercial "endpoint" module.
The initial access was then chained with further steps that could yield root-level access on the target hosts. In light of active exploitation, users are advised to upgrade to the latest supported versions of FreePBX and restrict public access to the administrator control panel. Users are also advised to scan their environments for indicators of compromise (IoCs), including:
- File "/etc/freepbx.conf" recently modified or missing
- Presence of the file "/var/www/html/.clean.sh" (this file should not exist on normal systems)
- Suspicious POST requests to "modular.php" in Apache web server logs dating back to at least August 21, 2025
- Calls placed to extension 9998 in the Asterisk call logs and CDRs (unusual unless that extension was deliberately configured)
- A suspicious "ampuser" entry, or other unknown users, in the ampusers database table
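The indicators above can be checked mechanically. The script below is an added example, not part of the Sangoma advisory or the FreePBX project: it runs each check against artefacts copied off a host (the Apache access log, a CDR export, a dump of ampusers usernames, and a filesystem copy) and includes a constructed sample tree so it can be dry-run offline. The CSV column layout, the /admin/ path in the sample log lines, the file names and all sample data are assumptions.

```shell
#!/bin/sh
# Added example, not from the Sangoma advisory or the FreePBX project.
# Offline triage for the five indicators above, run against artefacts copied
# off a FreePBX host. Column layouts, paths and sample data are assumptions.

# IoC: POST requests to modular.php in an Apache access log (combined format).
# Prints matching lines; exit status 0 if any were found, 1 if none.
find_modular_posts() {
    grep -E '"POST [^" ]*modular\.php[^"]*"' "$1"
}

# IoC: calls to extension 9998 in a CDR export.
# Assumes a constructed CSV layout of calldate,src,dst,disposition with a
# header row and no quoting; real asteriskcdrdb exports differ, so adjust $3.
find_calls_to_9998() {
    awk -F',' 'NR > 1 && $3 == "9998"' "$1"
}

# IoC: ampusers rows you did not create.
# $1 = usernames, one per line (e.g. mysql -N -e 'SELECT username FROM asterisk.ampusers')
# $2 = admin usernames you know to be legitimate, one per line.
find_unknown_ampusers() {
    grep -v -x -F -f "$2" "$1"
}

# IoC: /etc/freepbx.conf missing or modified after the earliest known
# exploitation date, and the dropped /var/www/html/.clean.sh present.
# $1 = root of a filesystem copy made with timestamps preserved (rsync -a),
# or "" for the live host. Exit 1 if anything was found, 0 if clean.
check_files() {
    root="$1"
    ref=$(mktemp)
    touch -t 202508210000 "$ref"        # 2025-08-21 00:00, per the advisory
    hits=0
    if [ -e "$root/var/www/html/.clean.sh" ]; then
        echo "FOUND: $root/var/www/html/.clean.sh (should not exist)"
        hits=1
    fi
    if [ ! -e "$root/etc/freepbx.conf" ]; then
        echo "MISSING: $root/etc/freepbx.conf"
        hits=1
    elif [ -n "$(find "$root/etc/freepbx.conf" -newer "$ref")" ]; then
        echo "MODIFIED: $root/etc/freepbx.conf changed after 2025-08-21"
        hits=1
    fi
    rm -f "$ref"
    [ "$hits" -eq 0 ]
}

# Constructed sample evidence for a dry run (not real data). Prints the
# directory it created.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/var/www/html"
    : > "$d/etc/freepbx.conf"            # written now, so it counts as modified
    : > "$d/var/www/html/.clean.sh"      # the planted file
    cat > "$d/access.log" <<'EOF'
203.0.113.7 - - [21/Aug/2025:03:14:07 +0000] "POST /admin/modular.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.2 - - [21/Aug/2025:03:15:02 +0000] "GET /admin/config.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Aug/2025:11:02:41 +0000] "POST /admin/modular.php?action=x HTTP/1.1" 200 128 "-" "curl/8.0"
EOF
    cat > "$d/cdr.csv" <<'EOF'
calldate,src,dst,disposition
2025-08-22 11:05:00,1001,1002,ANSWERED
2025-08-22 11:06:30,1001,9998,ANSWERED
EOF
    printf 'admin\nampuser\nsupport\n' > "$d/ampusers.txt"
    printf 'admin\nsupport\n'          > "$d/known_admins.txt"
    echo "$d"
}

# Dry run on the sample tree:  sh freepbx_ioc_check.sh --demo
if [ "${1-}" = "--demo" ]; then
    d=$(make_sample_tree)
    find_modular_posts "$d/access.log"
    find_calls_to_9998 "$d/cdr.csv"
    find_unknown_ampusers "$d/ampusers.txt" "$d/known_admins.txt"
    check_files "$d" || echo "filesystem indicators present"
    rm -rf "$d"
fi
```

Run it with --demo to exercise the checks against the constructed tree. Against a real host, point the functions at the actual access log, a CDR export from asteriskcdrdb, and a username dump, and call check_files with an empty root on the live system or with a copy made with timestamps preserved; copying without preserved mtimes would make every file look recently modified. A hit from any check is a reason to treat the host as compromised and preserve it for forensics rather than simply patching.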
watchTowr CEO Benjamin Harris stated that "we are seeing active exploitation of FreePBX in the wild with activity traced back as far as August 21 and backdoors being dropped post-compromise." While it's early, he emphasized that FreePBX (and other PBX platforms) have long been a favorite hunting ground for ransomware gangs, initial access brokers, and fraud groups abusing premium billing. If you use FreePBX with an endpoint module, assume compromise. Disconnect systems immediately. Delays will only increase the blast radius.
In short, this FreePBX zero-day is a reminder that the administrative interfaces of PBX platforms should never be reachable from the public internet, and that patching alone is not enough once exploitation is under way. Affected operators should upgrade to the latest supported versions of FreePBX, restrict access to the administrator control panel, and check their systems against the indicators above before treating them as clean.
Related Information:
https://www.ethicalhackingnews.com/articles/The-FreePBX-Zero-Day-Vulnerability-A-Wake-Up-Call-for-Businesses-and-Call-Centers-ehn.shtml
https://thehackernews.com/2025/08/freepbx-servers-targeted-by-zero-day.html
https://www.bleepingcomputer.com/news/security/freepbx-servers-hacked-via-zero-day-emergency-fix-released/
https://nvd.nist.gov/vuln/detail/CVE-2025-57819
https://www.cvedetails.com/cve/CVE-2025-57819/
Published: Fri Aug 29 06:18:06 2025 by llama3.2 3B Q4_K_M