Experts warn of actively exploited FreePBX zero-day

Sangoma warns of an actively exploited FreePBX zero-day affecting systems with publicly exposed admin control panels.

The Sangoma FreePBX Security Team addressed an actively exploited FreePBX zero-day vulnerability, tracked as CVE-2025-57819 (CVSS score of 10.0), impacting systems with an internet-facing administrator control panel (ACP).

FreePBX is an open-source telephony software platform that provides a web-based graphical interface for managing Asterisk, the most widely used open-source PBX (Private Branch Exchange).

With FreePBX, organizations can set up and manage features like:

  • VoIP (Voice over IP) calls
  • Call routing and extensions
  • Voicemail, call recording, and conferencing
  • Interactive Voice Response (IVR) menus
  • Integration with SIP trunks and phones

Essentially, it turns a standard server (or cloud instance) into a fully functional business phone system.

The root cause of the issue is insufficiently sanitized user-supplied data, which allows unauthenticated access to the FreePBX Administrator, leading to arbitrary database manipulation and remote code execution.

Project administrators revealed that an attacker exploited a flaw in FreePBX v16–17’s “endpoint” module on exposed systems, chaining it with other steps to gain possible root access.

“Starting on or before August 21st, 2025, an unauthorized user began accessing multiple FreePBX version 16 and 17 systems that were connected directly to the public internet — systems with inadequate IP filtering/ACLs — by exploiting a validation/sanitization error in the processing of user-supplied input to the commercial ‘endpoint’ module,” reads the advisory. “This initial entry point was then chained with several other steps to ultimately gain potentially root level access on the target systems.”

The vulnerability impacts:

  • FreePBX 15 prior to 15.0.66
  • FreePBX 16 prior to 16.0.89, and
  • FreePBX 17 prior to 17.0.3

Users are urged to update FreePBX, restrict public ACP access, and check for IoCs, including:

  • File /etc/freepbx.conf recently modified or missing
  • File /var/www/html/.clean.sh should not exist on normal systems
  • POST requests to modular.php in web server logs (likely not legitimate traffic)
  • Phone calls placed to extension 9998 in call logs and CDRs are unusual, unless previously configured
  • Suspicious "ampuser" user in the ampusers database table, or other unknown users
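The log, CDR and database IoCs above can be applied mechanically during triage. The following helper is an added example, not code from Sangoma or from this article; the sample log lines, CDR rows and account names are constructed, and the approved-account set and the 14-day window for "recently modified" are assumptions a site would set for itself.

```python
import os
import re
import time

# Constructed sample data (not from a real system): access-log lines, CDR (src, dst) rows, ampusers names.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [21/Aug/2025:03:14:07 +0000] "POST /admin/modular.php HTTP/1.1" 200 512
192.0.2.10 - - [21/Aug/2025:09:02:11 +0000] "GET /admin/config.php?display=extensions HTTP/1.1" 200 8192
203.0.113.7 - - [21/Aug/2025:03:14:09 +0000] "POST /admin/modular.php HTTP/1.1" 200 64
"""
SAMPLE_CDR = [("1001", "1002"), ("1003", "9998"), ("1001", "18005551212")]
SAMPLE_AMPUSERS = ["admin", "ampuser"]
KNOWN_ADMINS = {"admin"}  # assumption: the site's approved ACP accounts
POST_MODULAR = re.compile(r'"POST\s+\S*modular\.php\S*\s+HTTP/')

def suspicious_modular_posts(log_text):
    """Return access-log lines carrying a POST to modular.php."""
    return [ln for ln in log_text.splitlines() if POST_MODULAR.search(ln)]

def calls_to_9998(cdr_rows, watch_ext="9998"):
    """Return CDR rows whose destination is extension 9998."""
    return [row for row in cdr_rows if row[1] == watch_ext]

def unknown_ampusers(users, known=KNOWN_ADMINS):
    """Return ACP accounts not in the approved set ('ampuser' is the named IoC)."""
    return [u for u in users if u not in known]

def file_iocs(clean_sh="/var/www/html/.clean.sh", conf="/etc/freepbx.conf", max_age_days=14):
    """Flag .clean.sh present, and freepbx.conf missing or modified within max_age_days (14 is an assumption)."""
    hits = []
    if os.path.exists(clean_sh):
        hits.append(f"{clean_sh} exists")
    if not os.path.exists(conf):
        hits.append(f"{conf} missing")
    elif time.time() - os.path.getmtime(conf) < max_age_days * 86400:
        hits.append(f"{conf} modified within {max_age_days} days")
    return hits

def triage(log_text, cdr_rows, users):
    """Run the log/CDR/user checks; only categories with hits are returned."""
    findings = {
        "modular_php_posts": suspicious_modular_posts(log_text),
        "calls_to_9998": calls_to_9998(cdr_rows),
        "unknown_ampusers": unknown_ampusers(users),
    }
    return {k: v for k, v in findings.items() if v}

if __name__ == "__main__":
    results = {**triage(SAMPLE_ACCESS_LOG, SAMPLE_CDR, SAMPLE_AMPUSERS), "file_iocs": file_iocs()}
    for name, hits in results.items():
        print(f"[!] {name}: {hits}" if hits else f"[ok] {name}: nothing found")
```

On a real system, feed the functions the web server access log, a `SELECT src, dst FROM cdr` export and the `ampusers` usernames instead of the constructed samples.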

According to Netlas researchers, most of the potentially vulnerable systems are in the US, followed by Russia and Germany.

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)