Emergency Patch Released for FreePBX Servers Affected by Zero-Day Vulnerability

The Sangoma FreePBX Security Team has issued a critical advisory regarding an actively exploited zero-day vulnerability affecting FreePBX systems whose Administrator Control Panel (ACP) is exposed to the public internet. FreePBX, an open-source private branch exchange (PBX) platform built on Asterisk, is widely used by businesses, call centres, and service providers to manage voice communications. The vulnerability, identified as CVE-2025-57819, has a CVSS score of 10.0, the maximum severity. Insufficiently sanitised user-supplied data allows unauthenticated access to the FreePBX Administrator, leading to arbitrary database manipulation and potential remote code execution. The affected versions include FreePBX 15 prior to 15.0.66, FreePBX 16 prior to 16.0.89, and FreePBX 17 prior to 17.0.3.

Sangoma reported that unauthorised access to multiple FreePBX version 16 and 17 systems began on or before August 21, 2025, particularly targeting those with inadequate IP filtering or access control lists (ACLs). The exploitation leverages a sanitisation issue in the processing of user input within the commercial “endpoint” module, potentially allowing attackers to gain root-level access. Users are strongly advised to upgrade to the latest supported versions of FreePBX and restrict public access to the ACP. They should also scan for indicators of compromise, such as modifications to the “/etc/freepbx.conf” file, the presence of the “/var/www/html/.clean.sh” file, and suspicious activity in Apache web server logs. As noted by watchTowr CEO Benjamin Harris, the ongoing exploitation of FreePBX poses significant risks, and users should assume compromise and disconnect affected systems immediately to mitigate potential damage.
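A triage helper for the checks described above, as an added example that is not part of the original article or of Sangoma's advisory: it compares a FreePBX version you supply against the fixed releases listed here and looks for the two file indicators. The function names, the optional root prefix and the 30-day modification window are assumptions; the Apache log review is left out because the article names no pattern to search for.

```shell
# Added example: CVE-2025-57819 triage; function names are hypothetical.

# fixed_version MAJOR -> first fixed release for that branch (from the article)
fixed_version() {
    case "$1" in
        15) echo 15.0.66 ;;
        16) echo 16.0.89 ;;
        17) echo 17.0.3 ;;
        *)  return 1 ;;
    esac
}

# version_lt A B -> exit 0 when dotted version A is lower than B
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal versions are not "lower"
    }'
}

# is_vulnerable VERSION -> 0 below the fix, 1 fixed, 2 branch not listed
is_vulnerable() {
    fixed=$(fixed_version "${1%%.*}") || return 2
    version_lt "$1" "$fixed"
}

# check_iocs [ROOT] [DAYS] -> one line per finding, exit 1 if any. ROOT prefixes
# the paths (e.g. a mounted image); DAYS (default 30) is an assumed window.
check_iocs() {
    root=${1:-}; days=${2:-30}; found=0
    if [ -e "$root/var/www/html/.clean.sh" ]; then
        echo "IOC: $root/var/www/html/.clean.sh is present"; found=1
    fi
    conf="$root/etc/freepbx.conf"
    if [ -f "$conf" ] && [ -n "$(find "$conf" -mtime "-$days")" ]; then
        echo "REVIEW: $conf modified within the last $days days"; found=1
    fi
    return "$found"
}

# Usage: sh triage.sh <installed-version> [root]
if [ "$#" -ge 1 ]; then
    is_vulnerable "$1" && echo "VULNERABLE: $1 is below the fixed release"
    check_iocs "${2:-}" || echo "Investigate the findings above"
fi
```

A clean result from `check_iocs` does not clear a host that was exposed while unpatched, since the article's advice for such systems is to assume compromise.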

Categories: Cybersecurity, Vulnerability Management, VoIP Systems 

Tags: FreePBX, Vulnerability, CVE-2025-57819, CVSS, Administrator Control Panel, Remote Code Execution, Unauthorized Access, Endpoint Module, Indicators of Compromise, Ransomware 
