The Sangoma FreePBX Security Team has issued an advisory warning about an actively exploited FreePBX zero-day vulnerability that impacts systems with an administrator control panel (ACP) exposed to the public internet.
FreePBX is an open-source private branch exchange (PBX) platform widely used by businesses, call centers, and service providers to manage voice communications. It’s built on top of Asterisk, an open-source communication server.
The vulnerability, assigned the CVE identifier CVE-2025-57819, carries a CVSS score of 10.0, indicating maximum severity.
Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
“Insufficiently sanitized user-supplied data allows unauthenticated access to FreePBX Administrator, leading to arbitrary database manipulation and remote code execution,” the project maintainers said in an advisory.
The issue impacts the following versions –
- FreePBX 15 prior to 15.0.66
- FreePBX 16 prior to 16.0.89, and
- FreePBX 17 prior to 17.0.3
Sangoma said an unauthorized user began accessing multiple FreePBX version 16 and 17 systems connected to the internet starting on or before August 21, 2025, specifically those that have inadequate IP filtering or access control lists (ACLs), by taking advantage of a sanitization issue in the processing of user-supplied input to the commercial “endpoint” module.
The initial access obtained using this method was then combined with other steps to potentially gain root-level access on the target hosts, it added.
In light of active exploitation, users are advised to upgrade to the latest supported versions of FreePBX and restrict public access to the administrator control panel. Users are also advised to scan their environments for the following indicators of compromise (IoCs) –
- File “/etc/freepbx.conf” recently modified or missing
- Presence of the file “/var/www/html/.clean.sh” (this file should not exist on normal systems)
- Suspicious POST requests to “modular.php” in Apache web server logs dating back to at least August 21, 2025
- Phone calls placed to extension 9998 in Asterisk call logs and CDRs are unusual (unless previously configured)
- Suspicious “ampuser” user in the ampusers database table or other unknown users
“We are seeing active exploitation of FreePBX in the wild with activity traced back as far as August 21 and backdoors being dropped post-compromise,” watchTowr CEO Benjamin Harris said in a statement shared with The Hacker News.
“While it’s early, FreePBX (and other PBX platforms) have long been a favorite hunting ground for ransomware gangs, initial access brokers and fraud groups abusing premium billing. If you use FreePBX with an endpoint module, assume compromise. Disconnect systems immediately. Delays will only increase the blast radius.”
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
Feds Seize $6.4M VerifTools Fake-ID Marketplace, but Operators Relaunch on New Domain