Sangoma warns of an actively exploited FreePBX zero-day affecting systems with publicly exposed admin control panels.
The Sangoma FreePBX Security Team addressed an actively exploited FreePBX zero-day vulnerability, tracked as CVE-2025-57819 (CVSS score of 10.0), impacting systems with an internet-facing administrator control panel (ACP).
FreePBX is an open-source telephony software platform that provides a web-based graphical interface for managing Asterisk, the most widely used open-source PBX (Private Branch Exchange).
With FreePBX, organizations can set up and manage features like:
- VoIP (Voice over IP) calls
- Call routing and extensions
- Voicemail, call recording, and conferencing
- Interactive Voice Response (IVR) menus
- Integration with SIP trunks and phones
Essentially, it turns a standard server (or cloud instance) into a fully functional business phone system.
The root cause of the issue is insufficiently sanitized user-supplied data, which allows unauthenticated access to the FreePBX Administrator, leading to arbitrary database manipulation and remote code execution.
Project administrators revealed that an attacker exploited a flaw in FreePBX v16–17’s “endpoint” module on exposed systems, chaining it with other steps to gain possible root access.
“Starting on or before August 21st, 2025, an unauthorized user began accessing multiple FreePBX version 16 and 17 systems that were connected directly to the public internet — systems with inadequate IP filtering/ACLs — by exploiting a validation/sanitization error in the processing of user-supplied input to the commercial “endpoint” module.” reads the advisory. “This initial entry point was then chained with several other steps to ultimately gain potentially root level access on the target systems.”
The vulnerability impacts:
- FreePBX 15 prior to 15.0.66
- FreePBX 16 prior to 16.0.89, and
- FreePBX 17 prior to 17.0.3
Users are urged to update FreePBX, restrict public ACP access, and check for IoCs, including:
- File /etc/freepbx.conf recently modified or missing
- File /var/www/html/.clean.sh, which should not exist on normal systems
- POST requests to modular.php in web server logs, which are likely not legitimate traffic
- Phone calls placed to extension 9998 in call logs and CDRs, which are unusual unless previously configured
- Suspicious ampuser user in the ampusers database table, or other unknown users
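The IoC checks above can be scripted for a quick host sweep. The following POSIX shell helpers are an added example written for this article, not code from Sangoma or the FreePBX project; they assume an Apache-style access log and an Asterisk Master.csv CDR layout of "accountcode","src","dst",..., and the ampusers query is an assumed schema.

```sh
#!/bin/sh
# Added IoC triage helper for the FreePBX CVE-2025-57819 advisory (not Sangoma's code).
# Assumptions: Apache combined access-log format and an Asterisk Master.csv CDR
# layout of "accountcode","src","dst",...; adjust paths and fields to your host.

# Count POST requests to modular.php (advisory: likely not legitimate traffic).
count_modular_posts() {
    n=$(grep -c -E '"POST [^"]*modular\.php' "$1" 2>/dev/null) || n=${n:-0}
    echo "$n"
}

# Count CDR rows whose destination is extension 9998 (unusual unless configured).
count_calls_to_9998() {
    awk -F'","' '$3 == "9998" { n++ } END { print n + 0 }' "$1"
}

# True if the file exists (e.g. /var/www/html/.clean.sh, which should not exist).
file_present() {
    [ -e "$1" ]
}

# Returns 0 if the file was modified within the last N days, 1 if older,
# 2 if it is missing; both 0 and 2 are suspicious for /etc/freepbx.conf.
modified_within_days() {
    f=$1; days=$2
    [ -e "$f" ] || return 2
    [ -n "$(find "$f" -mtime -"$days" 2>/dev/null)" ]
}

# Print usernames read from stdin that are not in the allowlist given as args.
# Feed it the ampusers table, e.g. (assumed schema):
#   mysql -N -e 'SELECT username FROM ampusers' asterisk | unexpected_ampusers admin
unexpected_ampusers() {
    while IFS= read -r u; do
        known=0
        for a in "$@"; do
            [ "$u" = "$a" ] && known=1
        done
        [ "$known" -eq 0 ] && echo "$u"
    done
    return 0
}

# Example sweep of a live host (paths from the advisory):
#   count_modular_posts /var/log/httpd/access_log
#   file_present /var/www/html/.clean.sh && echo "IoC: .clean.sh present"
#   modified_within_days /etc/freepbx.conf 30; echo "freepbx.conf status: $?"
```

A non-zero count or a present .clean.sh is a trigger for full incident response on that host, not a finding to remediate in isolation.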
According to Netlas researchers, most of the potentially vulnerable systems are in the US, followed by Russia and Germany.
Pierluigi Paganini
(SecurityAffairs – hacking, zero-day)