The Sangoma FreePBX Safety Staff has issued an advisory warning about an actively exploited FreePBX zero-day vulnerability that impacts techniques with an administrator management panel (ACP) uncovered to the general public web.
FreePBX is an open-source personal department change (PBX) platform broadly utilized by companies, name facilities, and repair suppliers to handle voice communications. It is constructed on high of Asterisk, an open-source communication server.
The vulnerability, assigned the CVE identifier CVE-2025-57819, carries a CVSS rating of 10.0, indicating most severity.
“Insufficiently sanitized user-supplied knowledge permits unauthenticated entry to FreePBX Administrator, resulting in arbitrary database manipulation and distant code execution,” the venture maintainers stated in an advisory.
The difficulty impacts the next variations –
- FreePBX 15 prior to fifteen.0.66
- FreePBX 16 previous to 16.0.89, and
- FreePBX 17 previous to 17.0.3
Sangoma stated an unauthorized consumer started accessing a number of FreePBX model 16 and 17 techniques linked to the web beginning on or earlier than August 21, 2025, particularly people who have insufficient IP filtering or entry management lists (ACLs), by benefiting from a sanitization difficulty within the processing of user-supplied enter to the business “endpoint” module.
The preliminary entry obtained utilizing this methodology was then mixed with different steps to doubtlessly achieve root-level entry on the goal hosts, it added.
In mild of energetic exploitation, customers are suggested to improve to the most recent supported variations of FreePBX and limit public entry to the administrator management panel. Customers are additionally suggested to scan their environments for the next indicators of compromise (IoCs) –
- File “/and so forth/freepbx.conf” just lately modified or lacking
- Presence of the file “/var/www/html/.clear.sh” (this file shouldn’t exist on regular techniques)
- Suspicious POST requests to “modular.php” in Apache internet server logs relationship again to at the very least August 21, 2025
- Cellphone calls positioned to extension 9998 in Asterisk name logs and CDRs are uncommon (except beforehand configured)
- Suspicious “ampuser” consumer within the ampusers database desk or different unknown customers
“We’re seeing energetic exploitation of FreePBX within the wild with exercise traced again so far as August 21 and backdoors being dropped post-compromise,” watchTowr CEO Benjamin Harris stated in an announcement shared with The Hacker Information.
“Whereas it is early, FreePBX (and different PBX platforms) have lengthy been a favourite looking floor for ransomware gangs, preliminary entry brokers and fraud teams abusing premium billing. In case you use FreePBX with an endpoint module, assume compromise. Disconnect techniques instantly. Delays will solely improve the blast radius.”
Replace
The U.S. Cybersecurity and Infrastructure Safety Company (CISA) on Friday added CVE-2025-57819 to its Identified Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Govt Department (FCEB) companies to use the fixes by September 19, 2025.
“Sangoma FreePBX comprises an authentication bypass vulnerability on account of insufficiently sanitized user-supplied knowledge permits unauthenticated entry to FreePBX Administrator resulting in arbitrary database manipulation and distant code execution,” the company stated.
