Critical Zero-Day Exploit Targets FreePBX Servers: Immediate Action Required

A severe zero-day vulnerability has been identified in FreePBX versions 16 and 17, posing a significant risk to systems with publicly accessible Administrator Control Panels (ACP). This flaw resides in the commercial Endpoint Manager module and allows unauthenticated attackers to escalate privileges and execute remote code. Active exploitation of this vulnerability has been observed since August 21, 2025, necessitating prompt action from administrators to mitigate potential damage.

Key Points:

1. Zero-Day Remote Code Execution (RCE) Vulnerability: The identified flaw enables attackers to execute arbitrary code on affected FreePBX systems without authentication, particularly when the ACP is exposed to the internet.

2. Immediate Mitigation Steps:
– Restrict External Access: Administrators should verify if their FreePBX or PBXAct instances are accessible externally. If the ACP is reachable via ports 80 or 443, it’s imperative to block all external traffic at the network perimeter.
– Utilize FreePBX Firewall Module: Employ the FreePBX Firewall module to limit access to the Internet/External zone, allowing only trusted hosts.
– Confirm Local-Only Access: After implementing access restrictions, test ACP connectivity from an untrusted network (e.g., cellular data) to ensure that external access is effectively blocked.

3. Update Endpoint Module:
– For FreePBX v16/v17 Users: Execute the following command to update the Endpoint module to the provided EDGE builds:
```
fwconsole ma upgrade endpoint --edge
```
– For PBXAct v16 and v17 Users: Specify the stable tag by running:
```
fwconsole ma upgrade endpoint --tag=stable
```
– Upcoming QA-Tested Release: A fully quality-assured release is expected within 12 hours. Once available, perform a standard module update via Admin → Module Admin.

4. Detection and Mitigation:
– Indicators of Compromise (IoCs): Administrators should conduct the following checks to detect potential infections:
– Verify the existence of `/etc/freepbx.conf`.
– Search for the presence of the malicious dropper script located at `/var/www/html/.clean.sh`.
– Review Apache logs for POST requests to `modular.php` since August 21.
– Examine Asterisk logs for calls made to extension 9998.
– Query MySQL databases for any suspicious `ampusers`.
– Response to Compromise: If any of these indicators are detected:
– Isolate the affected system immediately.
– Plan for system restoration using backups dated before August 21.
– Deploy a clean installation of FreePBX with enhanced firewall configurations.
– Restore data from the verified backups.
– Rotate all credentials, including system passwords, SIP trunks, extensions, voicemail, and User Control Panel (UCP) access.
– Forensic Analysis: Utilize the community-developed `collect_forensics_freepbx.sh` script, licensed under AGPLv3, to automate the collection of logs, configuration files, and process states for thorough analysis.
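The indicator checks listed above can be scripted so they are repeatable across several PBXs. The following helper is an added example written for this page; it is not Sangoma's tooling and not the community `collect_forensics_freepbx.sh` script. It assumes an Apache access log in the common/combined format, an Asterisk "full" log with `Executing [exten@context:prio]` lines, the distro-default `asterisk` MySQL database, and a web root that would hold the dropper; the log lines it ships with are constructed samples so it runs offline.

```shell
#!/bin/sh
# Added triage helper for the FreePBX advisory indicators (example code for this page,
# not Sangoma's own tooling). Assumptions: Apache combined log format, Asterisk "full"
# log, distro-default "asterisk" MySQL database, web root passed as an argument.

# 1) POST requests to modular.php on or after a YYYYMMDD cutoff (default 20250821, per advisory).
count_modular_posts() {
    log="$1"; cutoff="${2:-20250821}"
    awk -v cutoff="$cutoff" '
        BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i) }
        $6 == "\"POST" && $7 ~ /modular\.php/ {
            split(substr($4, 2), d, "[/:]")     # $4 looks like [21/Aug/2025:04:12:33
            ymd = d[3] mon[d[2]] d[1]
            if (ymd >= cutoff) n++
        }
        END { print n + 0 }' "$log"
}

# 2) Distinct Asterisk call IDs (C-xxxxxxxx) that executed dialplan in extension 9998.
count_calls_to_9998() {
    awk 'index($0, "[9998@") && match($0, /C-[0-9a-f]+/) {
             id = substr($0, RSTART, RLENGTH)
             if (!(id in seen)) { seen[id] = 1; n++ }
         }
         END { print n + 0 }' "$1"
}

# 3) Dropper check: prints "present" or "absent" for <webroot>/.clean.sh.
dropper_status() {
    if [ -e "$1/.clean.sh" ]; then echo present; else echo absent; fi
}

# 4) ACP account review (needs the live database, so not exercised offline):
#    lists FreePBX admin users; "asterisk" as the database name is an assumption.
list_ampusers() {
    mysql asterisk -e 'SELECT username, sections FROM ampusers'
}

# Combined report: prints each indicator, returns 1 if any fired and 0 if all are clean.
triage_report() {
    access_log="$1"; asterisk_log="$2"; webroot="$3"; hits=0
    posts=$(count_modular_posts "$access_log")
    calls=$(count_calls_to_9998 "$asterisk_log")
    dropper=$(dropper_status "$webroot")
    echo "POST modular.php since 2025-08-21: $posts"
    echo "Calls to extension 9998:           $calls"
    echo "Dropper .clean.sh in $webroot:     $dropper"
    [ "$posts" -gt 0 ] && hits=1
    [ "$calls" -gt 0 ] && hits=1
    [ "$dropper" = present ] && hits=1
    return $hits
}

# Constructed sample data (not real logs) so the helpers can be run without a PBX.
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_ACCESS_LOG="$SAMPLE_DIR/access_log"; SAMPLE_ASTERISK_LOG="$SAMPLE_DIR/full"
SAMPLE_WEBROOT="$SAMPLE_DIR/html"; CLEAN_WEBROOT="$SAMPLE_DIR/clean_html"
EMPTY_LOG="$SAMPLE_DIR/empty"; : > "$EMPTY_LOG"
mkdir -p "$SAMPLE_WEBROOT" "$CLEAN_WEBROOT"; : > "$SAMPLE_WEBROOT/.clean.sh"
cat > "$SAMPLE_ACCESS_LOG" <<'EOF'
10.0.0.5 - - [19/Aug/2025:09:00:01 +0000] "POST /admin/modular.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [21/Aug/2025:04:12:33 +0000] "POST /admin/modular.php HTTP/1.1" 200 1024 "-" "python-requests/2.31"
198.51.100.9 - - [22/Aug/2025:11:45:10 +0000] "GET /admin/config.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Aug/2025:02:01:59 +0000] "POST /admin/modular.php HTTP/1.1" 200 2048 "-" "python-requests/2.31"
EOF
cat > "$SAMPLE_ASTERISK_LOG" <<'EOF'
[2025-08-22 03:14:05] VERBOSE[2213][C-00000012] pbx.c: Executing [9998@from-internal:1] Answer("PJSIP/anonymous-00000009", "") in new stack
[2025-08-22 03:14:06] VERBOSE[2213][C-00000012] pbx.c: Executing [9998@from-internal:2] Hangup("PJSIP/anonymous-00000009", "") in new stack
[2025-08-22 08:00:00] VERBOSE[2290][C-00000013] pbx.c: Executing [2001@from-internal:1] Dial("PJSIP/1001-0000000a", "PJSIP/2001") in new stack
[2025-08-23 01:02:03] VERBOSE[2301][C-00000015] pbx.c: Executing [9998@from-internal:1] Answer("PJSIP/anonymous-0000000b", "") in new stack
EOF

# On a real host, pass /var/log/httpd/access_log, /var/log/asterisk/full and /var/www/html
# (distro defaults; adjust to your layout). The sample run below reports 2 POSTs, 2 calls, dropper present.
triage_report "$SAMPLE_ACCESS_LOG" "$SAMPLE_ASTERISK_LOG" "$SAMPLE_WEBROOT" \
    || echo "Indicators present: isolate this host and follow the response steps above."
```

The Asterisk counter deduplicates on the call ID rather than counting log lines, since one call to 9998 produces one line per dialplan priority; the Apache counter converts the `[21/Aug/2025:...]` timestamp to `YYYYMMDD` so the cutoff compares as a plain string.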

5. Ongoing Investigation:
– Older FreePBX Versions: Users operating FreePBX versions prior to v16 should remain vigilant. Sangoma is actively investigating the root cause of the vulnerability and plans to publish a Common Vulnerabilities and Exposures (CVE) identifier once the assessment is complete.
– Recommended Actions: Until a comprehensive fix is available, disabling internet access to the ACP and applying the Edge or Stable Endpoint module updates are the most effective defenses against potential exploitation.

Conclusion:

The discovery of this zero-day vulnerability in FreePBX underscores the critical importance of proactive cybersecurity measures. Administrators are urged to implement the recommended mitigations without delay to protect their systems from unauthorized access and potential compromise. Staying informed about updates from Sangoma and the broader cybersecurity community is essential in navigating this evolving threat landscape.