A critical zero-day vulnerability, identified as CVE-2025-57819, has been discovered in FreePBX, an open-source private branch exchange (PBX) platform widely utilized by businesses, call centers, and service providers for managing voice communications. This flaw, carrying a maximum severity score of 10.0 on the Common Vulnerability Scoring System (CVSS), allows unauthenticated attackers to gain administrative access, manipulate databases arbitrarily, and execute remote code on affected systems.
Understanding FreePBX and the Vulnerability
FreePBX serves as a web-based graphical user interface built atop the Asterisk communication server, facilitating the management of voice communications. The identified vulnerability stems from insufficient sanitization of user-supplied data, particularly within the commercial endpoint module. This oversight permits unauthorized access to the FreePBX Administrator interface, leading to potential system compromise.
Affected Versions and Immediate Risks
The vulnerability impacts the following FreePBX versions:
– FreePBX 15 versions prior to 15.0.66
– FreePBX 16 versions prior to 16.0.89
– FreePBX 17 versions prior to 17.0.3
Reports indicate that unauthorized access to multiple FreePBX version 16 and 17 systems connected to the internet began on or before August 21, 2025. Systems with inadequate IP filtering or access control lists (ACLs) are particularly vulnerable. Attackers have exploited this flaw to gain initial access, which can be escalated to root-level control over the target hosts.
Indicators of Compromise (IoCs)
Administrators should vigilantly monitor their systems for the following signs of compromise:
– Recent modification or absence of the file `/etc/freepbx.conf`.
– Presence of the file `/var/www/html/.clean.sh`, which should not exist on standard systems.
– Suspicious POST requests to `modular.php` in Apache web server logs dating back to at least August 21, 2025.
– Unusual phone calls placed to extension 9998 in Asterisk call logs and Call Detail Records (CDRs), unless previously configured.
– Detection of a suspicious `ampuser` account or other unknown users in the `ampusers` database table.
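As an added example (not from the advisory or from Sangoma), a small POSIX shell triage helper that checks for the IoCs listed above on a host or a mounted disk image; it assumes the Apache access-log location, the CDR export format and the `username` column and `asterisk` database name used in the query hints, and it takes the list of legitimate admin accounts from the environment.

```shell
#!/bin/sh
# Added triage helper for the CVE-2025-57819 IoCs listed above; this is example code,
# not Sangoma's tooling. The file paths, extension 9998 and the ampusers table come
# from the advisory; log paths, query columns and the admin list are assumptions.
CUTOFF=2025-08-21                         # first known date of unauthorized access
KNOWN_ADMINS="${KNOWN_ADMINS:-admin}"     # assumption: comma-separated legitimate admins

# File-level IoCs under an optional root (e.g. a mounted disk image); prints one
# "IOC:" line per finding.
check_files() {
    prefix="${1:-}"
    conf="$prefix/etc/freepbx.conf"
    [ -e "$prefix/var/www/html/.clean.sh" ] && echo "IOC: $prefix/var/www/html/.clean.sh exists"
    [ -e "$conf" ] || echo "IOC: $conf is missing"
    ref=$(mktemp) && touch -t 202508210000 "$ref"          # reference mtime = cutoff
    [ -n "$(find "$conf" -newer "$ref" 2>/dev/null)" ] && echo "IOC: $conf modified since $CUTOFF"
    rm -f "$ref"
}

# Apache combined-format access log on stdin: count POSTs to modular.php dated
# on or after $1 (YYYY-MM-DD). Prints the count.
count_modular_posts() {
    awk -v cutoff="$1" '
        $6 == "\"POST" && $7 ~ /modular\.php/ {
            split(substr($4, 2), d, "[/:]")        # [21/Aug/2025:09:00:00 -> 21 Aug 2025
            m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", d[2]) + 2) / 3
            if (sprintf("%s-%02d-%02d", d[3], m, d[1]) >= cutoff) n++
        }
        END { print n + 0 }'
}

# Usernames, one per line (e.g. from: mysql -N -e "SELECT username FROM asterisk.ampusers";
# column and database name assumed), on stdin: print any not in the comma-separated list $1.
unknown_ampusers() {
    awk -v known="$1" '
        BEGIN { n = split(known, k, ","); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        NF && !($1 in ok) { print $1 }'
}

# Tab-separated "calldate<TAB>src<TAB>dst" CDR rows on stdin (assumed export format,
# as produced by mysql -N): count calls placed to extension 9998.
count_calls_to_9998() {
    awk -F '\t' '$3 == "9998" { n++ } END { print n + 0 }'
}

# Run on a live host with default paths (assumed Apache log location):
#   check_files; count_modular_posts "$CUTOFF" < /var/log/httpd/access_log
```

Any `IOC:` line, a non-zero POST count, an unexpected username or an unexplained call to 9998 is a signal to treat the host as compromised and move to the recommended actions rather than to keep triaging on the live system.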
Recommended Actions
In response to active exploitation, the Sangoma FreePBX Security Team has issued the following recommendations:
1. Upgrade Immediately: Users are urged to update to the latest supported versions of FreePBX to mitigate the vulnerability.
2. Restrict Access: Limit public access to the administrator control panel by implementing robust IP filtering and access control lists.
3. System Scanning: Conduct thorough scans of your environment to identify any indicators of compromise.
4. Review Logs: Examine Apache and Asterisk logs for any unusual activities or unauthorized access attempts.
5. Credential Rotation: Change all system and SIP-related credentials to prevent unauthorized access.
6. Restore from Backups: If compromise is detected, restore systems from backups created prior to August 21, 2025.
Expert Insights
Benjamin Harris, CEO of watchTowr, emphasized the gravity of the situation:
We are seeing active exploitation of FreePBX in the wild with activity traced back as far as August 21 and backdoors being dropped post-compromise. FreePBX (and other PBX platforms) have long been a favorite hunting ground for ransomware gangs, initial access brokers, and fraud groups abusing premium billing. If you use FreePBX with an endpoint module, assume compromise. Disconnect systems immediately. Delays will only increase the blast radius.
Conclusion
The discovery of CVE-2025-57819 underscores the critical importance of maintaining up-to-date systems and implementing stringent access controls. Administrators are advised to act promptly to secure their FreePBX installations, thereby safeguarding their communication infrastructures against potential exploits.