FreePBX Servers Under Attack Due to 0-Day Vulnerability

Developers at Sangoma Technologies Corporation have issued an urgent warning about an actively exploited zero-day vulnerability in FreePBX. The flaw affects systems with their administration panel exposed to the internet.

What is FreePBX?

FreePBX is an open-source PBX (Private Branch Exchange) platform built on top of Asterisk. It is widely used by businesses, call centers, and service providers to manage voice communications, internal extensions, SIP trunks, and call routing.

The Vulnerability

According to Sangoma’s security team, attackers began exploiting the flaw on August 21, 2025. The issue, tracked as CVE-2025-57819, has been assigned the maximum severity rating of 10.0 on the CVSS scale.

“Insufficient sanitization of user data allows for unauthorized access to the FreePBX Administrator, which can lead to arbitrary database manipulation and remote code execution,” the developers explained.

The following versions are vulnerable:

  • FreePBX 15 up to version 15.0.66
  • FreePBX 16 up to version 16.0.89
  • FreePBX 17 up to version 17.0.3

An emergency fix for the EDGE module was released, followed by urgent patches for supported versions.

Active Exploitation in the Wild

Sangoma confirmed that threat actors are actively exploiting the bug in FreePBX 16 and 17 to gain initial access, after which they attempt to escalate privileges and obtain root access on compromised servers.

The company initially advised administrators to restrict access:

“Users are advised to restrict administrative access to FreePBX by using the Firewall module to limit access to known and trusted hosts only.”

Indicators of Compromise (IOCs)

Administrators are urged to scan their environments for signs of compromise, including:

  • /etc/freepbx.conf recently modified or missing
  • Presence of /var/www/html/.clean.sh (should not exist on normal systems)
  • Suspicious POST requests to modular.php in Apache logs
  • Calls to extension 9998 in Asterisk call logs and CDR
  • Unknown users, such as a suspicious ampuser entry in the ampusers database
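The checks above, as an added shell example (not Sangoma's own tooling): each function tests one listed indicator, and the demo section runs them over constructed Apache and CDR lines. The Apache combined log format, the Master.csv column layout (destination in the third field) and the mysql export used to list ampusers are assumptions, not details from the advisory.

```shell
#!/bin/sh
# Added example, not Sangoma's own tooling: checks the indicators listed above.
# Assumes Apache combined log format, the Asterisk Master.csv CDR layout (dst is
# the third field) and a plain-text list of expected ampusers usernames.

# /etc/freepbx.conf: "missing", "recent" (modified within $2 days, default 7) or "ok".
check_conf_file() {
    f=$1; days=${2:-7}
    if [ ! -e "$f" ]; then echo missing
    elif [ -n "$(find "$f" -mtime "-$days" 2>/dev/null)" ]; then echo recent
    else echo ok; fi
}

# /var/www/html/.clean.sh should not exist on a healthy system.
check_clean_sh() { if [ -e "$1" ]; then echo present; else echo absent; fi; }

# Number of POST requests to modular.php in an Apache access log.
count_modular_posts() { grep -c '"POST [^"]*modular\.php' "$1" || true; }

# Number of CDR rows whose destination is extension 9998.
count_ext_9998_calls() { awk -F'","' '$3 == "9998" { n++ } END { print n + 0 }' "$1"; }

# Usernames in $2 (e.g. from: mysql -N -e 'select username from ampusers' asterisk)
# that are not in the allowlist file $1.
unknown_ampusers() { grep -vxF -f "$1" "$2" || true; }

# Demo on constructed sample data; the two real paths are checked as they are.
tmp=$(mktemp -d)
printf '%s\n' \
  '203.0.113.5 - - [21/Aug/2025:03:14:07 +0000] "POST /admin/config.php HTTP/1.1" 200 512' \
  '203.0.113.5 - - [21/Aug/2025:03:14:09 +0000] "POST /admin/modular.php HTTP/1.1" 200 87' \
  > "$tmp/access_log"
printf '%s\n' \
  '"","1001","9998","from-internal","","SIP/1001-0001","","Playback","","2025-08-21 03:15:00"' \
  '"","1002","1003","from-internal","","SIP/1002-0002","","Dial","","2025-08-21 03:16:00"' \
  > "$tmp/Master.csv"
printf '%s\n' admin > "$tmp/expected_users"
printf '%s\n' admin ampuser > "$tmp/db_users"
echo "freepbx.conf: $(check_conf_file /etc/freepbx.conf)"
echo ".clean.sh: $(check_clean_sh /var/www/html/.clean.sh)"
echo "modular.php POSTs: $(count_modular_posts "$tmp/access_log")"
echo "calls to 9998: $(count_ext_9998_calls "$tmp/Master.csv")"
echo "unknown ampusers: $(unknown_ampusers "$tmp/expected_users" "$tmp/db_users")"
rm -rf "$tmp"
```

On a real host, point the functions at the live Apache access log, the CDR export and a list of the administrator accounts you expect; any non-zero count or "present"/"recent" result is a prompt for a closer look, not proof of compromise on its own.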

Impact on Customers

Reports on forums and Reddit suggest the impact is significant.

“Several servers in our infrastructure were hacked, and the attack affected approximately 3,000 SIP extensions and 500 trunks,” wrote one customer. “As part of the incident response, we blocked all administrative access and restored the systems to their previous state.”

Another victim shared:

“Yes, my personal PBX was also affected, as was another one I help manage. The exploit essentially allows an attacker to execute any command that the asterisk user is allowed to run.”

Mitigation

Sangoma strongly recommends that all users:

  • Update FreePBX to the latest supported version
  • Restrict public access to the administrative control panel
  • Review logs for the listed IOCs

With active exploitation confirmed, administrators are urged to act immediately.