The Sangoma FreepBX Security team has issued an advisory warning about actively exploited FreepBX Zero Day vulnerabilities affecting systems through the Administrator Control Panel (ACP) exposed to the public Internet.
FreepBX is an open source private branch exchange (PBX) platform widely used by businesses, call centres and service providers to manage voice communications. It is built on an asterisk, an open source communications server.
The vulnerability assigned to CVE Identifier CVE-2025-57819 has a CVSS score of 10.0, indicating the maximum severity.
“Insufficient data that users do not support will allow unauthorized access to FreePBX administrators, leading to arbitrary database operations and remote code execution,” the project maintainer said in its advisory.
This issue affects the following versions –
freepbx before 15.0.66 15 freepbx before 16.0.89 16, freepbx before 17.0.3 17
Sangoma said unauthorized users began accessing multiple FreePBX versions 16 and 17 systems connected to the internet before August 21, 2025, especially systems with insufficient IP filtering or access control lists (ACLs).
He then added that the initial access obtained using this method is combined with other steps to potentially gain root-level access for the target host.
In light of aggressive exploitation, users are advised to upgrade to the latest version of FreePBX and restrict public access to the admin’s control panel. Also, users are encouraged to scan their environment for the next indicator (IOCS) of compromise –
File “/etc/freepbx.conf” “Recently changed or missing file presence” /var/www/html/.clean.sh ” (This file should not exist on regular systems) Suspicious post requests line up on 2025 phones, which are extended to (unusual) extensius, which is extended to 2025 on August 21st (Ampusers database table or other unknown users “Ampuser” users
“We are seeing the active exploitation of FreepBX in the wild as we track activities through August 21st.
“It’s early, but FreePBX (and other PBX platforms) are the favorite hunting grounds for ransomware gangs, with early access brokers and fraud groups abusing premium billing. When using FreePBX with endpoint modules, we assume a compromise.
Source link
