The Sangoma FreePBX Security Team on Friday issued an advisory warning that an actively exploited zero-day vulnerability is being used against FreePBX systems whose administrator control panel (ACP) is exposed to the public internet. The flaw, tracked as CVE-2025-57819, carries the maximum CVSS score of 10.0 (critical). According to the advisory, insufficiently sanitized user input allows unauthenticated access to the FreePBX Administrator, which in turn enables arbitrary database manipulation and remote code execution. The advisory is also published as GitHub Security Advisory GHSA-m42g-xg4c-5f3h.
The vulnerability affects FreePBX 15 prior to 15.0.66, FreePBX 16 prior to 16.0.89, and FreePBX 17 prior to 17.0.3. Sangoma said unauthorized users began accessing several publicly exposed FreePBX 16 and 17 systems on or before August 21, 2025, targeting installations with weak IP filtering or access control lists (ACLs) and exploiting the input-sanitization flaw in the endpoint module.
Administrators are urged to upgrade to the fixed releases (15.0.66, 16.0.89 or 17.0.3, or later) and to restrict public access to the administrator control panel. The advisory also lists several indicators of compromise (IoCs), including:
- Modified or missing /etc/freepbx.conf
- Presence of the file /var/www/html/.clean.sh (not expected on normal systems)
- Suspicious POST requests to modular.php observed in Apache logs dating back to August 21, 2025
- Unusual calls to extension 9998 in Asterisk call logs and CDRs
- Suspicious "ampuser" entries in the ampusers database table, or other unknown users
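The checklist above is easy to turn into a repeatable triage script. The following shell script is an added example written for this page; it is not Sangoma's tooling and not part of the advisory. It implements each listed indicator as a function that prints matching evidence to stderr and a finding count to stdout, and it ships with a constructed sample tree (fake log lines and CDR rows, not real evidence) so it can be exercised offline. Assumptions: the Apache log lives at a Sangoma-distro style path such as /var/log/httpd/access_log (Debian-based FreePBX 17 uses /var/log/apache2/access.log, so pass the path explicitly), the CDR CSV follows Asterisk's default Master.csv column order with the destination in the third field, and the ampusers table is in the default `asterisk` database with a `username` column.

```shell
#!/bin/sh
# FreePBX CVE-2025-57819 IoC triage. Added example for this page; not Sangoma's
# tooling. Each check prints evidence to stderr and a finding count to stdout.

# Count file-system indicators under the root given as $1 ("" for a live host).
# Whether freepbx.conf was *modified* needs a baseline, so its listing is shown
# to the analyst and only missing/empty is counted automatically.
check_files() {
    root="$1"; n=0
    conf="$root/etc/freepbx.conf"
    if [ -s "$conf" ]; then
        ls -l "$conf" >&2
    else
        echo "ALERT: $conf missing or empty" >&2; n=$((n+1))
    fi
    if [ -e "$root/var/www/html/.clean.sh" ]; then
        echo "ALERT: $root/var/www/html/.clean.sh present" >&2; n=$((n+1))
    fi
    echo "$n"
}

# Count POST requests to modular.php on or after 21/Aug/2025 in an Apache
# combined-format access log ($1). The [dd/Mon/yyyy:HH:MM:SS timestamp in field
# 4 is turned into a yyyymmdd integer so the date cut-off is a numeric compare.
count_modular_posts() {
    awk '
    BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i in m) mon[m[i]] = i }
    /"POST [^"]*modular\.php/ {
        split(substr($4, 2), d, "[/:]")          # d[1]=day d[2]=Mon d[3]=year
        key = d[3] * 10000 + mon[d[2]] * 100 + d[1]
        if (key >= 20250821) { n++; print "ALERT: " $0 > "/dev/stderr" }
    }
    END { print n + 0 }' "$1"
}

# Count CDR rows in Asterisk cdr-csv Master.csv ($1) whose destination (assumed
# default column order: accountcode,src,dst,...) equals the extension in $2.
count_calls_to() {
    awk -F, -v ext="$2" '
    { dst = $3; gsub(/"/, "", dst)
      if (dst == ext) { n++; print "ALERT: call to " ext ": " $0 > "/dev/stderr" } }
    END { print n + 0 }' "$1"
}

# Read usernames one per line on stdin (e.g. from
#   mysql -N asterisk -e "SELECT username FROM ampusers")
# and count any not in the space-separated allowlist given as $1.
check_ampusers() {
    allow=" $1 "; n=0
    while IFS= read -r u; do
        [ -z "$u" ] && continue
        case "$allow" in
            *" $u "*) ;;
            *) echo "ALERT: unexpected ampusers row: $u" >&2; n=$((n+1)) ;;
        esac
    done
    echo "$n"
}

# Constructed sample filesystem (NOT real evidence) so the checks run offline.
# Prints the temp directory path. Addresses are RFC 5737 documentation ranges.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/var/www/html" "$d/var/log/httpd" "$d/var/log/asterisk/cdr-csv"
    : > "$d/etc/freepbx.conf"                      # empty: flagged as missing/empty
    printf '#!/bin/sh\nrm -f /var/log/httpd/*\n' > "$d/var/www/html/.clean.sh"
    cat > "$d/var/log/httpd/access_log" <<'EOF'
203.0.113.7 - - [19/Aug/2025:08:01:11 +0000] "POST /admin/modular.php HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.9 - - [21/Aug/2025:03:14:07 +0000] "POST /admin/modular.php HTTP/1.1" 200 981 "-" "python-requests/2.31"
198.51.100.9 - - [22/Aug/2025:03:15:02 +0000] "GET /admin/config.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Aug/2025:11:40:19 +0000] "POST /admin/modular.php?x=1 HTTP/1.1" 200 77 "-" "curl/8.0"
EOF
    cat > "$d/var/log/asterisk/cdr-csv/Master.csv" <<'EOF'
"","1001","2002","from-internal","""Alice"" <1001>","PJSIP/1001-00000001","PJSIP/2002-00000002","Dial","PJSIP/2002,30","2025-08-22 09:00:00","2025-08-22 09:00:05","2025-08-22 09:02:00",120,115,"ANSWERED",3,"1755853200.1",""
"","1001","9998","from-internal","""Alice"" <1001>","PJSIP/1001-00000003","","Playback","demo","2025-08-22 09:10:00","2025-08-22 09:10:00","2025-08-22 09:10:03",3,3,"ANSWERED",3,"1755853800.3",""
EOF
    echo "$d"
}

# Demo against the constructed tree. On a live host use check_files "" and the
# real log, CDR and mysql paths instead.
sample=$(make_sample_tree)
echo "file findings:     $(check_files "$sample")"
echo "modular.php POSTs: $(count_modular_posts "$sample/var/log/httpd/access_log")"
echo "calls to 9998:     $(count_calls_to "$sample/var/log/asterisk/cdr-csv/Master.csv" 9998)"
echo "unknown ampusers:  $(printf 'admin\nampuser\n' | check_ampusers admin)"
rm -rf "$sample"
```

The sample run flags two file indicators, two of the three modular.php POSTs (the 19 August one falls before the advisory's cut-off and is left for manual review), one call to 9998 and one unexpected ampusers row. A zero count from every check is not proof of a clean system: the date filter only narrows the log review, and attackers who have already obtained code execution can remove the dropped file and edit logs, which is why the advisory's own guidance is to patch and restrict ACP exposure rather than rely on indicator hunting alone.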
“We are seeing active exploitation of FreePBX in the wild with activity traced back as far as August 21 and backdoors being dropped post‑compromise,” said watchTowr CEO Benjamin Harris in a statement provided to The Hacker News. Harris urged operators using FreePBX with the endpoint module to assume compromise and to disconnect affected systems promptly to limit the blast radius.
The incident underscores a broader pattern in which PBX platforms, widely used by businesses, call centers and service providers, have become attractive targets for ransomware groups, initial access brokers and fraud actors seeking to monetize premium-rate calling. For additional guidance, administrators are advised to review the official FreePBX security advisory thread on the community forum and the related discussion of CIS-hardened images.