
The Sangoma FreePBX Security Team has issued an urgent advisory for a zero-day vulnerability tracked as CVE-2025-57819, which The Hacker News reports is being actively exploited.
The flaw affects FreePBX systems whose administrator control panel is exposed to the public internet.
The vulnerability, rated with the maximum CVSS score of 10.0, allows unauthenticated attackers to gain administrator access, manipulate the database, and execute code remotely.
Impacted versions include FreePBX 15 prior to 15.0.66, 16 prior to 16.0.89, and 17 prior to 17.0.3.
Exploitation has been observed since August 21, 2025, primarily against versions 16 and 17 whose administrator panel was reachable without adequate IP filtering or access control lists.
Attackers leveraged a sanitization issue in the commercial “endpoint” module to gain initial access, which could then be escalated to root-level control of the host.
Sangoma urges users to update to the fixed versions immediately and to restrict public access to the administrator panel. Published indicators of compromise include:

- unauthorized modifications to /etc/freepbx.conf
- the presence of /var/www/html/.clean.sh
- suspicious POST requests to modular.php
- unexplained calls to extension 9998
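As an added example (not code from the Sangoma advisory or from The Hacker News), the following POSIX shell script hunts a FreePBX host for the four indicators listed above. The Apache access-log path, the Asterisk CDR CSV path and its column order, the exact URL that contains modular.php, and the existence of a known-good copy of /etc/freepbx.conf to compare against are all assumptions, and the sample log lines in `demo` are constructed rather than captured from a real host.

```shell
#!/bin/sh
# Added example, not from the Sangoma advisory: hunt a FreePBX host for the
# four published indicators of compromise. ASSUMED (not stated in the
# advisory): the Apache log path, the Asterisk CDR CSV path and column order,
# the exact URL path containing modular.php, and a known-good copy of
# /etc/freepbx.conf kept outside the web root to compare against.

ACCESS_LOG="${ACCESS_LOG:-/var/log/httpd/access_log}"               # assumed
CDR_CSV="${CDR_CSV:-/var/log/asterisk/cdr-csv/Master.csv}"           # assumed
CLEAN_SH="${CLEAN_SH:-/var/www/html/.clean.sh}"                      # from advisory
FREEPBX_CONF="${FREEPBX_CONF:-/etc/freepbx.conf}"                    # from advisory
KNOWN_GOOD_CONF="${KNOWN_GOOD_CONF:-/root/freepbx.conf.known-good}"  # assumed

# Count POST requests whose request line names modular.php; 0 if unreadable.
count_modular_posts() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c '"POST [^"]*modular\.php' "$1" || true
}

# Count CDR rows whose destination (3rd quoted column) is extension 9998.
count_calls_to_9998() {
    [ -r "$1" ] || { echo 0; return 0; }
    awk -F'","' '$3 == "9998" { n++ } END { print n + 0 }' "$1"
}

# True when the dropped helper script exists at the given path.
clean_sh_present() {
    [ -e "$1" ]
}

# True when the live config differs from the known-good copy. Without a
# readable baseline nothing can be concluded, so warn and do not flag.
conf_modified() {
    [ -r "$1" ] || { echo "warning: $1 not readable" >&2; return 1; }
    [ -r "$2" ] || { echo "warning: no baseline $2; review $1 by hand" >&2; return 1; }
    ! cmp -s "$1" "$2"
}

# Run every check; print one FINDING line per hit; return 1 if anything hit.
hunt() {
    access_log=$1 cdr=$2 clean=$3 conf=$4 baseline=$5
    hits=0
    n=$(count_modular_posts "$access_log")
    if [ "$n" -gt 0 ]; then echo "FINDING: $n POST(s) to modular.php in $access_log"; hits=1; fi
    n=$(count_calls_to_9998 "$cdr")
    if [ "$n" -gt 0 ]; then echo "FINDING: $n call(s) to extension 9998 in $cdr"; hits=1; fi
    if clean_sh_present "$clean"; then echo "FINDING: $clean exists"; hits=1; fi
    if conf_modified "$conf" "$baseline"; then echo "FINDING: $conf differs from $baseline"; hits=1; fi
    return $hits
}

# Demonstration on constructed sample data (not captured from a real host).
demo() {
    d=$(mktemp -d)
    printf '%s\n' \
      '203.0.113.7 - - [21/Aug/2025:03:12:09 +0000] "POST /admin/modular.php HTTP/1.1" 200 512 "-" "python-requests/2.31"' \
      '198.51.100.4 - - [21/Aug/2025:03:12:10 +0000] "GET /admin/config.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"' \
      '203.0.113.7 - - [21/Aug/2025:03:12:11 +0000] "POST /admin/modular.php HTTP/1.1" 200 77 "-" "python-requests/2.31"' \
      > "$d/access_log"
    printf '%s\n' \
      '"","1001","1002","from-internal","SIP/1001-00000001","SIP/1002-00000002","Dial","2025-08-22 03:12:11","ANSWERED"' \
      '"","1001","9998","from-internal","SIP/1001-00000003","","Dial","2025-08-22 03:14:11","ANSWERED"' \
      > "$d/Master.csv"
    printf '# constructed baseline\n' > "$d/freepbx.conf.known-good"
    printf '# constructed baseline\n# constructed unauthorized change\n' > "$d/freepbx.conf"
    : > "$d/.clean.sh"
    if hunt "$d/access_log" "$d/Master.csv" "$d/.clean.sh" "$d/freepbx.conf" "$d/freepbx.conf.known-good"; then
        echo "no indicators in sample data"
    else
        echo "indicators present in sample data (expected: all four)"
    fi
    rm -rf "$d"
}

case "${1:-}" in
    demo) demo ;;
    *) hunt "$ACCESS_LOG" "$CDR_CSV" "$CLEAN_SH" "$FREEPBX_CONF" "$KNOWN_GOOD_CONF" || true ;;
esac
```

Run it with `demo` to see all four findings on the constructed data, or with no argument on a FreePBX host (override the `ACCESS_LOG`, `CDR_CSV` and `KNOWN_GOOD_CONF` variables if your paths differ). A hit on any one indicator is enough to treat the host as compromised; an empty result is not proof of a clean system, since the attacker may have rotated logs or the CDR may not record calls to 9998 in the assumed column.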
“We are seeing active exploitation of FreePBX in the wild with activity traced back as far as August 21 and backdoors being dropped post-compromise,” watchTowr CEO Benjamin Harris said in a statement shared with The Hacker News.
“While it’s early, FreePBX (and other PBX platforms) have long been a favorite hunting ground for ransomware gangs, initial access brokers and fraud groups abusing premium billing. If you use FreePBX with an endpoint module, assume compromise. Disconnect systems immediately. Delays will only increase the blast radius.”