You are currently viewing FreePBX Rings Red: Zero-Day Lets Attackers Dial in as Root

FreePBX Rings Red: Zero-Day Lets Attackers Dial in as Root

  • Post author:
  • Reading time:3 mins read

FreePBX administrators are facing urgent calls to secure their systems against an actively exploited zero-day vulnerability in the commercial Endpoint Manager module. The Security Team has confirmed that this critical flaw, identified as CVE-2025-57819, allows attackers to execute code remotely on vulnerable systems. With a CVSS score of 10.0, the highest possible severity rating, this vulnerability poses a significant threat to businesses and call centers that rely on the popular open-source PBX platform.

Vulnerability Details

The zero-day vulnerability stems from an insufficient sanitization error in the processing of user-supplied input to the commercial “endpoint” module. This initial entry point was then chained with several other steps to ultimately gain potentially root-level access on the target systems, which can lead to an authentication bypass in the FreePBX Administrator control panel.

Affected Products

The vulnerability affects FreePBX versions 15, 16, and 17, specifically those with the Endpoint module installed and the Administrator Control Panel exposed to the internet via ports 80 or 443.

Impact

Successful exploitation of this vulnerability can have severe consequences, including:

  • Privilege Escalation: Attackers can gain elevated privileges on the system, potentially leading to root-level access.
  •  Remote Command Execution: Arbitrary commands can be executed under the web server user, giving attackers control over the system.
  •  Malicious Activities: Attackers have been observed deploying cleanup scripts to hide their tracks, installing persistent backdoors for long-term access, and stealing sensitive call detail records.

Indicators of Compromise (IOCs)

Administrators should immediately inspect their systems for the following signs of a compromise:

  • The presence of a malicious “.clean.sh” file in the /var/www/html directory.
  • Recent modifications to or the absence of the /etc/freepbx.conf file.
  • Suspicious POST requests to modular.php in web server logs, with activity traced back to at least August 21, 2025.
  • Unusual calls to extension 9998 in Asterisk call logs.
  • The presence of unexpected “ampuser” entries in the MariaDB ampusers table or other unknown users.

Mitigation & Recommendations

The Sangoma FreePBX Security Team strongly advises administrators to take the following actions to mitigate the risks:

  • Apply Updates: FreePBX users on v15 should upgrade to version 15.0.66, v16 users should upgrade to 16.0.89, and v17 administrators should upgrade to 17.0.3.
  • Disable Public Internet Access: Immediately remove public access to FreePBX administration interfaces.
     Restrict Access to Trusted IPs: Utilize the FreePBX Firewall module to limit access to the Administrator Control Panel to only known and trusted IP addresses.
  •  Use a VPN or Isolated VLAN: For enhanced security, place the PBX behind a VPN or within an isolated management VLAN.
  • Restore from a Clean Backup: If any IOCs are found, it is crucial to revert to a known clean backup from before the suspected compromise.
  • Rotate Credentials: Immediately change all credentials, including SIP trunks and voicemail PINs.

Tactics, Techniques & Procedures (TTPs)

IDNameDescription
TA0001Initial AccessAttackers exploit the public-facing application to gain an initial foothold.
T1190Exploit Public-Facing ApplicationThe zero-day vulnerability is exploited on systems where the Administrator Control Panel is exposed to the internet.
TA0002ExecutionMalicious payloads are deployed by executing commands and scripts.
T1059Command and Scripting InterpreterAttacker-controlled exploit code is used to gain remote code execution.
TA0004Privilege EscalationThe vulnerability is exploited to gain elevated privileges.
T1068Exploitation for Privilege EscalationThe exploit allows privilege escalation under the web server user.

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.