FreePBX Rings Red: Zero-Day Lets Attackers Dial in as Root

Aug 31, 2025 | By Santosh Sethuraman | 3 min read

FreePBX administrators are facing urgent calls to secure their systems against an actively exploited zero-day vulnerability in the commercial Endpoint Manager module. The Security Team has confirmed that this critical flaw, identified as CVE-2025-57819, allows attackers to execute code remotely on vulnerable systems. With a CVSS score of 10.0, the highest possible severity rating, this vulnerability poses a significant threat to businesses and call centers that rely on the popular open-source PBX platform.

Vulnerability Details

The zero-day vulnerability stems from insufficient sanitization of user-supplied input processed by the commercial "endpoint" module. This initial entry point was then chained with several further steps, including an authentication bypass in the FreePBX Administrator Control Panel, to ultimately gain potentially root-level access on the target systems.

Affected Products

The vulnerability affects FreePBX versions 15, 16, and 17, specifically those with the Endpoint module installed and the Administrator Control Panel exposed to the internet via ports 80 or 443.

Impact

Successful exploitation of this vulnerability can have severe consequences, including:

  • Privilege Escalation: Attackers can gain elevated privileges on the system, potentially leading to root-level access.
  • Remote Command Execution: Arbitrary commands can be executed under the web server user, giving attackers control over the system.
  • Malicious Activities: Attackers have been observed deploying cleanup scripts to hide their tracks, installing persistent backdoors for long-term access, and stealing sensitive call detail records.

Indicators of Compromise (IOCs)

Administrators should immediately inspect their systems for the following signs of a compromise:

  • The presence of a malicious “.clean.sh” file in the /var/www/html directory.
  • Recent modifications to or the absence of the /etc/freepbx.conf file.
  • Suspicious POST requests to modular.php in web server logs, with activity traced back to at least August 21, 2025.
  • Unusual calls to extension 9998 in Asterisk call logs.
  • The presence of unexpected “ampuser” entries in the MariaDB ampusers table or other unknown users.
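The following script sweeps a FreePBX host for the five IOCs listed above. It is an added example, not tooling from Sangoma or SecPod, and it assumes a FreePBX Distro layout: an Apache combined-format access log at /var/www/html's sibling /var/log/httpd/access_log, the Asterisk verbose log at /var/log/asterisk/full, an `asterisk` MariaDB database whose `ampusers` table has a `username` column that root can query without a password, and an allowlist of expected admin usernames that you maintain at /root/known-ampusers.txt. The grep patterns for the web and Asterisk logs are assumptions about those formats; every path can be overridden through the environment variables at the top.

```shell
#!/bin/sh
# IOC sweep for the FreePBX Endpoint Manager zero-day (CVE-2025-57819).
# Added example, not Sangoma's or SecPod's tooling. Paths, log formats and the
# database access below are assumptions about a FreePBX Distro host; adjust them.

WEBROOT="${WEBROOT:-/var/www/html}"
FREEPBX_CONF="${FREEPBX_CONF:-/etc/freepbx.conf}"
HTTP_LOG="${HTTP_LOG:-/var/log/httpd/access_log}"
ASTERISK_LOG="${ASTERISK_LOG:-/var/log/asterisk/full}"
KNOWN_ADMINS="${KNOWN_ADMINS:-/root/known-ampusers.txt}"   # one expected username per line

# IOC 1: the attacker's cleanup script dropped in the web root.
check_clean_script() {      # $1 = web root; exit 0 when the file exists
    [ -f "$1/.clean.sh" ]
}

# IOC 2: /etc/freepbx.conf missing, or modified within the last $2 days.
check_freepbx_conf() {      # $1 = conf path, $2 = window in days; exit 0 when suspicious
    [ -f "$1" ] || return 0
    [ -n "$(find "$1" -mtime "-$2" 2>/dev/null)" ]
}

# IOC 3: POST requests to modular.php (Apache combined log format assumed).
count_modular_posts() {     # $1 = access log; prints the number of matching lines
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -E '"POST [^" ]*modular\.php' "$1" || :
}

# IOC 4: calls into extension 9998. Assumes Asterisk's verbose "full" log,
# where each new call into an extension starts at dialplan priority 1.
count_ext_9998_calls() {    # $1 = asterisk log; prints the number of calls
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -E 'Executing \[9998@[^]:]*:1\]' "$1" || :
}

# IOC 5: admin accounts that are not on the allowlist. Reads usernames from
# stdin so it works on a live query or on a saved dump of the ampusers table.
list_unknown_ampusers() {   # $1 = allowlist file; prints each unexpected username
    while IFS= read -r user; do
        [ -n "$user" ] || continue
        grep -qx -- "$user" "$1" 2>/dev/null || echo "$user"
    done
}

scan() {
    findings=0
    if check_clean_script "$WEBROOT"; then
        echo "IOC: $WEBROOT/.clean.sh is present"; findings=$((findings + 1))
    fi
    if check_freepbx_conf "$FREEPBX_CONF" 14; then
        echo "IOC: $FREEPBX_CONF is missing or was modified in the last 14 days"; findings=$((findings + 1))
    fi
    n=$(count_modular_posts "$HTTP_LOG")
    if [ "$n" -gt 0 ]; then
        echo "IOC: $n POST request(s) to modular.php in $HTTP_LOG (review timestamps from 2025-08-21 on)"; findings=$((findings + 1))
    fi
    n=$(count_ext_9998_calls "$ASTERISK_LOG")
    if [ "$n" -gt 0 ]; then
        echo "IOC: $n call(s) to extension 9998 in $ASTERISK_LOG"; findings=$((findings + 1))
    fi
    if command -v mysql >/dev/null 2>&1; then
        # Assumes root on the host can query the 'asterisk' database without a password.
        unknown=$(mysql -N -e 'SELECT username FROM ampusers' asterisk 2>/dev/null | list_unknown_ampusers "$KNOWN_ADMINS")
        if [ -n "$unknown" ]; then
            echo "IOC: unexpected ampusers entries:"; echo "$unknown"; findings=$((findings + 1))
        fi
    else
        echo "skipped: mysql client not found, review the ampusers table manually"
    fi
    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}

# Run the sweep only when asked, so the functions can also be sourced on their own:
#   RUN_IOC_SCAN=1 sh freepbx-ioc-sweep.sh
if [ "${RUN_IOC_SCAN:-0}" = 1 ]; then
    scan
fi
```

The script exits non-zero when any IOC fires, so it can be dropped into a cron job or a fleet-wide SSH loop. The request and call counts cover the whole log file rather than only the window since August 21, 2025, so a non-zero count is a prompt to read the matching lines and their timestamps, not a verdict by itself; likewise, a recently modified freepbx.conf is expected right after a legitimate upgrade, which is why the window is a parameter.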

Mitigation & Recommendations

The Sangoma FreePBX Security Team strongly advises administrators to take the following actions to mitigate the risks:

  • Apply Updates: FreePBX users on v15 should upgrade to version 15.0.66, v16 users should upgrade to 16.0.89, and v17 administrators should upgrade to 17.0.3.
  • Disable Public Internet Access: Immediately remove public access to FreePBX administration interfaces.
  • Restrict Access to Trusted IPs: Utilize the FreePBX Firewall module to limit access to the Administrator Control Panel to only known and trusted IP addresses.
  • Use a VPN or Isolated VLAN: For enhanced security, place the PBX behind a VPN or within an isolated management VLAN.
  • Restore from a Clean Backup: If any IOCs are found, it is crucial to revert to a known clean backup from before the suspected compromise.
  • Rotate Credentials: Immediately change all credentials, including SIP trunks and voicemail PINs.

Tactics, Techniques & Procedures (TTPs)

Instantly Fix Risks with Saner Patch Management

Saner patch management is continuous, automated, and integrated patching software that instantly fixes risks exploited in the wild. It supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.
