The Sangoma FreePBX Security Team has issued an advisory warning about an actively exploited FreePBX zero-day vulnerability that impacts systems with an administrator control panel (ACP) exposed to the public internet.
FreePBX is an open-source private branch exchange (PBX) platform widely used by businesses, call centers, and service providers to manage voice communications. It's built on top of Asterisk, an open-source communication server.
The vulnerability, assigned the CVE identifier CVE-2025-57819, carries a CVSS score of 10.0, indicating maximum severity.
"Insufficiently sanitized user-supplied data allows unauthenticated access to FreePBX Administrator, leading to arbitrary database manipulation and remote code execution," the project maintainers said in an advisory.
The issue impacts the following versions -
- FreePBX 15 prior to 15.0.66
- FreePBX 16 prior to 16.0.89, and
- FreePBX 17 prior to 17.0.3
Sangoma said an unauthorized user began accessing multiple FreePBX version 16 and 17 systems connected to the internet starting on or before August 21, 2025, specifically those that have inadequate IP filtering or access control lists (ACLs), by taking advantage of a sanitization issue in the processing of user-supplied input to the commercial "endpoint" module.
The initial access obtained using this method was then combined with other steps to potentially gain root-level access on the target hosts, it added.
In light of active exploitation, users are advised to upgrade to the latest supported versions of FreePBX and restrict public access to the administrator control panel. Users are also advised to scan their environments for the following indicators of compromise (IoCs) -
- File "/etc/freepbx.conf" recently modified or missing
- Presence of the file "/var/www/html/.clean.sh" (this file should not exist on normal systems)
- Suspicious POST requests to "modular.php" in Apache web server logs dating back to at least August 21, 2025
- Phone calls placed to extension 9998 in Asterisk call logs and CDRs are unusual (unless previously configured)
- Suspicious "ampuser" user in the ampusers database table or other unknown users
"We are seeing active exploitation of FreePBX in the wild with activity traced back as far as August 21 and backdoors being dropped post-compromise," watchTowr CEO Benjamin Harris said in a statement shared with The Hacker News.
"While it's early, FreePBX (and other PBX platforms) have long been a favorite hunting ground for ransomware gangs, initial access brokers and fraud groups abusing premium billing. If you use FreePBX with an endpoint module, assume compromise. Disconnect systems immediately. Delays will only increase the blast radius."
