The Sangoma FreePBX Security Team has issued an advisory warning about an actively exploited FreePBX zero-day vulnerability that impacts systems with an administrator control panel (ACP) exposed to the public internet.
FreePBX is an open-source private branch exchange (PBX) platform widely used by businesses, call centers, and service providers to manage voice communications. It's built on top of Asterisk, an open-source communication server.
The vulnerability, assigned the CVE identifier CVE-2025-57819, carries a CVSS score of 10.0, indicating maximum severity.
"Insufficiently sanitized user-supplied data allows unauthenticated access to FreePBX Administrator, leading to arbitrary database manipulation and remote code execution," the project maintainers said in an advisory.
The issue impacts the following versions -
- FreePBX 15 prior to 15.0.66
- FreePBX 16 prior to 16.0.89, and
- FreePBX 17 prior to 17.0.3
Sangoma said an unauthorized user began accessing multiple FreePBX version 16 and 17 systems connected to the internet starting on or before August 21, 2025, specifically those that have inadequate IP filtering or access control lists (ACLs), by taking advantage of a sanitization issue in the processing of user-supplied input to the commercial "endpoint" module.
The initial access obtained using this method was then combined with other steps to potentially gain root-level access on the target hosts, it added.
In light of active exploitation, users are advised to upgrade to the latest supported versions of FreePBX and restrict public access to the administrator control panel. Users are also advised to scan their environments for the following indicators of compromise (IoCs) -
- File "/etc/freepbx.conf" recently modified or missing
- Presence of the file "/var/www/html/.clean.sh" (this file should not exist on normal systems)
- Suspicious POST requests to "modular.php" in Apache web server logs dating back to at least August 21, 2025
- Phone calls placed to extension 9998 in Asterisk call logs and CDRs are unusual (unless previously configured)
- Suspicious "ampuser" user in the ampusers database table or other unknown users
"We are seeing active exploitation of FreePBX in the wild with activity traced back as far as August 21 and backdoors being dropped post-compromise," watchTowr CEO Benjamin Harris said in a statement shared with The Hacker News.
"While it's early, FreePBX (and other PBX platforms) have long been a favorite hunting ground for ransomware gangs, initial access brokers and fraud groups abusing premium billing. If you use FreePBX with an endpoint module, assume compromise. Disconnect systems immediately. Delays will only increase the blast radius."
CVE-2025-57819 Added to CISA KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added CVE-2025-57819 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by September 19, 2025.
"Sangoma FreePBX contains an authentication bypass vulnerability due to insufficiently sanitized user-supplied data allows unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution," the agency said.
Technical Details of CVE-2025-57819 Released
In an analysis released on September 10, 2025, watchTowr Labs said the vulnerability has been used as a conduit to serve web shells and a bash cleanup script ("/var/www/html/.clean.sh") designed to erase evidence after backdoor access.
The cybersecurity company also noted that CVE-2025-57819 stems from the fact that it allows access to certain files ending with ".php" directly without the need for authentication (e.g., "/admin/ajax.php") and combine it with a post-auth SQL Injection in the FreePBX endpoint module.
"The custom FreePBX class loader allows you to include any file ending with the .php extension from the admin/modules location," it noted. "The official patch focuses narrowly on fixing the SQL Injection in the endpoint module. But the bigger issue – this 'authentication bypass' quirk that lets you include .php files pre-auth – sits in the core FreePBX code untouched."
watchTowr said this behavior on fully patched systems exposes a "juicy" attack surface that allows bad actors to directly hit certain module .php files without logging in.
As a next step, the SQL injection could be transformed into a full-blown remote code execution scenario by inserting a malicious row into a table called "cron_jobs" by specifying the command to be executed. In all, an attacker can issue an HTTP request as below to achieve code execution -
GET /admin/ajax.php?module=FreePBX\\modules\\endpoint\\ajax&command=model&template=x&model=model&brand=x'+;INSERT+INTO+cron_jobs+(modulename,jobname,command,class,schedule,max_runtime,enabled,execution_order)+VALUES+('sysadmin','watchTowr','id+>+/tmp/watchTowr',NULL,'*+*+*+*+*',30,1,1)+--+ HTTP/1.1
Host: freepbx.lab
(The story was updated after publication on September 12, 2025, with details about the vulnerability.)
