FreePBX Servers Under Attack Due to a 0-Day Vulnerability

Developers at Sangoma Technologies Corporation have warned about an actively exploited 0-day vulnerability in FreePBX that affects systems with the administration panel exposed to the internet.

FreePBX is an open-source PBX (Private Branch Exchange) platform built on top of Asterisk, widely used by businesses, call centers, and service providers to manage voice communications, internal extensions, SIP trunks, and call routing.

The Sangoma FreePBX security team warns that since August 21, 2025, hackers have been exploiting a zero-day vulnerability in remotely accessible administration panels.

“The Sangoma FreePBX security team has become aware of a potential exploit affecting some systems where the administration panel is exposed to public access over the internet. We are working on a fix, which is expected to be deployed within the next 36 hours,” the developers originally wrote. “Users are advised to restrict administrative access to FreePBX by using the Firewall module to limit access to known and trusted hosts only.”

The vulnerability at the root of these attacks has been assigned the identifier CVE-2025-57819 and carries the maximum CVSS score of 10.0.

“Insufficient sanitization of user-supplied data allows unauthorized access to the FreePBX Administrator, which can lead to arbitrary database manipulation and remote code execution,” the developers explained.

The issue affects the following versions:

  • FreePBX 15 up to version 15.0.66;
  • FreePBX 16 up to version 16.0.89;
  • FreePBX 17 up to version 17.0.3.

As a result, an emergency fix for the EDGE module was released, followed by urgent patches.

According to Sangoma, on August 21 attackers began exploiting CVE-2025-57819 against FreePBX versions 16 and 17. After gaining initial access through the administration panel, they attempted to escalate to root privileges on the targeted hosts.

Users are advised to update FreePBX to the latest supported versions as soon as possible and to restrict public access to the administrative control panel.

It is also recommended to scan the environment for the following indicators of compromise:

  • the /etc/freepbx.conf file was recently modified or is missing;
  • the presence of the /var/www/html/.clean.sh file (this file should not exist on normal systems);
  • suspicious POST requests to modular.php, which can be found in the Apache web server logs;
  • calls to number 9998 in the call logs and Asterisk CDR;
  • a suspicious ampuser account in the ampusers database, or other unknown users.
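A small triage script that checks the five indicators above, added here as an example; it is not from Sangoma or the article. The Apache log format, the CDR row layout, the sample log and CDR rows, and the seven-day "recently modified" window are constructed assumptions.

```python
"""Triage helper for the FreePBX CVE-2025-57819 indicators (constructed example)."""
import os
import re
import time

# Apache combined-log request field: "METHOD /path HTTP/x.y" STATUS
APACHE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def file_indicators(conf="/etc/freepbx.conf", clean_sh="/var/www/html/.clean.sh",
                    max_age_days=7, now=None):
    """Flag a missing or recently touched freepbx.conf and the presence of
    .clean.sh, which should never exist on a normal system."""
    now = time.time() if now is None else now
    findings = []
    if not os.path.exists(conf):
        findings.append(f"{conf} is missing")
    elif now - os.path.getmtime(conf) < max_age_days * 86400:
        findings.append(f"{conf} modified within the last {max_age_days} days")
    if os.path.exists(clean_sh):
        findings.append(f"{clean_sh} exists")
    return findings

def modular_php_posts(apache_lines):
    """Return access-log lines carrying a POST to modular.php (query string ignored)."""
    hits = []
    for line in apache_lines:
        m = APACHE_RE.search(line)
        if m and m["method"] == "POST" and m["path"].split("?")[0].endswith("modular.php"):
            hits.append(line)
    return hits

def calls_to_9998(cdr_rows):
    """cdr_rows: dicts with at least 'src' and 'dst' (assumed Asterisk CDR columns)."""
    return [r for r in cdr_rows if r.get("dst") == "9998"]

def unexpected_ampusers(ampusers, known):
    """Accounts present in the ampusers table that the administrator did not create."""
    return sorted(set(ampusers) - set(known))

# Constructed sample data (not real traffic); the /admin/ prefix is an assumption.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [22/Aug/2025:03:14:07 +0000] "POST /admin/modular.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.9 - - [22/Aug/2025:03:15:01 +0000] "GET /admin/config.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
SAMPLE_CDR = [{"src": "1001", "dst": "9998"}, {"src": "1002", "dst": "2000"}]

if __name__ == "__main__":
    print(file_indicators())
    print(modular_php_posts(SAMPLE_ACCESS_LOG))
    print(calls_to_9998(SAMPLE_CDR))
    print(unexpected_ampusers(["admin", "ampuser"], ["admin"]))
```

On a live host, feed it the real access log and a CDR export, and replace the known-user list with the accounts you actually created; any non-empty result warrants a closer look rather than being treated as proof of compromise by itself.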

Many FreePBX customers have already reported that their servers were compromised through this vulnerability.

“Several servers in our infrastructure were compromised, and the attack affected roughly 3,000 SIP extensions and 500 trunks,” one customer writes on the project forums. “As part of our incident response, we locked down all administrative access and restored the systems to their previous state.”

“Yes, my personal PBX was affected too, as was another one I help manage. The exploit essentially allows an attacker to execute any command that the asterisk user is permitted to run,” writes another affected user on Reddit.
