The Sangoma FreePBX Security Team has issued a critical advisory for a newly discovered vulnerability in its popular open-source telephony platform. Tracked as CVE-2025-57819 with a maximum CVSSv4 score of 10.0, the flaw allows unauthenticated attackers to bypass login protections, manipulate the database, and achieve remote code execution (RCE).
According to the advisory, "insufficiently sanitized user-supplied data allows unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution."
Exploitation has already been observed in the wild. The report explains: "Starting on or before August 21st, 2025, an unauthorized user began accessing multiple FreePBX version 16 and 17 systems that were connected directly to the public internet… by exploiting a validation/sanitization error in the processing of user-supplied input to the commercial 'endpoint' module."
Once access was gained, attackers chained several steps to escalate privileges, in some cases achieving root-level control over the target systems.
The vulnerability affects all supported versions of FreePBX (15, 16, and 17), with EOL versions untested but likely exposed. This means thousands of internet-exposed PBX systems worldwide could be compromised, allowing adversaries to:
- Take full control of the PBX server.
- Intercept or reroute calls.
- Steal sensitive configuration data and credentials.
- Deploy additional malware or pivot deeper into corporate networks.
The FreePBX Security Team urges immediate upgrades:
- Patched Versions:
  - FreePBX 15 → 15.0.66
  - FreePBX 16 → 16.0.89
  - FreePBX 17 → 17.0.3
Administrators can update modules via the web interface (Admin → Module Admin) or from the command line:
Systems not set for automatic updates should be patched manually as soon as possible.
In addition, the advisory stresses the importance of network-level restrictions: Users should limit access to the FreePBX Administrator by using the Firewall module to limit access to only known trusted hosts.
Administrators are advised to check their systems for the following red flags:
- /etc/freepbx.conf recently modified or missing.
- Presence of /var/www/html/.clean.sh (not normal on healthy systems).
- POST requests to modular.php in web logs.
- Calls to extension 9998 in call logs/CDRs without prior configuration.
- Unknown or suspicious users in the ampusers database table.
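A triage script for the five red flags above, added here as an example rather than code from Sangoma or the advisory; the access-log path, CDR column order, the ampusers database/column names and the admin allow-list are assumptions, so point it at copies of the real files before trusting its defaults:

```shell
#!/bin/sh
# Triage helper for the five CVE-2025-57819 red flags listed in the advisory.
# Added example, not Sangoma's code. Each check prints FLAG lines and returns 1
# when an indicator is present, 0 when clean, so it can drive a cron alert.
# Assumptions not taken from the advisory: the Apache access_log path, the CDR
# CSV column order, the database/column names for ampusers and the allow-list.

# 1. /etc/freepbx.conf missing, or modified within the last N days (default 30).
check_freepbx_conf() {
  conf="${1:-/etc/freepbx.conf}" days="${2:-30}"
  [ -f "$conf" ] || { echo "FLAG: $conf missing"; return 1; }
  if [ -n "$(find "$conf" -mtime "-$days")" ]; then
    echo "FLAG: $conf modified within the last $days days"; return 1
  fi
}

# 2. Script the intruders dropped; it never exists on a healthy system.
check_clean_sh() {
  f="${1:-/var/www/html/.clean.sh}"
  [ ! -e "$f" ] || { echo "FLAG: $f present"; return 1; }
}

# 3. POST requests to modular.php in a combined-format web access log.
scan_web_log() {
  log="${1:-/var/log/httpd/access_log}"
  hits=$(grep -E '"POST [^" ]*modular\.php' "$log") || return 0
  printf 'FLAG: POST to modular.php in %s:\n%s\n' "$log" "$hits"; return 1
}

# 4. Calls to extension 9998 in a CDR export (CSV, destination assumed in column 3).
scan_cdr() {
  hits=$(awk -F, '{ d = $3; gsub(/"/, "", d); if (d == "9998") print }' "$1")
  [ -z "$hits" ] || { printf 'FLAG: calls to 9998:\n%s\n' "$hits"; return 1; }
}

# 5. ampusers entries not in the allow-list. $1: one username per line, e.g. from
#    mysql -N asterisk -e 'SELECT username FROM ampusers'; $2: known admin usernames.
scan_ampusers() {
  unknown=$(grep -vxF -f "$2" "$1") || return 0
  printf 'FLAG: ampusers not in allow-list:\n%s\n' "$unknown"; return 1
}

# Run all checks: sh freepbx_triage.sh --check cdr.csv ampusers.txt known_admins.txt
case "${1:-}" in --check)
  rc=0
  check_freepbx_conf || rc=1; check_clean_sh || rc=1; scan_web_log || rc=1
  scan_cdr "$2" || rc=1; scan_ampusers "$3" "$4" || rc=1
  exit "$rc" ;;
esac
```

A non-zero exit from `--check` means at least one indicator fired; the printed FLAG lines say which, so the host can be isolated and imaged before anything is cleaned up.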
CVE-2025-57819 is one of the most serious vulnerabilities disclosed in FreePBX to date, with a maximum CVSS score of 10.0 and evidence of active exploitation. Organizations relying on FreePBX must patch immediately, review logs for the compromise indicators above, and restrict administrative access to trusted hosts only.