The Sangoma FreePBX Security Team has issued an urgent security advisory after discovering a potential exploit targeting systems with their Administrator Control Panel (ACP) exposed to the public internet. Administrators are urged to take immediate precautions while a permanent fix is being finalized.
According to the advisory, “The Sangoma FreePBX Security Team is aware of a potential exploit affecting some systems with the administrator control panel exposed to the public internet, and we are working on a fix, with expected deployment within the next 36 hours.”
Attackers can exploit this exposure to compromise FreePBX or PBXAct systems. The advisory emphasizes that users should “limit access to the FreePBX Administrator by using the Firewall module to limit access to only known trusted hosts.”
While the full security release is in progress, Sangoma has provided an EDGE module update for testing.
- For FreePBX v16 or v17: fwconsole ma downloadinstall endpoint --edge
- For PBXAct v16: fwconsole ma downloadinstall endpoint --tag 16.0.88.19
- For PBXAct v17: fwconsole ma downloadinstall endpoint --tag 17.0.2.31
The team noted: “please note that this has not gone through full normal QA, but we will be doing so ASAP and including as part of normal security release.”
Administrators are strongly advised to check for signs of compromise. The advisory outlines a minimum infection detection checklist, including:
- Confirming /etc/freepbx.conf still exists.
- Looking for a suspicious leftover script: /var/www/html/.clean.sh.
- Searching Apache logs for POST requests to modular.php.
- Checking Asterisk logs for calls to extension 9998.
- Reviewing MariaDB/MySQL ampusers tables for unknown accounts.
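The checklist above, turned into a read-only triage script, as an added example that is not part of Sangoma's advisory or the FreePBX project. It assumes an Apache combined-format access log, Asterisk verbose "Executing [<exten>@<context>:<prio>]" log lines, and that the ampusers table is in the stock asterisk database queried with the mysql client; the log lines and account names it runs against are constructed samples, and on a live PBX you would point run_checklist at /etc/freepbx.conf, /var/www/html/.clean.sh and the real Apache and Asterisk logs instead.

```shell
#!/bin/sh
# Added triage example, not code from Sangoma or the FreePBX project: walks the
# advisory's minimum infection-detection checklist read-only and prints one
# line per check. Assumptions (not stated in the advisory): Apache combined
# log format, Asterisk verbose "Executing [<exten>@<context>:<prio>]" lines,
# and that ampusers lives in the stock 'asterisk' MariaDB/MySQL database.

# Count lines of FILE ($2) matching extended regex PATTERN ($1); 0 if unreadable.
count_matches() {
    [ -r "$2" ] || { echo 0; return 0; }
    grep -Ec "$1" "$2" || true          # grep exits 1 on zero matches; keep the 0
}

# Apache access log: POST requests to modular.php (the advisory's indicator).
count_modular_posts() { count_matches '"POST [^" ]*modular\.php' "$1"; }

# Asterisk full log: dialplan execution for extension 9998.
count_ext_9998_calls() { count_matches 'Executing \[9998@' "$1"; }

# Print usernames in USERS_FILE ($1) that are not listed in KNOWN_FILE ($2).
# USERS_FILE is assumed to come from (assumed database name 'asterisk'):
#   mysql -N asterisk -e 'SELECT username FROM ampusers' > /tmp/ampusers.txt
unknown_ampusers() {
    grep -vxF -f "$2" "$1" || true      # -v exits 1 when every user is known
}

# run_checklist CONF LEFTOVER_SCRIPT APACHE_LOG ASTERISK_LOG USERS_FILE KNOWN_FILE
run_checklist() {
    if [ -f "$1" ]; then echo "ok    $1 present"; else echo "ALERT $1 missing"; fi
    if [ -e "$2" ]; then echo "ALERT leftover script $2 present"; else echo "ok    no $2"; fi
    n=$(count_modular_posts "$3")
    if [ "$n" -gt 0 ]; then echo "ALERT $n POST(s) to modular.php in $3"; else echo "ok    no POSTs to modular.php"; fi
    n=$(count_ext_9998_calls "$4")
    if [ "$n" -gt 0 ]; then echo "ALERT $n call(s) to extension 9998 in $4"; else echo "ok    no calls to 9998"; fi
    u=$(unknown_ampusers "$5" "$6")
    if [ -n "$u" ]; then echo "ALERT unknown ampusers account(s): $u"; else echo "ok    all ampusers accounts known"; fi
}

# Constructed sample inputs so the checks can be exercised offline. On a real
# PBX pass /etc/freepbx.conf, /var/www/html/.clean.sh and the live logs instead.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_CONF="$SAMPLE_DIR/freepbx.conf"
SAMPLE_APACHE="$SAMPLE_DIR/access_log"
SAMPLE_AST="$SAMPLE_DIR/full"
SAMPLE_USERS="$SAMPLE_DIR/ampusers.txt"
SAMPLE_KNOWN="$SAMPLE_DIR/known_admins.txt"

: > "$SAMPLE_CONF"                      # config still present in this sample
cat > "$SAMPLE_APACHE" <<'EOF'
203.0.113.7 - - [22/Aug/2025:03:14:09 +0000] "POST /admin/modular.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.2 - - [22/Aug/2025:08:02:41 +0000] "GET /admin/config.php HTTP/1.1" 200 9821 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Aug/2025:03:14:11 +0000] "GET /admin/modular.php HTTP/1.1" 200 77 "-" "python-requests/2.31"
EOF
cat > "$SAMPLE_AST" <<'EOF'
[2025-08-22 03:15:02] VERBOSE[2201][C-0000001a] pbx.c: Executing [9998@from-internal:1] Answer("PJSIP/1001-00000012", "") in new stack
[2025-08-22 08:10:30] VERBOSE[2201][C-0000001b] pbx.c: Executing [2001@from-internal:1] Dial("PJSIP/1001-00000013", "PJSIP/2001") in new stack
EOF
printf 'admin\nsvc_backup\n' > "$SAMPLE_USERS"   # constructed ampusers dump
printf 'admin\n' > "$SAMPLE_KNOWN"               # accounts you expect to exist

run_checklist "$SAMPLE_CONF" "$SAMPLE_DIR/.clean.sh" \
              "$SAMPLE_APACHE" "$SAMPLE_AST" "$SAMPLE_USERS" "$SAMPLE_KNOWN"
```

Only POST requests to modular.php are counted (the sample GET to the same path is ignored), and a missing log file is reported as zero matches rather than an error, so the script can run on a partially cleaned host. Treat the output as a starting point for the restoration procedure in the advisory, not as proof of a clean system.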
If compromise is detected, administrators are urged to stay calm and follow Sangoma’s restoration or cleanup procedures.
Sangoma advises preserving backups from before August 21st, reinstalling a clean system with proper firewalling and the updated endpoint module, and then restoring data. They stress that all credentials should be rotated: “Rotate all passwords, including but not limited to: system, SIP trunks, users, extensions, voicemail, UCP, etc.”
Even if no infection is found, the team recommends reviewing call detail records and bills for signs of fraud—particularly international calling abuse.