Article Details
Scrape Timestamp (UTC): 2025-08-29 09:47:42.399
Source: https://thehackernews.com/2025/08/freepbx-servers-targeted-by-zero-day.html
Original Article Text
Click to Toggle View
FreePBX Servers Targeted by Zero-Day Flaw, Emergency Patch Now Available. The Sangoma FreePBX Security Team has issued an advisory warning about an actively exploited FreePBX zero-day vulnerability that impacts systems with an administrator control panel (ACP) exposed to the public internet. FreePBX is an open-source private branch exchange (PBX) platform widely used by businesses, call centers, and service providers to manage voice communications. It's built on top of Asterisk, an open-source communication server. The vulnerability, assigned the CVE identifier CVE-2025-57819, carries a CVSS score of 10.0, indicating maximum severity. "Insufficiently sanitized user-supplied data allows unauthenticated access to FreePBX Administrator, leading to arbitrary database manipulation and remote code execution," the project maintainers said in an advisory. The issue impacts the following versions - Sangoma said an unauthorized user began accessing multiple FreePBX version 16 and 17 systems connected to the internet starting on or before August 21, 2025, specifically those that have inadequate IP filtering or access control lists (ACLs), by taking advantage of a sanitization issue in the processing of user-supplied input to the commercial "endpoint" module. The initial access obtained using this method was then combined with other steps to potentially gain root-level access on the target hosts, it added. In light of active exploitation, users are advised to upgrade to the latest supported versions of FreePBX and restrict public access to the administrator control panel. Users are also advised to scan their environments for the following indicators of compromise (IoCs) - "We are seeing active exploitation of FreePBX in the wild with activity traced back as far as August 21 and backdoors being dropped post-compromise," watchTowr CEO Benjamin Harris said in a statement shared with The Hacker News. "While it's early, FreePBX (and other PBX platforms) have long been a favorite hunting ground for ransomware gangs, initial access brokers and fraud groups abusing premium billing. If you use FreePBX with an endpoint module, assume compromise. Disconnect systems immediately. Delays will only increase the blast radius."
Daily Brief Summary
Sangoma's FreePBX platform faces a zero-day vulnerability, CVE-2025-57819, allowing unauthorized database manipulation and remote code execution through exposed administrator control panels.
The flaw, rated with a CVSS score of 10.0, affects versions 16 and 17, particularly those lacking robust IP filtering or access control lists.
Exploitation has been active since August 21, 2025, with attackers potentially escalating privileges to root-level access on compromised systems.
Sangoma urges users to upgrade to the latest FreePBX versions and restrict public access to the administrator control panel to mitigate risks.
Organizations are advised to scan for indicators of compromise and disconnect affected systems immediately to limit potential damage.
This vulnerability highlights the persistent threat to PBX platforms, often targeted by ransomware gangs and fraud groups for unauthorized billing activities.
Proactive measures and timely patching are critical to safeguarding communication infrastructures against such severe vulnerabilities.