Experts warn of actively exploited FreePBX zero-day


Sangoma warns of an actively exploited FreePBX zero-day affecting systems with publicly exposed admin control panels.

The Sangoma FreePBX Security Team addressed an actively exploited FreePBX zero-day vulnerability, tracked as CVE-2025-57819 (CVSS score of 10.0), impacting systems with an internet-facing administrator control panel (ACP).

FreePBX is an open-source telephony software platform that provides a web-based graphical interface for managing Asterisk, the most widely used open-source PBX (Private Branch Exchange).

With FreePBX, organizations can set up and manage features like:

  • VoIP (Voice over IP) calls
  • Call routing and extensions
  • Voicemail, call recording, and conferencing
  • Interactive Voice Response (IVR) menus
  • Integration with SIP trunks and phones

Essentially, it turns a standard server (or cloud instance) into a fully functional business phone system.

The root cause is insufficient sanitization of user-supplied input. It lets an unauthenticated attacker reach the FreePBX Administrator and, from there, manipulate the database arbitrarily and execute code on the host.

Project administrators revealed that an attacker exploited a flaw in the "endpoint" module of FreePBX v16 and v17 on internet-exposed systems, chaining it with further steps to potentially gain root-level access.

“Starting on or before August 21st, 2025, an unauthorized user began accessing multiple FreePBX version 16 and 17 systems that were connected directly to the public internet — systems with inadequate IP filtering/ACLs — by exploiting a validation/sanitization error in the processing of user-supplied input to the commercial “endpoint” module.” reads the advisory. “This initial entry point was then chained with several other steps to ultimately gain potentially root level access on the target systems.”

The vulnerability impacts:

  • FreePBX 15 prior to 15.0.66
  • FreePBX 16 prior to 16.0.89, and
  • FreePBX 17 prior to 17.0.3

Users are urged to update FreePBX, restrict public access to the ACP, and check for the following indicators of compromise:

  • /etc/freepbx.conf recently modified or missing
  • /var/www/html/.clean.sh present (the file does not exist on a normal system)
  • POST requests to modular.php in the web server logs (unlikely to be legitimate traffic)
  • Calls to extension 9998 in call logs and CDRs (unusual unless that extension was previously configured)
  • A suspicious "ampuser" account, or other unknown users, in the ampusers database table
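The checks in that list can be run as a read-only triage script. The POSIX shell script below is an added example and is not Sangoma's or the FreePBX project's code. It assumes a combined-format web server access log, an Asterisk-style CDR CSV export (the Master.csv column layout, or a dump of the cdr table in the same layout), and an export of the ampusers table with one username per line; every path is a parameter so the functions can be pointed at copied evidence. The log lines, CDR rows and user list that demo() builds are constructed for the demonstration, not taken from a real incident.

```shell
#!/bin/sh
# Added example for triaging the CVE-2025-57819 indicators listed above.
# Not Sangoma's or the FreePBX project's code. Read-only: nothing on the
# host is modified. Paths are parameters; demo() shows the stock locations.

# Prints 1 if the path exists, else 0. Used for /var/www/html/.clean.sh,
# which should not exist on a clean install.
file_present() {
    if [ -e "$1" ]; then echo 1; else echo 0; fi
}

# Prints "missing", "recent" (mtime within $2 days) or "ok" for file $1.
# /etc/freepbx.conf missing or freshly rewritten is an indicator.
mtime_state() {
    [ -e "$1" ] || { echo missing; return 0; }
    if [ -n "$(find "$1" -prune -mtime -"$2" 2>/dev/null)" ]; then
        echo recent
    else
        echo ok
    fi
}

# Counts POST requests to modular.php in a combined-format access log.
# Assumption: the request line is the quoted "METHOD /path HTTP/x" field.
count_modular_posts() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c '"POST [^" ]*modular\.php' "$1" || true   # grep -c exits 1 on 0 hits
}

# Counts CDR rows whose destination (3rd column) is extension $2.
# Assumption: Asterisk Master.csv layout, every field double-quoted:
#   accountcode,src,dst,dcontext,clid,channel,...
count_calls_to() {
    [ -r "$1" ] || { echo 0; return 0; }
    awk -F'","' -v ext="$2" '$3 == ext { n++ } END { print n + 0 }' "$1"
}

# Prints usernames from an ampusers export ($1, one per line) that are not in
# the space-separated allow-list $2. Export example (assumed command):
#   mysql -N asterisk -e 'SELECT username FROM ampusers' > users.txt
unknown_ampusers() {
    [ -r "$1" ] || return 0
    while IFS= read -r u; do
        [ -z "$u" ] && continue
        case " $2 " in
            *" $u "*) ;;          # known account
            *) echo "$u" ;;       # unknown: review it
        esac
    done < "$1"
}

# Stand-alone run on constructed evidence. On a live FreePBX host point the
# checks at /var/log/httpd/access_log (or /var/log/apache2/access.log),
# /var/log/asterisk/cdr-csv/Master.csv, /etc/freepbx.conf and
# /var/www/html/.clean.sh instead of the temporary files built here.
demo() {
    d=$(mktemp -d)
    printf '%s\n' \
      '198.51.100.9 - - [21/Aug/2025:08:00:01 +0000] "GET /admin/config.php HTTP/1.1" 200 9031' \
      '203.0.113.5 - - [21/Aug/2025:03:14:09 +0000] "POST /admin/modular.php HTTP/1.1" 200 77' \
      '203.0.113.5 - - [21/Aug/2025:03:14:11 +0000] "POST /admin/modular.php HTTP/1.1" 200 77' \
      '198.51.100.9 - - [21/Aug/2025:08:00:05 +0000] "POST /admin/ajax.php HTTP/1.1" 200 120' \
      > "$d/access.log"
    printf '%s\n' \
      '"","1001","9998","from-internal","1001","SIP/1001-0001","","Dial",""' \
      '"","1001","2002","from-internal","1001","SIP/1001-0002","","Dial",""' \
      > "$d/cdr.csv"
    printf 'admin\nampuser\n' > "$d/ampusers.txt"
    : > "$d/.clean.sh"   # simulate the dropped file
    echo "modular.php POSTs : $(count_modular_posts "$d/access.log")"
    echo "calls to 9998     : $(count_calls_to "$d/cdr.csv" 9998)"
    echo ".clean.sh present : $(file_present "$d/.clean.sh")"
    echo "freepbx.conf      : $(mtime_state "$d/freepbx.conf" 7)"
    echo "unknown ampusers  : $(unknown_ampusers "$d/ampusers.txt" 'admin' | tr '\n' ' ')"
    rm -rf "$d"
}

demo
```

A hit on any check is a reason to treat the host as compromised and rebuild rather than clean it in place, since the advisory describes the entry point being chained to root-level access; a clean run only says these particular indicators are absent, which is why the ACP must also be taken off the public internet.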

According to Netlas researchers, most of the potentially vulnerable systems are in the US, followed by Russia and Germany.

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)