FreePBX Servers Targeted by Zero-Day Flaw, Emergency Patch Now Available
Briefly

"Sangoma said an unauthorized user began accessing multiple FreePBX version 16 and 17 systems connected to the internet starting on or before August 21, 2025, specifically those that have inadequate IP filtering or access control lists (ACLs), by taking advantage of a sanitization issue in the processing of user-supplied input to the commercial "endpoint" module. The initial access obtained using this method was then combined with other steps to potentially gain root-level access on the target hosts, it added."
"In light of active exploitation, users are advised to upgrade to the latest supported versions of FreePBX and restrict public access to the administrator control panel. Users are also advised to scan their environments for the following indicators of compromise (IoCs):
- File "/etc/freepbx.conf" recently modified or missing
- Presence of the file "/var/www/html/.clean.sh" (this file should not exist on normal systems)
- Suspicious POST requests to "modular.php" in Apache web server logs dating back to at"
A zero-day vulnerability in FreePBX, CVE-2025-57819, stems from insufficiently sanitized user input and grants unauthenticated access to the FreePBX Administrator interface, from which an attacker can manipulate the database and execute code remotely. It affects FreePBX 15 prior to 15.0.66, 16 prior to 16.0.89, and 17 prior to 17.0.3. Unauthorized actors began accessing multiple internet-connected FreePBX 16 and 17 systems on or before August 21, 2025, exploiting the sanitization flaw in the commercial "endpoint" module on hosts whose IP filtering or ACLs were inadequate; that initial access was then chained with further steps to potentially reach root. Operators should upgrade to a fixed version, keep the Administrator Control Panel (ACP) off the public internet, and sweep their hosts for the IoCs quoted above.
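The IoC sweep the quoted advisory describes, written out as an added shell example (this is not Sangoma's or The Hacker News's code): it checks the two file indicators and tallies POST requests to modular.php, per source IP, in an Apache access log. The file paths and the modular.php pattern come from the quoted advisory; everything else is assumed here: Apache's default combined log format, a 14-day window for "recently modified" (the advisory names no window), /var/log/httpd/access_log as the log location on a FreePBX host, and the sample log lines, which are constructed with documentation IP ranges so the script can be exercised offline.

```sh
#!/bin/sh
# Added example, not code from Sangoma or The Hacker News: a triage helper for
# the three IoCs the advisory lists. Assumptions (mine, not the advisory's):
# Apache "combined" log format, a 14-day window for "recently modified",
# and the environment-variable overrides used for testing.

FREEPBX_CONF="${FREEPBX_CONF:-/etc/freepbx.conf}"
CLEAN_SH="${CLEAN_SH:-/var/www/html/.clean.sh}"
RECENT_DAYS="${RECENT_DAYS:-14}"   # assumed window; the advisory gives none

# File-based IoCs. Prints one "IOC:" line per finding.
check_file_iocs() {
    if [ ! -e "$FREEPBX_CONF" ]; then
        echo "IOC: $FREEPBX_CONF is missing"
    elif [ -n "$(find "$FREEPBX_CONF" -mtime "-$RECENT_DAYS" 2>/dev/null)" ]; then
        echo "IOC: $FREEPBX_CONF modified within the last $RECENT_DAYS days"
    fi
    if [ -e "$CLEAN_SH" ]; then
        echo "IOC: $CLEAN_SH exists (should not on a normal system)"
    fi
}

# Count POST requests whose path contains modular.php. In combined format,
# field 6 is the quoted method ("POST) and field 7 is the request path.
count_modular_posts() {
    awk '$6 == "\"POST" && $7 ~ /modular\.php/ { n++ } END { print n + 0 }' "$1"
}

# Per-source-IP tally of those POSTs, busiest first, to answer "who".
modular_post_sources() {
    awk '$6 == "\"POST" && $7 ~ /modular\.php/ { c[$1]++ }
         END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

# Constructed sample log (documentation IP ranges, not real traffic) so the
# functions above can be exercised offline. GET requests must not match.
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.45 - - [21/Aug/2025:03:14:07 +0000] "POST /admin/modular.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [21/Aug/2025:03:15:22 +0000] "GET /admin/config.php HTTP/1.1" 200 8731 "-" "Mozilla/5.0"
203.0.113.45 - - [21/Aug/2025:03:16:41 +0000] "POST /admin/modular.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.10 - - [22/Aug/2025:09:02:13 +0000] "GET /admin/modular.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
EOF
    echo "$f"
}

# Usage on a real host (assumed log path): ./freepbx_ioc_check.sh /var/log/httpd/access_log
# With --demo it runs against the constructed sample instead.
if [ "${1:-}" = "--demo" ]; then
    LOG=$(write_sample_log)
    check_file_iocs
    echo "POSTs to modular.php: $(count_modular_posts "$LOG")"
    modular_post_sources "$LOG"
    rm -f "$LOG"
elif [ -n "${1:-}" ]; then
    check_file_iocs
    echo "POSTs to modular.php: $(count_modular_posts "$1")"
    modular_post_sources "$1"
fi
```

A hit on any of the three checks is a reason to treat the host as compromised rather than merely patch it: the advisory describes initial access being chained toward root, so a system with a modified freepbx.conf or a stray .clean.sh should be rebuilt from a known-good image and its credentials rotated, not just upgraded in place.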
Read at The Hacker News