FreePBX Zero‑Day (CVE-2025-57819) Exploited in the Wild: What to Do Now

CyberSecureFox 🦊

Sangoma Technologies has confirmed in-the-wild exploitation of a critical zero‑day in FreePBX, the open-source PBX platform built on Asterisk and widely used by enterprises, contact centers, and telecom providers. Tracked as CVE-2025-57819 and rated CVSS 10.0, the flaw is being leveraged against systems where the administrative interface is exposed to the public internet.

FreePBX vulnerability under active attack

According to Sangoma’s security team, attacks began on 21 August 2025, targeting publicly reachable FreePBX admin panels. At its core, the issue stems from insufficient input sanitization combined with logic flaws in authentication, enabling admin bypass, database manipulation, and ultimately remote code execution (RCE).

Impacted versions and exposure risk

Exploitation has been observed against FreePBX 16 and 17, particularly instances with externally accessible admin panels. Sangoma has pushed emergency updates to the EDGE channel and issued rapid patches for affected modules. Organizations are urged to restrict administrative access to trusted IP addresses only.

Technical analysis: from auth bypass to RCE

The flaw leverages a combination of unvalidated user input and authorization logic errors to grant unauthorized access to the admin UI. With this foothold, attackers can alter PBX configuration, create or replace user accounts, modify SIP trunks and call routes, and in many cases execute arbitrary commands as the asterisk service account, with plausible privilege escalation to root on misconfigured or unpatched hosts.

Practically, this chain opens the door to toll fraud (unauthorized billable calls), mass compromise of SIP extensions, disruption of telephony services, leakage of call detail records (CDR) and logs, and lateral movement inside the network. For voice‑dependent organizations, PBX downtime and fraudulent calling translate directly into financial losses and reputational damage.

Business impact: real-world signals

Sangoma’s advisory aligns with early community reports. One FreePBX forum post described an intrusion affecting roughly 3,000 SIP extensions and 500 trunks, forcing a full shutdown of administrative access and recovery operations. A separate Reddit report noted command execution as the asterisk user, which simplifies progression to broader system compromise.

Patch guidance and immediate mitigations

Update now: Apply the latest FreePBX core and module patches via Module Admin without delay. If you use the EDGE channel, ensure the emergency updates are installed and then move to stable when advised by Sangoma.

Restrict access: Do not expose the admin panel to the internet. Enforce a firewall allowlist for trusted IPs or segments, and place admin access behind a VPN. Remove any public port forwarding to the UI.

Interim hardening recommendations

Introduce HTTP Basic Auth in front of the admin panel, proxy access through a hardened reverse proxy, consider GeoIP restrictions, and enable anomaly monitoring. Reduce attack surface by disabling unused modules, removing guest/deprecated accounts, enforcing least privilege, and maintaining regular, tested configuration backups.

Indicators of compromise and triage checklist

For internet‑exposed panels, perform expedited incident assessment. Review: web server logs (/var/log/httpd/* or /var/log/nginx/*) for suspicious POSTs to admin endpoints and unusual IPs; Asterisk logs (/var/log/asterisk/full) for anomalous commands and config changes; unexpected edits to SIP trunks/routes and spikes in outbound calls; new admin users, permission changes, cron modifications, and new/altered PHP files under FreePBX web directories; and outbound connections from the PBX host to unknown IPs.
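As an added example that is not part of the advisory or of FreePBX itself, the following Python helper applies the web-log part of this checklist: it parses combined-format access log lines, counts POSTs to paths under /admin/ per source IP, and flags those coming from addresses outside a hypothetical management allowlist. The allowlist ranges and the sample log lines are constructed, not real traffic.

```python
import ipaddress
import re
from collections import Counter

# Apache/nginx "combined" log format as written by the web server in front of FreePBX.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Hypothetical trusted admin sources: replace with your own VPN/management ranges.
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]

def is_trusted(ip: str) -> bool:
    """True when ip falls inside one of the allowlisted management networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address is never trusted
    return any(addr in net for net in ALLOWLIST)

def triage_web_log(lines):
    """Return (flagged, per_ip): flagged lists admin POSTs from untrusted IPs,
    per_ip counts admin POSTs per source address (useful for spotting bursts)."""
    flagged, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        if m["method"] != "POST" or not m["path"].startswith("/admin/"):
            continue
        per_ip[m["ip"]] += 1
        if not is_trusted(m["ip"]):
            flagged.append((m["ip"], m["ts"], m["path"], m["status"]))
    return flagged, per_ip

# Constructed sample lines: one legitimate admin POST from the management network,
# repeated POSTs from an untrusted external address, and unrelated traffic.
SAMPLE_LOG = [
    '192.168.1.20 - - [21/Aug/2025:09:12:01 +0000] "POST /admin/config.php?display=dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [21/Aug/2025:09:13:44 +0000] "GET /admin/ HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '203.0.113.45 - - [21/Aug/2025:09:13:45 +0000] "POST /admin/ajax.php HTTP/1.1" 200 312 "-" "curl/8.0"',
    '203.0.113.45 - - [21/Aug/2025:09:13:46 +0000] "POST /admin/config.php HTTP/1.1" 302 0 "-" "curl/8.0"',
    '198.51.100.9 - - [21/Aug/2025:09:20:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    flagged, per_ip = triage_web_log(SAMPLE_LOG)
    for ip, ts, path, status in flagged:
        print(f"UNTRUSTED admin POST {ip} {ts} {path} -> {status}")
    print("admin POSTs per IP:", dict(per_ip))
```

Run it against a real access log with `triage_web_log(open("/var/log/httpd/access_log"))`, then cross-check any flagged address against Asterisk logs and recent configuration changes.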

Where compromise is suspected, isolate the PBX, preserve logs for forensics, rotate credentials (including SIP and admin accounts), validate configuration integrity, and restore from trusted, offline backups after a clean rebuild.

Exposed PBX admin interfaces remain a high‑value target. The active exploitation of CVE-2025-57819 reinforces a long‑standing best practice: never publish your FreePBX admin panel to the internet. Patch immediately, lock down access behind VPN and allowlists, monitor for abnormal call patterns, and ensure an incident response plan is ready to execute. Proactive hardening today prevents costly toll fraud and service disruption tomorrow.
