Critical Vulnerability in FreePBX (CVE-2025-57819)
Executive Summary
On August 28th, the open-source software organization FreePBX published an advisory detailing a critical vulnerability in its telephony platform, FreePBX.
Sangoma’s FreePBX security team reported active exploitation against systems that expose FreePBX administrative modules to the public internet. The vulnerability, tracked as CVE-2025-57819, is a validation and sanitization bug in the “endpoint” module that can result in unauthenticated Remote Code Execution (RCE) on an affected FreePBX system.
Successful compromise of FreePBX management interfaces can give threat actors initial access to an organization’s internal network. Third-party security teams have also reported discovering several hundred instances of this software that appear to be compromised at the time of this writing.
FreePBX has published official updates, and Beazley Security recommends affected organizations apply security patches as soon as possible.
Affected Systems or Products
Mitigations / Workarounds
If security fixes cannot be applied immediately, users should disconnect affected systems from the internet until the updates can be deployed. It is recommended to allow only trusted networks to reach the Administrator interfaces, using FreePBX’s built-in firewall module. The FreePBX firewall documentation can be found here to facilitate filtering.
Patches
The FreePBX organization has provided security patches via its normal automatic upgrade system. There is also a manual upgrade process, either through the Administrator Control Panel menu by browsing to Admin -> Module Admin, or by running the command below:
$ fwconsole ma upgradeall
Regardless of the upgrade method, users should verify that the “endpoint” module is an unaffected version. Please reference the “Affected Systems or Products” table above.
Indicators of Compromise
The FreePBX security team provided several Indicators of Compromise (IoCs) summarized below.
- File /etc/freepbx.conf recently modified or missing
- File /var/www/html/.clean.sh is malicious
- Suspicious HTTP POST requests to modular.php
- Suspicious phone calls to extension 9998
- Suspicious users (particularly the username ‘ampuser’) added to the ampusers database
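A read-only triage script for the indicators above, added here as an example and not part of the FreePBX advisory or of Beazley Security’s tooling. The sample log lines and user list it writes are constructed, and the ampusers query in the comment assumes FreePBX’s default “asterisk” database.

```sh
#!/bin/sh
# Added triage script (not from the FreePBX advisory or Beazley Security): checks
# a host for the IoCs listed above. Paths are parameters so it also works on a
# mounted disk image. Read-only: it never modifies the files it inspects.

# /etc/freepbx.conf: MISSING if absent, RECENT if modified within $2 days
# (default 30), otherwise OK. The advisory flags "recently modified or missing".
check_freepbx_conf() {
  conf="$1"; days="${2:-30}"
  if [ ! -f "$conf" ]; then echo MISSING; return 0; fi
  if [ -n "$(find "$conf" -mtime "-$days")" ]; then echo RECENT; else echo OK; fi
}

# /var/www/html/.clean.sh is named as malicious, so its mere presence is a hit.
check_clean_sh() {
  if [ -e "$1" ]; then echo PRESENT; else echo ABSENT; fi
}

# Count POST requests to modular.php in a combined-format web access log.
count_modular_posts() {
  grep -c -E '"POST [^" ]*modular\.php' "$1" || true
}

# Count rows equal to the suspicious username in a one-name-per-line dump of
# the ampusers table (e.g. mysql -N -e 'SELECT username FROM ampusers' asterisk).
count_ampuser_rows() {
  grep -c -x 'ampuser' "$1" || true
}

# Run every check, report findings on stderr, and print the hit count on stdout.
triage() {  # args: freepbx.conf path, .clean.sh path, access log, ampusers dump
  hits=0
  r=$(check_freepbx_conf "$1"); [ "$r" = OK ] || { hits=$((hits+1)); echo "freepbx.conf: $r" >&2; }
  r=$(check_clean_sh "$2"); [ "$r" = ABSENT ] || { hits=$((hits+1)); echo ".clean.sh: $r" >&2; }
  n=$(count_modular_posts "$3"); [ "$n" -eq 0 ] || { hits=$((hits+1)); echo "modular.php POSTs: $n" >&2; }
  n=$(count_ampuser_rows "$4"); [ "$n" -eq 0 ] || { hits=$((hits+1)); echo "ampuser rows: $n" >&2; }
  echo "$hits"
}

# Constructed sample inputs (not real logs or data) so the checks can be tried offline.
write_samples() {  # arg: directory to write into
  cat > "$1/access.log" <<'EOF'
203.0.113.5 - - [28/Aug/2025:10:00:02 +0000] "POST /admin/modular.php HTTP/1.1" 200 128
198.51.100.7 - - [28/Aug/2025:10:01:00 +0000] "GET /admin/config.php HTTP/1.1" 200 2048
203.0.113.5 - - [28/Aug/2025:10:02:00 +0000] "POST /admin/modular.php HTTP/1.1" 500 64
EOF
  printf 'admin\nampuser\nhelpdesk\n' > "$1/ampusers.txt"
  printf 'x\n' > "$1/freepbx.conf"   # freshly written, so it reads as RECENT
}
```

On a live host, run for example `triage /etc/freepbx.conf /var/www/html/.clean.sh /var/log/httpd/access_log ampusers.txt`; the web access log path varies by distribution, so adjust it to your install.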
Technical Details
Flaws in the endpoint manager module could allow unauthenticated access to management functions on the system, leading to SQL injection. There is no concise writeup of the actual vulnerability at the time of writing, only troubleshooting messages and issue reports on the FreePBX website and forum. The FreePBX team indicates that once the vulnerability is exploited, threat actors “chained” it “with several other steps” to fully compromise targets, indicating the attack chain can be complex.
How Beazley Security is Responding
Beazley Security is monitoring client perimeter devices through our Karma product to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.
Sources