
Cybersecurity Threat Advisory

Researchers have discovered a zero-day vulnerability in Sangoma FreePBX, identified as CVE-2025-57819. This flaw allows unauthenticated remote attackers to take control of affected PBX systems, potentially resulting in remote code execution (RCE), arbitrary database manipulation, and full system compromise. Review this Cybersecurity Threat Advisory to learn how to reduce your exposure and protect your systems against this threat.

What is the threat?

CVE-2025-57819 is caused by insufficiently sanitized user-supplied input and allows unauthenticated attackers to bypass authentication to the FreePBX Administrator interface, enabling arbitrary database manipulation and RCE with administrative privileges. Active exploitation has been observed in the wild since at least late August 2025, with attackers able to fully compromise impacted PBX systems and execute malicious commands. Successful exploitation can lead to complete system takeover, disruption of telephony services, and potential further compromise of connected infrastructure.

Why is it noteworthy?

This threat is particularly concerning because it targets Sangoma FreePBX, a widely adopted open-source platform for managing business-critical voice communications. The vulnerability has been actively exploited in the wild. Given the central role of PBX servers in enterprise environments, such compromise can lead to severe operational disruption and data exposure.

What is the exposure or risk?

This vulnerability is significant due to the widespread deployment of Sangoma FreePBX across enterprise environments. The flaw impacts the following:

  • FreePBX 15 prior to 15.0.66
  • FreePBX 16 prior to 16.0.89
  • FreePBX 17 prior to 17.0.3

Organizations are strongly urged to apply the latest patches.

What are the recommendations?

Barracuda recommends the following actions to mitigate your risk:

  • Upgrade to the latest supported versions of FreePBX.
  • Restrict public access to the FreePBX Administrator control panel to trusted networks only.
  • Check for indicators of compromise, including:
    • /etc/freepbx.conf missing or unexpectedly modified (this file should exist),
    • /var/www/html/.clean.sh present (this file should not exist),
    • web server logs showing POST requests to modular.php,
    • Asterisk logs/CDRs showing calls to extension 9998,
    • unknown or suspicious entries in the ampusers database table.
  • Monitor system and web server logs for suspicious activity, including unexpected database changes or unauthorized login attempts.
  • Create an incident response plan for FreePBX-related threats, including procedures for isolating compromised servers, collecting forensic evidence, validating system integrity, and restoring clean backups.
  • Train operational and security staff on detection methods, patching procedures, and emergency response actions specific to this vulnerability.
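One way to work through the indicator list above on a FreePBX host, as an added example that is not Barracuda's or Sangoma's tooling: a read-only POSIX shell script that checks the two file indicators, counts POST requests to modular.php and calls to extension 9998 in the logs, and lists the accounts in the ampusers table for comparison with the expected set. The default paths (/var/log/httpd/access_log, /var/log/asterisk/cdr-csv/Master.csv), the assumption that the FreePBX database is named asterisk, and the sample log lines used to exercise the counters are all assumptions or constructed data, not values from the advisory.

```shell
#!/bin/sh
# Added example, not Sangoma's or Barracuda's tooling: a read-only hunt for the
# CVE-2025-57819 indicators listed in this advisory. The default paths are
# assumptions for a typical FreePBX host; override them with environment
# variables, e.g. WEB_LOG=/var/log/apache2/access.log.

# Indicator: /etc/freepbx.conf should exist. Returns 0 (true) when it is missing.
conf_missing() {            # $1 = path to freepbx.conf
    [ ! -f "$1" ]
}

# Indicator: /var/www/html/.clean.sh should NOT exist. Returns 0 when present.
clean_sh_present() {        # $1 = path to .clean.sh
    [ -f "$1" ]
}

# Indicator: POST requests to modular.php. Prints the count (0 if the log is
# missing). Assumes a combined-format web server access log.
count_modular_posts() {     # $1 = access log
    n=$(grep -c -E '"POST [^" ]*modular\.php' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# Indicator: calls to extension 9998. Matches the dst field of an Asterisk
# cdr-csv Master.csv (,"9998",) or a dialplan execution line in the full log
# ([9998@). Prints the count (0 if the file is missing).
count_9998_calls() {        # $1 = Master.csv or /var/log/asterisk/full
    n=$(grep -c -E '(,"9998",|\[9998@)' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# Indicator: unknown entries in the ampusers table. Prints one admin username
# per line for comparison with the expected set. Assumes the FreePBX database
# is named "asterisk" and that the caller has MySQL credentials (root on a
# FreePBX host normally does via /root/.my.cnf).
list_admin_users() {
    command -v mysql >/dev/null 2>&1 || { echo "mysql client not found" >&2; return 1; }
    mysql -N -e 'SELECT username FROM ampusers' asterisk
}

# Constructed sample logs (not real data) so the counters can be exercised
# without touching a live PBX: two suspicious POSTs and one call to 9998.
make_sample_logs() {        # $1 = directory to write into
cat > "$1/access.log" <<'EOF'
203.0.113.10 - - [27/Aug/2025:03:14:07 +0000] "POST /admin/modular.php HTTP/1.1" 200 812 "-" "python-requests/2.31"
198.51.100.7 - - [27/Aug/2025:03:14:09 +0000] "GET /admin/config.php HTTP/1.1" 200 14322 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Aug/2025:03:15:40 +0000] "POST /admin/modular.php HTTP/1.1" 200 415 "-" "python-requests/2.31"
EOF
cat > "$1/Master.csv" <<'EOF'
"","1001","1002","from-internal","""Alice"" <1001>","PJSIP/1001-00000001","PJSIP/1002-00000002","Dial","PJSIP/1002,30","2025-08-27 09:00:01","2025-08-27 09:00:05","2025-08-27 09:02:10","129","125","ANSWERED","3","1756285201.1",""
"","1001","9998","from-internal","""Alice"" <1001>","PJSIP/1001-00000003","","NoOp","","2025-08-27 03:15:42","","2025-08-27 03:15:43","1","0","NO ANSWER","3","1756263342.3",""
EOF
}

# Run every check against the live host and print any indicator found.
# Returns 1 if at least one file or log indicator was hit, else 0.
scan() {
    conf="${FREEPBX_CONF:-/etc/freepbx.conf}"
    clean="${CLEAN_SH:-/var/www/html/.clean.sh}"
    weblog="${WEB_LOG:-/var/log/httpd/access_log}"
    cdr="${CDR_CSV:-/var/log/asterisk/cdr-csv/Master.csv}"
    found=0
    if conf_missing "$conf"; then echo "IOC: $conf is missing"; found=1; fi
    if clean_sh_present "$clean"; then echo "IOC: $clean is present"; found=1; fi
    n=$(count_modular_posts "$weblog")
    if [ "$n" -gt 0 ]; then echo "IOC: $n POST request(s) to modular.php in $weblog"; found=1; fi
    n=$(count_9998_calls "$cdr")
    if [ "$n" -gt 0 ]; then echo "IOC: $n call(s) to extension 9998 in $cdr"; found=1; fi
    echo "Admin accounts in ampusers (compare with your expected list):"
    list_admin_users || true
    return $found
}

# Only scan when invoked as `sh check_freepbx_iocs.sh scan`, so the functions
# can be sourced for testing without touching the host.
if [ "${1:-}" = "scan" ]; then scan; fi
```

A hit on any file indicator or a non-zero count is a reason to isolate the server and start the incident response procedure in the list above; the ampusers output is printed rather than judged because only the operator knows which admin accounts are legitimate.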

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.



Posted by Asaad Shaikh

Asaad is a Cybersecurity Analyst at Barracuda. He supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
