Full Report
The Sangoma FreePBX Security Team is warning about an actively exploited FreePBX zero-day vulnerability that impacts systems where the Administrator Control Panel (ACP) is exposed to the internet. [...]
Analysis Summary
# Vulnerability: Actively Exploited FreePBX Zero-Day Allowing Command Execution
## CVE Details
- CVE ID: Not explicitly provided in the article.
- CVSS Score: Not explicitly provided in the article.
- CWE: Not explicitly provided in the article, but context suggests potential Command Injection or Unauthorized File Upload vulnerability due to remote command execution capability.
## Affected Systems
- Products: FreePBX (Versions 16 and 17), PBXAct (Versions 16 and 17).
- Versions: FreePBX 16, FreePBX 17, PBXAct 16, PBXAct 17.
- Configurations: Systems must have the **Endpoint Module** installed AND the FreePBX **Administrator Control Panel (ACP)** must be directly exposed to the public internet.
## Vulnerability Description
A zero-day vulnerability existed in FreePBX systems, specifically when the Administrator Control Panel (ACP) was exposed publicly and the Endpoint Module was installed. Successful exploitation allows an attacker to run arbitrary commands with the privileges of the `asterisk` user on the affected server.
## Exploitation
- Status: **Exploited in the wild** (Active exploitation observed since at least August 21, 2025).
- Complexity: Implied **Low** to **Medium** due to widespread successful exploitation.
- Attack Vector: **Network** (Requires public exposure of the ACP).
## Impact
The impact is severe as it allows remote code execution:
- Confidentiality: **High** (System access allows reading/exfiltrating sensitive configuration and call data).
- Integrity: **High** (System files can be modified, and arbitrary commands executed).
- Availability: **High** (Systems have been compromised, leading to disruption and resource misuse).
## Remediation
### Patches
Emergency fixes were released via the Endpoint module:
* **General FreePBX v16/v17 (EDGE Fix):**
`$ fwconsole ma downloadinstall endpoint --edge`
* **PBXAct v16:**
`$ fwconsole ma downloadinstall endpoint --tag 16.0.88.19`
* **PBXAct v17:**
`$ fwconsole ma downloadinstall endpoint --tag 17.0.2.31`
* A standard, non-edge security release was scheduled for later the same day the advisory was published.
### Workarounds
1. **Restrict Firewall Access Immediately:** Use the Firewall module to limit access to the FreePBX Administrator login page to **only known trusted IP addresses/hosts**.
2. If unable to install the EDGE module (e.g., due to an expired support contract), **block all public access** to the ACP immediately until the full security update is deployed.
3. If compromised, restore systems from backups taken *prior to August 21, 2025*.
4. Rotate **all system and SIP-related credentials.**
## Detection
Indicators of Compromise (IOCs) observed on exploited systems:
* **File System:**
  * Missing or modified `/etc/freepbx.conf` configuration file.
  * Presence of the suspicious shell script `/var/www/html/.clean.sh`.
* **Application Logs:**
  * Suspicious entries in Apache logs referencing `modular.php`.
  * Unusual calls to extension **9998** in Asterisk logs dating back to August 21.
* **Database:**
  * Unauthorized entries in the `ampusers` table (MariaDB/MySQL): look for an unfamiliar username in the far-left column, labeled "**ampuser**".
  * Review call records and phone bills for signs of abuse, such as unauthorized international traffic.
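The following triage helper is an added example, not code from Sangoma or the advisory: it checks the indicators listed above (file-system artifacts, `modular.php` requests in Apache logs, calls to extension 9998 in Asterisk logs, unexpected `ampusers` rows) against constructed sample data. The sample addresses, usernames, and the `from-internal` dialplan context are assumptions.

```python
import os
import re
from datetime import date

# Apache combined log prefix: client, ident, user, [timestamp], "request line"
APACHE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
# Asterisk "full" log prefix [YYYY-MM-DD HH:MM:SS] followed by a call routed to 9998
ASTERISK_RE = re.compile(r'^\[(?P<date>\d{4}-\d{2}-\d{2}) [^\]]*\].*\b9998@')
EXPLOIT_START = date(2025, 8, 21)  # earliest activity reported in the advisory

def apache_modular_hits(lines):
    """(client, timestamp, request) for every request line that touches modular.php."""
    hits = []
    for line in lines:
        m = APACHE_RE.match(line)
        if m and "modular.php" in m.group("req"):
            hits.append((m.group("ip"), m.group("ts"), m.group("req")))
    return hits

def asterisk_9998_calls(lines, since=EXPLOIT_START):
    """Asterisk log lines that route a call to extension 9998 on or after `since`."""
    found = []
    for line in lines:
        m = ASTERISK_RE.match(line)
        if m and date.fromisoformat(m.group("date")) >= since:
            found.append(line)
    return found

def filesystem_iocs(root="/"):
    """Both file-system indicators; `root` lets the check run against a mounted image."""
    return {
        "freepbx_conf_missing": not os.path.exists(os.path.join(root, "etc/freepbx.conf")),
        "clean_sh_present": os.path.exists(os.path.join(root, "var/www/html/.clean.sh")),
    }

def unknown_ampusers(usernames, expected):
    """Usernames from the ampusers table that are not on the administrator-maintained list."""
    return sorted(set(usernames) - set(expected))

# Constructed sample data shaped like the real logs (not captured from an incident)
SAMPLE_APACHE = [
    '203.0.113.5 - - [22/Aug/2025:03:14:07 +0000] "POST /admin/ajax.php?module=endpoint HTTP/1.1" 200 512',
    '203.0.113.5 - - [22/Aug/2025:03:14:09 +0000] "GET /admin/modular.php?x=1 HTTP/1.1" 200 88',
    '198.51.100.7 - - [20/Aug/2025:10:00:00 +0000] "GET /admin/config.php HTTP/1.1" 200 4096',
]
SAMPLE_ASTERISK = [
    '[2025-08-19 08:00:01] VERBOSE[1200] pbx.c: Executing [9998@from-internal:1] Dial("PJSIP/1001", ...)',
    '[2025-08-23 02:41:55] VERBOSE[1311] pbx.c: Executing [9998@from-internal:1] Dial("PJSIP/1001", ...)',
]
SAMPLE_AMPUSERS = ["admin", "helpdesk", "zz_sys"]  # "zz_sys" stands in for an unexpected row
```

On a live host, feed the functions the real `/var/log/httpd/access_log` (or `/var/log/apache2/access.log`), `/var/log/asterisk/full`, and the output of `SELECT username FROM ampusers` instead of the samples.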
## References
- Vendor Advisory/Forum Post: community.freepbx.org/t/security-advisory-please-lock-down-your-administrator-access/107203
- Customer Reports/Technical Detail: d.reddit.com/r/freepbx/comments/1n0qi07/comment/nax9vvx/