FreePBX Zero-Day Exploit Hits Servers, Emergency Patch Released


The Sangoma FreePBX Security Team has issued an urgent warning about a dangerous zero-day vulnerability in FreePBX. Attackers are already exploiting this flaw in the Administrator Control Panel (ACP) when it is exposed to the public internet. A temporary fix has been released, and a permanent security update is on the way.

FreePBX is a popular open-source PBX (Private Branch Exchange) platform built on top of Asterisk. It is widely used by businesses, call centers, and telecom service providers to manage internal and external voice communications, SIP trunks, extensions, and call routing. Because of its large user base and critical role in business communications, FreePBX servers are an attractive target for cybercriminals.

On August 21, 2025, Sangoma discovered that hackers were using a previously unknown vulnerability (zero-day) in the FreePBX Administrator panel. If the ACP was directly accessible from the internet, attackers could exploit it to take control of affected systems.

In a post on the FreePBX forums, the Sangoma security team said:

“We are aware of a potential exploit affecting systems with the administrator control panel exposed to the public internet. A fix is being prepared and will be deployed within the next 36 hours.”

The team advised all administrators to limit access to the ACP using the built-in Firewall module, restricting logins only to trusted IP addresses.

To contain the damage, Sangoma released an EDGE module fix for testing. However, the company stressed that this is only a preventive measure for future installations, not a cure for already infected systems.

Chris Maj from Sangoma explained:

  • FreePBX versions 16 and 17 may already be compromised if:

    1. The endpoint module was installed.

    2. The Administrator login page was exposed to the internet.

System administrators who want to apply the EDGE release can run the following commands:

For FreePBX v16/v17:

fwconsole ma downloadinstall endpoint --edge

For PBXAct v16:

fwconsole ma downloadinstall endpoint --tag 16.0.88.19

For PBXAct v17:

fwconsole ma downloadinstall endpoint --tag 17.0.2.31

Important: Some users reported that if their support contract has expired, they might not be able to install the EDGE module. In that case, administrators are strongly advised to block access to ACP until the final security patch is released.

The zero-day is not just theoretical—multiple organizations confirmed their FreePBX servers were hacked.

  • One customer reported that the attackers compromised 3,000 SIP extensions and 500 trunks across their infrastructure.

  • Another user on Reddit said:

    “My personal PBX was affected as well as one I help manage. The exploit allows attackers to run any command that the Asterisk user can execute.”

This means the vulnerability can give attackers deep access to systems, potentially allowing them to steal data, disrupt calls, or reroute phone traffic for fraud.


Sangoma has not revealed the full technical details of the vulnerability but has shared signs administrators can check to determine if their servers were hacked:

  • Missing or modified /etc/freepbx.conf file.

  • Presence of a suspicious /var/www/html/.clean.sh shell script.

  • Strange Apache log entries involving modular.php.

  • Unusual call activity to extension 9998 in Asterisk logs dating back to August 21.

  • Unauthorized entries in the ampusers table of MariaDB/MySQL, especially a suspicious username “ampuser.”

If any of these indicators of compromise (IOCs) are present, the system is likely compromised.
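
The checks above can be scripted so they run the same way on every PBX or on a mounted disk image. The script below is an added example, not code from Sangoma or the FreePBX project. The function names, the log directories and the database name "asterisk" are assumptions; adjust them to the system being examined.

```bash
#!/usr/bin/env bash
# Added example: checks a directory tree for the indicators listed above.
# Pass "/" for the live system, or the mount point of a disk image.

# Assumed log directories (RHEL-style and Debian-style defaults).
APACHE_LOG_DIRS="var/log/httpd var/log/apache2"
ASTERISK_LOG_DIR="var/log/asterisk"

check_iocs() {
    local root="${1%/}" d
    # A *modified* freepbx.conf needs a diff against a known-good backup;
    # only the missing-file case can be detected without one.
    if [ ! -f "$root/etc/freepbx.conf" ]; then
        echo "IOC: /etc/freepbx.conf is missing"
    fi
    if [ -e "$root/var/www/html/.clean.sh" ]; then
        echo "IOC: /var/www/html/.clean.sh is present"
    fi
    for d in $APACHE_LOG_DIRS; do
        if grep -rqs 'modular\.php' "$root/$d"; then
            echo "IOC: modular.php appears in /$d"
        fi
    done
    # Coarse match on the bare number 9998; review any hit by hand.
    if grep -rqsE '(^|[^0-9])9998([^0-9]|$)' "$root/$ASTERISK_LOG_DIR"; then
        echo "IOC: extension 9998 appears in /$ASTERISK_LOG_DIR"
    fi
    return 0
}

# Reads usernames, one per line, and flags the account name called out above.
# Assumed usage (database name "asterisk" is an assumption):
#   mysql -N -B -e 'SELECT username FROM ampusers' asterisk | check_ampusers
check_ampusers() {
    if grep -qx 'ampuser'; then
        echo "IOC: user 'ampuser' exists in the ampusers table"
    fi
    return 0
}

# Run the file checks only when a root directory is given on the command line.
if [ "$#" -gt 0 ]; then
    check_iocs "$1"
fi
```

Compressed rotated logs are not searched by grep -r, so decompress them first. An empty result does not clear a system that was exposed, since the remaining accounts in ampusers still need a manual review.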

Sangoma recommends the following steps if a system is suspected to be hacked:

  1. Restore from a backup created before August 21.

  2. Deploy the patched modules on a clean installation.

  3. Change all passwords and rotate system and SIP credentials.

  4. Check call records and bills for unauthorized international calls, which are a common sign of telecom fraud.

  5. Restrict ACP access to trusted IPs only until the full fix is available.

FreePBX is a backbone communication system for thousands of businesses worldwide. A compromised PBX can lead to:

  • Financial loss through unauthorized international calls.

  • Service disruption, affecting call centers and customer support.

  • Data exposure, as attackers could gain access to call logs, customer records, or internal communications.

With voice communication infrastructure under attack, organizations must treat this as a critical security incident and act immediately.

The FreePBX zero-day vulnerability shows how dangerous it is to expose administrative panels directly to the internet. Even trusted platforms like FreePBX can be targeted by hackers, and once a system is breached, the damage can be severe.

For now, FreePBX administrators should:

  • Apply the EDGE fix if possible.

  • Block ACP access from untrusted networks.

  • Prepare for a full patch rollout later today.

Cyberattacks on communication systems are becoming more frequent, and proactive measures—like patch management, firewall configuration, and strong access controls—are the only way to stay ahead.
