Endpointmanager Aug 2025 zero-day

jfinstrom · August 27, 2025, 1:36am

For those interested I have done a writeup on this based purely on community driven data. I am sure an official postmortem will come soon and supplement or replace the need for this.

gist.github.com

https://gist.github.com/jfinstrom/60011630ed586a79f5b9c78313e0d708#file-freepbx-vulnerability-aug-2026-md

FreePBX-Vulnerability-Aug-2026-tldr-Commands.md

FreePBX Emergency Checklist — Minimal immediate actions (copy/paste for chat/Slack)

1) Isolate
- Immediately block public access to Admin UI (80/443). Example (iptables):
  - iptables -I INPUT -p tcp --dport 443 -s x.x.x.x -j ACCEPT   # allow your admin IP
  - iptables -I INPUT -p tcp --dport 443 -j DROP              # drop all other 443
  - iptables -I INPUT -p tcp --dport 80 -j DROP               # drop HTTP
- If possible: place the PBX behind VPN or on a management VLAN.

2) Confirm Endpoint module presence

This file has been truncated. show original

FreePBX-Vulnerability-Aug-2026.md

# FreePBX Endpoint Zero-Day — incident note, detection & remediation checklist

Status: Active incident. Public reports began ~2025-08-21. Vendor advisory posted 2025-08-26. Limited public disclosure and no CVE at time of writing.

This document consolidates vendor guidance and community reports into an operator-friendly incident response guide. It is intentionally pragmatic: short prioritized actions first, then detection, containment, remediation, forensic guidance and hardening.

Summary (plain language)
- Around 2025-08-21 multiple FreePBX systems began showing errors and later confirmed compromises.
- Vendor (Sangoma/FreePBX Security Team) published an advisory on 2025-08-26 urging administrators to restrict public access to the Administrator Control Panel and offering EDGE module fixes.
- The vulnerability is associated with the commercial Endpoint Manager (Endpoint) and appears to be an unauthenticated privilege escalation/RCE that can be exploited when the Administrator UI is exposed to hostile networks.

This file has been truncated. show original

data-collector.sh

#!/usr/bin/env bash
# collect_forensics_freepbx.sh
# Guarded forensic artifact collection for FreePBX incidents.
# PURPOSE: copy timestamps and preserve ownership/permissions of key artifacts into a single destination for offline review.
# SAFETY: script WILL NOT run unless run as root, a destination directory is provided, and --confirm is passed.
# USAGE: ./collect_forensics_freepbx.sh --dest /secure/location --confirm
# DO NOT RUN this script unless you intend to collect artifacts on the target host.

set -euo pipefail

This file has been truncated. show original

Within that gist:

Any non-code text files are licensed under Creative Commons Attribution (CC BY 4.0).
The forensic collection script included within is provided under the Affero GPL v3 (AGPLv3).

GSnover · August 27, 2025, 11:27pm

Quick Question - I had one Client open the Admin Interface to the Internet, and their box got boned, but I had a Vultr backup image from 2 weeks before, and I restored that, applied the Edge Endpoint, and then closed the Firewall to everything except trusted Networks/IP’s.

Everything works like it should, but Fail2Ban is showing not running in the GUI, but it is running when you do a systemctl status fail2ban:

Any idea why this is showing?

jfinstrom · August 28, 2025, 5:56pm

The code that checks that is in sysadmin (obfuscated) and is likely a hook because the systemctl (or they may be running service… ) requires escalated privileges. make sure sysadmin shows signed and not tampered. Also make sure you have the latest deb/rpm package installed.

ccampbell · August 28, 2025, 7:17pm

Removing post. Authoritative information in the github link directly below.

gregarican · August 28, 2025, 7:26pm

Here was the official GitHub link to this specific issue → Authentication Bypass Leading to SQL Injection and RCE · Advisory · FreePBX/security-reporting · GitHub

penguinpbx · August 28, 2025, 7:55pm

Also, there’s more discussion in the main FreePBX forum topic, including corner-case coverage: Security Advisory: Please Lock Down Your Administrator Access.