The Sangoma FreePBX Security Team is aware of a potential exploit affecting some systems with the administrator control panel exposed to the public internet. AUG. 28 GOOD NEWS: FIX IS NOW DEPLOYED IN STABLE REPOS FOR AFFECTED SUPPORTED VERSIONS, INCLUDING ALL RELEASES OF ENDPOINT MODULE IN 15, 16 & 17. PLEASE UPDATE! Users are advised to limit access to the FreePBX Administrator by using the Firewall module to limit access to only known trusted hosts.
UPDATE 2025-09-09T16:13:00Z
Trimmed opening paragraph and re-pinned globally for the rest of September.
UPDATE 2025-08-29T19:39:00Z
Organized to put the most recent updates at the top. Link to full thread at the bottom (scroll down.)
UPDATE 2025-08-28T16:46:00Z
Published Fix Now in STABLE Following Successful QA
Please immediately update all supported systems (15, 16 and 17) using normal/stable FreePBX update methods, either via the Administrator Control Panel menu Admin → Module Admin or via the generic command line method:
As root: $ fwconsole ma upgradeall
Or sudo: $ sudo fwconsole ma upgradeall
…and take time to review GitHub Security Advisory GHSA-m42g-xg4c-5f3h for details on CVE-2025-57819, a critical vulnerability affecting the “endpoint” module in all supported versions of FreePBX (15, 16 and 17).
Users should check that their automated security updates are active, especially those reading this later who were unaware of the update. We are aware of a current issue in the v17 “framework” module that may prevent automated update notification emails.
Also note that infection detection checklist step 5 as posted yesterday may need to cover more log files, depending on your logging environment; note the additional asterisk character in the glob below:
$ zgrep modular.php /var/log/{httpd,apache2}/*access*
UPDATE 2025-08-27T16:42:00Z
We are still on schedule for normal security release in appx. 12 hours.
Immediate Actions
Users should continue to take the following immediate steps, as posted previously, but with some minor refinement:
1. Determine if your FreePBX/PBXAct system is exposed to the public internet. Activate firewalls if they are not already in place, e.g. configure the FreePBX Firewall module. Lock it down to only your IP address. Disallow the Internet/External zone access to the Web Management interfaces. Check access from another device, e.g. your cell phone disconnected from local wifi.
2. Upgrade to the latest version of the endpoint module (if it was installed on your system). See the previous UPDATE from yesterday for commands, OR, if you read this after the endpoint module moves from EDGE to STABLE, then perform a normal module update (or at least confirm that any automatic update to the latest module version was successful via the Admin → Module Admin menu).
Note: If step 2 does not work, then renew all your commercial module licenses via the Sangoma Portal and try again.
If “endpoint” is NOT installed, then your system is probably NOT at risk of infection - but do please read on!
Users of FreePBX versions from before v16 are encouraged to continue reading as well - affected version histories are still being internally investigated ahead of the CVE publication.
Minimum Infection Detection Check List
There's been excellent community discussion on the forums regarding the next steps - thank you to all for contributing! The Sangoma FreePBX Security Team recommendation is currently the following minimum check list:
3. Visit your FreePBX Administrator web interface - is it broken? Not loading like it used to? Does the /etc/freepbx.conf file still exist? Check with this command:
$ ls -l /etc/freepbx.conf
4. Look for the tell-tale leftover sign of the exploit - this file should not exist on normal systems:
/var/www/html/.clean.sh
So check for it like this:
$ ls -l /var/www/html/.clean.sh
5. Check Apache logs for POST requests to modular.php - reaching back to at least August 21st. A command like the following should help you quickly look through all the relevant logs on both v16 and v17:
$ zgrep modular.php /var/log/{httpd,apache2}/access*
6. Check Asterisk logs for calls to extension 9998 - reaching back to at least August 21st (slight variations in this command may exist between systems):
$ grep 9998 /var/log/asterisk/full*
7. Review MariaDB/MySQL logs and tables for MACD of unknown users in the ampusers table - specifically looking for a suspicious ampuser username in the far-left column:
$ mysql -e "SELECT * FROM ampusers" asterisk
If infection is detected in any of 3-7 above, then TAKE A DEEP BREATH and continue on.
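As an added example (not part of this advisory and not FreePBX's own code), the file and log checks above (steps 4, 5 and 6), plus the wider `*access*` glob from the Aug 28 note, written as shell functions that take a directory argument so they can be exercised here on constructed sample lines and then pointed at the real /var/log/httpd or /var/log/apache2, /var/log/asterisk and /var/www/html paths on a PBX. The sample log lines, the function names, and the `Executing [9998@` pattern (narrower than the advisory's plain `grep 9998`, so timestamps or call IDs that happen to contain 9998 are not counted) are all assumptions of this example, not values from the advisory.

```shell
#!/bin/sh
# Added example: the advisory's log/file checks as reusable functions.
# Every path and log line below is constructed for demonstration only.

# --- constructed sample data (NOT real logs) ---------------------------------
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/httpd" "$SAMPLE_DIR/asterisk" "$SAMPLE_DIR/html"

# Two Apache access logs with different names, so the *access* glob matters.
# The GET of the modules page is ordinary Module Admin traffic; only the
# POSTs to modular.php are what step 5 asks you to look at.
cat > "$SAMPLE_DIR/httpd/access_log" <<'EOF'
203.0.113.10 - - [22/Aug/2025:03:14:07 +0000] "POST /admin/ajax.php?module=endpoint HTTP/1.1" 200 512
203.0.113.10 - - [22/Aug/2025:03:14:09 +0000] "POST /admin/modular.php HTTP/1.1" 200 17
198.51.100.7 - - [23/Aug/2025:09:01:22 +0000] "GET /admin/config.php?display=modules HTTP/1.1" 200 4096
EOF
cat > "$SAMPLE_DIR/httpd/ssl_access_log.1" <<'EOF'
203.0.113.10 - - [21/Aug/2025:22:48:51 +0000] "POST /admin/modular.php HTTP/1.1" 200 17
EOF

# Asterisk full log: one call into extension 9998 and one ordinary call.
cat > "$SAMPLE_DIR/asterisk/full" <<'EOF'
[2025-08-22 03:15:01] VERBOSE[4321][C-00000a1f] pbx.c: Executing [9998@from-internal:1] NoOp("PJSIP/201-0000001a", "") in new stack
[2025-08-22 10:02:44] VERBOSE[4321][C-00000a20] pbx.c: Executing [202@from-internal:1] NoOp("PJSIP/201-0000001b", "") in new stack
EOF

# --- checks -------------------------------------------------------------------

# Step 5: count POST requests to modular.php across every *access* file
# under $1, reading gzip-rotated logs transparently (as zgrep would).
modular_post_count() {
    n=0
    for f in "$1"/*access*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.gz) c=$(gzip -dc "$f" | grep -c '"POST [^" ]*modular\.php' || true) ;;
            *)    c=$(grep -c '"POST [^" ]*modular\.php' "$f" || true) ;;
        esac
        n=$((n + c))
    done
    echo "$n"
}

# Step 6: count dialplan executions for extension 9998 in full* logs under $1.
# Anchoring on "Executing [9998@" is an assumption of this example; the
# advisory's own command is the broader `grep 9998`.
ext9998_call_count() {
    n=0
    for f in "$1"/full*; do
        [ -f "$f" ] || continue
        c=$(grep -c 'Executing \[9998@' "$f" || true)
        n=$((n + c))
    done
    echo "$n"
}

# Step 4: true (exit 0) if the leftover .clean.sh file exists under $1.
leftover_present() {
    [ -e "$1/.clean.sh" ]
}

# Print a short report. With no arguments it runs on the sample data; on a
# real box pass e.g. /var/log/httpd /var/log/asterisk /var/www/html.
report() {
    web=${1:-$SAMPLE_DIR/httpd}
    ast=${2:-$SAMPLE_DIR/asterisk}
    html=${3:-$SAMPLE_DIR/html}
    echo "POST modular.php requests : $(modular_post_count "$web")"
    echo "calls to extension 9998   : $(ext9998_call_count "$ast")"
    if leftover_present "$html"; then
        echo "leftover .clean.sh        : PRESENT"
    else
        echo "leftover .clean.sh        : absent"
    fi
}

report
```

A non-zero count from either log function is a prompt to read the matching lines by hand (timestamps, source addresses, what was posted), not a verdict on its own; the report deliberately stays read-only so it can be run on a suspect system before deciding whether to snapshot it for forensics.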
Restoration Procedure
Even if you are not infected, it may be a good time to work through these sample restoration procedures to confirm you can recover quickly in the future:
8. Preserve existing backups from before the infection - from at least before August 21st - on separate media from your main backup storage.
9. Install a new system with sufficient firewalling and the fixed version of the endpoint module, then restore the backup to it.
10. Rotate all passwords, including but not limited to: system, SIP trunks, users, extensions, voicemail, UCP, etc.
If you do not have recent backups, then mitigation and clean-up, via steps 1, 2, and 10, may be possible while you continue to provide basic services to your end users, but it is not advisable. EITHER WAY, CLEAN-UP OR RE-INSTALL, CHECK YOUR CALL DETAIL RECORDS AND PHONE BILL WITH YOUR TELCO, ESPECIALLY INTERNATIONAL CALLING!
Also, it may or may not be necessary for you to archive the infected system for future forensic analysis. If this is the case, then you might consider snap-shotting the infected VM, or taking another full running system backup immediately that includes portions of shared memory, process trees, etc. This procedure is outside the scope of the above minimum guidelines.
UPDATE 2025-08-26T16:57:00Z
Users are still advised to restrict public access to the Administrator Control Panel (ACP).
Additionally, there is now an EDGE module fix for testing. Please note that this has not gone through full normal QA, but we will be doing so ASAP and including it as part of the normal security release.
FreePBX users on v16 or v17 can run:
$ fwconsole ma downloadinstall endpoint --edge
PBXAct v16 users can run:
$ fwconsole ma downloadinstall endpoint --tag 16.0.88.19
PBXAct v17 users can run:
$ fwconsole ma downloadinstall endpoint --tag 17.0.2.31