Security Advisory: Please Lock Down Your Administrator Access

Further note: although the exploit is breaking some systems (PHP Fatal error: Uncaught Error: Class "Symfony\Component\Console\Application" not found in /var/www/html/admin/libraries/FWApplication.class.php:11 Stack trace: #0 /var/lib/asterisk/bin/fwconsole(66): include() #1 {main} thrown in /var/www/html/admin/ - #41 by gregarican), in some cases it is succeeding without any obvious effects.

I found evidence of the exploit on a FreePBX 17 test system that was otherwise working fine.

The most telling evidence is the presence of the file .clean.sh in /var/www/html. It looks as though the script is supposed to delete itself when done, but it does not.
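
A triage check for the two indicators described in the post above, as an added example that is not part of the original post. The function names are hypothetical, and the second argument is assumed to be whatever file captured fwconsole or PHP error output on your system.

```shell
#!/bin/sh
# Added example: read-only triage for the indicators named in the post.
# Nothing is deleted or modified, so the evidence stays intact for analysis.

# Error text quoted in the post (matched as a fixed string, not a regex).
FATAL_SIG='Class "Symfony\Component\Console\Application" not found'

# check_dropper WEBROOT
# Returns 0 if WEBROOT/.clean.sh exists, and records its metadata.
check_dropper() {
    f="$1/.clean.sh"
    [ -e "$f" ] || return 1
    echo "FOUND: $f"
    ls -la "$f"    # owner and mtime help bound when the file was written
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$f"    # hash for comparison with other affected hosts
    fi
    return 0
}

# check_fatal LOGFILE
# Returns 0 if the fatal error from the post appears in LOGFILE
# (LOGFILE is an assumption: any file holding fwconsole/PHP error output).
check_fatal() {
    [ -r "$1" ] || return 1
    grep -F -n -- "$FATAL_SIG" "$1"
}

# triage WEBROOT LOGFILE
# Returns 0 only when neither indicator is present. A system can show the
# file without the error, as the post reports, so each is checked separately.
triage() {
    hits=0
    check_dropper "$1" && hits=$((hits + 1))
    check_fatal "$2" && hits=$((hits + 1))
    echo "indicators found: $hits"
    [ "$hits" -eq 0 ]
}

# Example invocation (web root from the post; log path is a placeholder):
#   triage /var/www/html /path/to/php-or-fwconsole-error.log
```
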