Security Advisory: Please Lock Down Your Administrator Access

15 is not affected, only 16 and 17

Thanks Sergio for the clarification. Does that include versions <15 as well?

Is there a lower 16/17 version that is affected?

Well this is an interesting data point. It means that most likely one of the following happened:

  1. The RCE code was introduced within the last 4 years, which would be interesting since all recent RCEs have been related to way older code.

  2. The RCE code exists in older versions but may not be exposed as easily, or at all, in PHP 5.x, and moving to PHP 7.x and higher exposes the RCE. There were big changes in how PHP handles things between PHP 5.x and PHP 7.x, including serialization. Those changes could have exposed the RCE, or a path to the RCE, if they were not accounted for.

We really won’t know until more details are provided by Sangoma about this RCE and what caused it. However, I wouldn’t go around feeling safe just because you’re on an older version of FreePBX. Don’t confuse an accident of environment with secure code.

Either way, it really doesn’t matter if it was option 1 or option 2; this goes back to the same conversation we always end up in: the QA/QC of this project.

OP was updated 2025-08-27T16:42:00Z to help answer questions and provide additional suggested generalized minimum steps. Users with more specific requests for assistance that wish for details to remain outside of the public community forums are encouraged to open Support Tickets via help.sangoma.com

In my opinion, the bulletin that there is a security issue should stay up at a minimum until Sangoma releases the fix

Rootkits are usually very hard to remove. In the future, you might consider installing rkhunter or chkrootkit (or both) before connecting to the internet. They are good for damage control and possible mitigation.

Did you get around this? We have the same on a server that does have a commercial endpoint licence.

Great. I’m infected. I have zero backups. fwconsole and the web interface are broken, so I can’t make any backups. I don’t want to let my PBX VM touch the internet again. What do I do?

Fix the web interface by fixing /etc/freepbx.conf, make a backup, and restore it on a new server.

Not for years, and this deployment has had the licence removed, so I’m back on the "free" version for Sangoma devices. I’ve been able to upgrade to updated modules without problems, and I’m using only D65s, so I don’t need a licence. I can see other modules have available updates, but this particular one isn’t showing up as an update and doesn’t exist on the server.

I was able to download the updated module by changing to ClearlyIP's mirror, so I think there’s a FreePBX mirror server somewhere that hasn’t updated.

How complicated was your system? If it was simple enough it’s probably easiest and safest to just rebuild.

Sadly, I do have one system affected. Restored from the last backup, a month ago.

Does someone know the best (or almost best) Fail2Ban setup? Is the default setup enough, or do some numbers need to be increased?
Thank you.

Not sure if fail2ban can cover this. F2B checks your logs for auth errors and so on; if the attack vector does not cause a suspicious entry in the logs which triggers F2B, I’d not rely on that.
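To make the point in the reply above concrete (fail2ban only ever sees what a filter regex matches in a log line), here is an added example that is not code from this thread, from FreePBX, or from fail2ban itself. It mimics fail2ban's maxretry/findtime logic over a constructed set of Asterisk security-log lines. The failregex below is an approximation written for this example, not the one shipped in fail2ban's filter.d/asterisk.conf, and the log lines, addresses and timestamps are invented sample data. The last sample line imitates an Apache access-log entry for a request that succeeded with HTTP 200: nothing in it is a failure, so a failure-based filter matches nothing and no ban is ever reached, which is exactly why a logless or "successful" exploit path gets past F2B.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample input (not captured data). Lines 1-6 imitate the shape of
# Asterisk's security_log entries for SIP registration failures; line 7 imitates
# an Apache access-log entry for a request that succeeded (HTTP 200).
def _sec(ts, event, host):
    return (f'[{ts}] SECURITY[1200] res_security_log.c: SecurityEvent="{event}",'
            f'Severity="Error",Service="SIP",AccountID="1001",'
            f'LocalAddress="IPV4/UDP/10.0.0.5/5060",'
            f'RemoteAddress="IPV4/UDP/{host}/5060"')

SAMPLE_LINES = [
    _sec("2025-08-27 10:00:01", "InvalidPassword", "203.0.113.7"),
    _sec("2025-08-27 10:00:03", "InvalidPassword", "203.0.113.7"),
    _sec("2025-08-27 10:00:05", "InvalidAccountID", "203.0.113.7"),
    _sec("2025-08-27 10:00:07", "ChallengeResponseFailed", "203.0.113.7"),
    _sec("2025-08-27 10:00:09", "InvalidPassword", "203.0.113.7"),
    _sec("2025-08-27 10:01:00", "InvalidPassword", "198.51.100.9"),
    # Same attacker, but a web request that the server answered with 200:
    '203.0.113.7 - - [27/Aug/2025:10:05:00 +0000] "POST /admin/config.php HTTP/1.1" '
    '200 512 "-" "python-requests/2.32"',
]

TIMESTAMP_RE = re.compile(r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\]")

# Approximation of a fail2ban failregex for Asterisk security events. Written
# here for illustration; it is NOT copied from fail2ban's own asterisk filter.
FAILREGEX = re.compile(
    r'SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"'
    r'.*RemoteAddress="IPV[46]/(?:UDP|TCP|TLS)/(?P<host>[0-9A-Fa-f.:]+)/\d+"'
)


def parse_failures(lines):
    """Return [(timestamp, host), ...] for every line the failregex matches."""
    found = []
    for line in lines:
        m = FAILREGEX.search(line)
        ts = TIMESTAMP_RE.match(line)
        if m and ts:
            found.append((datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S"),
                          m.group("host")))
    return found


def hosts_to_ban(lines, maxretry=5, findtime=600):
    """fail2ban-style sliding window: a host is banned once it has at least
    maxretry matched failures inside any findtime-second window."""
    window = defaultdict(deque)
    banned = set()
    for ts, host in parse_failures(lines):
        q = window[host]
        q.append(ts)
        # Drop failures that fell out of the findtime window.
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned.add(host)
    return banned


def unmatched_lines(lines):
    """Lines the filter never sees as failures; these can never contribute to a ban."""
    return [line for line in lines if not FAILREGEX.search(line)]


if __name__ == "__main__":
    print("banned:", hosts_to_ban(SAMPLE_LINES))
    for line in unmatched_lines(SAMPLE_LINES):
        print("not matched by failregex:", line)
```

Run as-is, the SIP brute-force source 203.0.113.7 is banned after its fifth failure inside the 600-second window, while the successful web request from the very same address is never matched, so raising maxretry or shrinking findtime changes nothing about that second path. Tuning the numbers, as asked above, only matters for traffic that already produces a failure line.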

I have locked all my FreePBX to my list of "Friendly hosts" in my pfSense (access through HAProxy). So either I’m at a place with a trusted fixed IP, or I need to activate my VPN. Same for UCP and FOP2.

If you run your FreePBX directly on a public IP, the firewall zones are your friend for doing the same.

Why open more access and attack vectors than really needed?

Just relying on F2B or any other IDS is not enough in my opinion. These are good for SIP attacks (which are 99% gone since I only use SIPS/TLS and have restricted exposure to only port 5061 TCP).

@penguinpbx Is the edge update for Endpoint the official fix for this, or should we be expecting some more communication? We are approaching 48 hours.

There was more communication yesterday; the OP was updated to reflect that. There’s a new version in the stable commercial repo as of last night, a higher version than the fix you could get from the Edge repo.

endpoint | 17.0.2.31 | Online upgrade available (17.0.3) | Commercial | Sangoma

I think a new EPM update is on the way.