It was released almost 12 hours ago. It’s not on its way, it’s here.
I just recognised that endpoint-17.0.3 version this morning while checking our other systems.
It was pushed to the mirrors in the last couple of hours, as we were still seeing .19 at 5:11am Canadian time.
Canadian Time is how far behind Greenwich Mean Time? Because I’m just outside of Toronto and I installed the update at 9AM Canadian Time since it seems there’s only one time zone in Canada.
OP was updated 2025-08-28T16:46:00Z with information on the published fix to stable repositories, the affected supported versions (15, 16 and 17) as well as security issue identifiers GHSA-m42g-xg4c-5f3h / CVE-2025-57819.
This is what I got when I raised a ticket. It shows 5:11am, which was 15:11 BST.
Who knows what time zone ticketing is in.
fwconsole ma listonline --edge shows: | endpoint | 16.0.88.17 | Online upgrade available (16.0.88.19) | Commercial | Sangoma |
Wrong repo, the update is in the stable commercial repo. Looking in Edge isn’t going to find it.
It's in edge as well as commercial.
| endpoint | 16.0.89 | Enabled and up to date | Commercial | Sangoma | Just updated 20 servers from edge to 16.0.89 in the last 30 minutes.
Not too worried about that, they are all updated, and thanks to Adarsh for sorting the ‘sticky’ one out.
OK, this is very frustrating. Sangoma has told everyone it's FreePBX 16 and 17 only. Now, buried in a comment from you here, it magically includes 15, so everyone on 15 systems who was not worried and was ignoring updates to those systems is now having to scramble to update 15 systems.
Can we please get a final clarification: is this just 16 and 17, or does it now include 15?
This is generally unhelpful and a bit lazy… You can git blame the lines to find the version range. According to this, everything from XX.0.1 forward is vulnerable, but I assume that is probably not the case. This also prevents people outside of their support contract from rolling back to an unaffected version. I would also not want to assume this lack of information is a marketing move to generate renewals.
The banner should be updated to reflect the vulnerability affects v15
My endpoint maintenance expired 3 days ago and I didn’t catch it till now. I purchased through the portal and my activation page on my server shows the correct date in 2026, but the commercial repo still won't allow me to grab the patch. I’ve had this in the past where I have to wait till the next day before updates work. This needs to be fixed so that the batch process runs more frequently, especially for an issue like this.
Are backups made after infection actually safe?
That was a 100% accurate statement at the time it was written. During additional quality assurance checks, we discovered that 15 was affected as well. Please refer to the full GitHub Security Advisory which lists the affected supported versions: Authentication Bypass Leading to SQL Injection and RCE · Advisory · FreePBX/security-reporting · GitHub
There is a big difference between “100% accurate at the time” and “100% what we thought at the time.”
It turns out it was 100% wrong both then and now. 15 was always affected. You just didn’t know it back then.
Hello,
I have worked with this environment for 10+ years, starting with TrixBox, and having customers in the 16 / 17 family. I believe that this is the second “megastorm” that I have experienced with the FreePBX platform. In those many years, that is a remarkable security story.
What I am really struggling with is that I had to find out about the problem through a 3rd party newsletter - Sangoma has my email address in the registrations, email in the portal, email with SIPSTATION. I checked my spam folder - nope.
Is there an email list out there for these types of large events? I do not check the forums daily - FreePBX is a small part of our business and I have 3 customers. Did I miss the opportunity to register for an announcement list?
When one installs FreePBX, we have several ads for physical phones, SIPSTATION, being a reseller… several clicks to get through the registration.
How about an area to register for system announcements, and when the storm comes, to announce? I don’t need a deep explanation… hey buddy, head over to the forums and read the notice.
If I missed the signup, please relay to me.
Christian
Many, many emails were sent – not sure why your address got missed. Please check any quarantine services you might have and open a support ticket to help resolve this specific issue.
Hi @cyberdocwi, I’d be happy to check your email address against the list to make sure you’re subscribed. Here to help.