What if we were to remove those users? Did you find any other alterations?
At the point I could no longer log in to my server I could see from cloud console that cpu was 100%. Thus, at the very least, on my test machine, the attacker changed root login and launched a process that consumed all CPU. The payload of the exploit provides a root-level shell. So they can do whatever they want.
1 Like
Assuming you have console access you can change the root password. I am assuming they can no longer regain root access after you do that and update endpoint.
I do find the fact that they can gain root access through a module a bit disturbing and would like to know how that was done. Also more proof that that signature system, which was supposed to help detect and prevent things like this, is not of much use.
1 Like
Well.
Something is it planned to update fwconsole validate checking if the system is clean or not?
This cmd line is used to check the system and launch some tests verifying if the system is ok or not.
I know in some cases, this tool can be messed up.
You could imagine to include a test for this issue. Just an idea like that…
1 Like
Could it be an open patch to Validate.class.php ?
What do you mean?
Ho, I think phar code is not opened.
validate.phar.gz dowloaded from Sangoma servers.
I don’t remember correctly how it works exactly.
I think validate.phar.gz is downloaded and exectuded with validate.phar. but it is not stored on the FreePBX system anyway.
When I worked on it, I downloaded this one locally and I lauched some test locally.
Next there is a process to generate a phar file If I remember correctly.
Was the resolved after the day’s wait again?
I am in a similar boat.
@curtisg please DM your deployment ID - I can update this for you.
1 Like
Thanks Michael, I waited long enough, the updates show.
@curtisg Okay - please feel free to call in to our group and/or to also reach out to your partner rep @tmilbrand. We can push these through.
Here’s a little light reading on this whole RCE issue:
1 Like
Good!
A test could be included with Validate . Just to detect if a such attack is real.
No, it is not good. This issue should have been reported responsibly through the FreePBX security-tracker repository on GitHub.
Also, the excerpts from a separate unrelated issue that raise some points related to severity scoring were coincidentally discussed at length in yesterday’s blog post.
1 Like
Yes, it’s good to know anway.
What about this part of the article?
We reported a Post-Authenticated Command Injection vulnerability (CVE-2025-55211) to FreePBX in May 2025. Despite cruising past our 90-day disclosure window, it still hasn’t been published.
No one at Sangoma got the report?
That is the separate unrelated issue that we received and have been working on with the reporter/writer in accordance with our security policy as published in the repo for this purpose. Would you like to fork the topic to discuss it further ?
I’ve noticed a mismatch between the GUI security advisory and the versions available in the repositories for Endpoint Manager.
- In the FreePBX GUI I see information that vulnerability GHSA-m42g-xg4c-5f3h is fixed starting from version 17.0.3.
- However, in the stable repository I can only see 17.0.2.8.
- I was able to download 17.0.2.9 only from the edge track.
- After updating to 17.0.2.9, I received an automatic email notification:
endpoint has been automatically upgraded to fix security issues:
GHSA-m42g-xg4c-5f3h
Also, when running fwconsole ma listonline I can see:
upgrade endpoint due to security vulnerability GHSA-m42g-xg4c-5f3h...Done!
Could you please clarify whether version 17.0.2.9 (edge) already includes the fix, or if 17.0.3 should be released in the stable repo? Right now the GUI still shows that the fix requires 17.0.3, but it looks like the system considers the issue resolved after upgrading to 17.0.2.9.
Thanks in advance!