As part of Sangoma’s commitment to security and responsible stewardship of the FreePBX open source project, please be advised that there were two new security patches released 2025-09-15T07:40:00Z for the “framework” module. The “framework” module is an integral component of all FreePBX systems. Systems administrators should immediately update “framework” to apply these security fixes, or at a minimum, lock down their Administrator Control Panel to unauthorized connections and confirm their automated security updates are proceeding as expected according to their custom local schedule.
One of the patched issues is an Unauthenticated Denial Of Service (GHSA-frc2-jhgg-rwpr /CVE-2025-59056) that could result in modules being uninstalled from supported versions of FreePBX 15, 16 or 17 when the Administrator Control Panel is exposed to hostile networks such as the public internet.
More Details
Please review and inspect your system for details on Indicators of Compromise as published in the GitHub Security Advisories for the FreePBX project – kindly also note the recent fixes for several unrelated post-Authenticated vulnerabilities:
As always, helpful Sangoma Support team members are available 24x7 to assist customers privately on specific FreePBX and PBXact installation issues via help.sangoma.com
Been a long day, so if I’m getting this wrong, apologies. The CVE was posted a day before the fix, correct? But it’s been an issue for a few months, since May. Is there anywhere else this would have been acknowledged before a day before?
Also, can’t official partners get this info before the fix and it’s put on a CVE?
You are saying it affects all versions, which probably isn’t the case. FreePBX has been under version control for over a decade. You can run a git blame and find out how old the code is. Also, if this reaches back to EOL versions, you don’t have to patch those, mind you, but people should be made aware.
LET ME DO THE WORK… > 17.0.9.11 to <17.0.21
You may wish to review 15 and 16; there is no language patch in 15 or 16, so have QA review. It looks like those were fixed for a different CVE.
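The affected range quoted above for FreePBX 17 (“framework” greater than 17.0.9.11 and less than 17.0.21) is easy to get wrong if versions are compared as strings rather than numerically. The following is an added example written for this thread, not code from Sangoma or the FreePBX project: it parses a constructed module listing (the “module version status” line format is an assumption, not the output of any real FreePBX tool), compares each version numerically against the range from the thread, and reports which modules still need the update. Only the version-17 range is encoded, because the page gives no range for 15 or 16.

```python
import re
from typing import Dict, Tuple

# Affected range for the "framework" module on FreePBX 17 as stated in the thread
# (greater than 17.0.9.11 and less than 17.0.21, both bounds exclusive).
# Ranges for FreePBX 15 and 16 are not given on the page, so only 17 is covered.
AFFECTED_RANGES: Dict[str, Tuple[str, str]] = {
    "framework": ("17.0.9.11", "17.0.21"),
}

# Constructed sample listing in a hypothetical "<module> <version> <status>" format.
# It is not real output of any FreePBX command; the versions are made up.
SAMPLE_LISTING = """\
framework 17.0.19.2 Enabled
core 17.0.5 Enabled
voicemail 17.0.3.1 Enabled
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted version into a tuple of ints so that comparison is numeric.

    Lexical comparison is wrong here: as strings, "17.0.9.11" sorts *above*
    "17.0.21" because "9" > "2", so a naive check would miss affected installs.
    """
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {v!r}")
    return tuple(int(p) for p in parts)


def in_open_range(version: str, lower: str, upper: str) -> bool:
    """True when lower < version < upper (both bounds exclusive)."""
    return parse_version(lower) < parse_version(version) < parse_version(upper)


def parse_listing(text: str) -> Dict[str, str]:
    """Turn the constructed module listing into {module_name: version}."""
    modules: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\S+)\s+(\d+(?:\.\d+)*)\s+", line)
        if m:
            modules[m.group(1)] = m.group(2)
    return modules


def affected_modules(listing: str) -> Dict[str, str]:
    """Return {module: installed_version} for every module whose installed
    version falls inside a known affected range."""
    found: Dict[str, str] = {}
    for name, version in parse_listing(listing).items():
        bounds = AFFECTED_RANGES.get(name)
        if bounds and in_open_range(version, *bounds):
            found[name] = version
    return found


if __name__ == "__main__":
    hits = affected_modules(SAMPLE_LISTING)
    if hits:
        for name, version in hits.items():
            print(f"{name} {version}: inside affected range, update required")
    else:
        print("no modules in a known affected range")
```

The exclusive bounds mean 17.0.21 itself (and anything later, such as a hypothetical 17.0.21.1) is treated as fixed, while 17.0.9.11 itself is not flagged, matching the “>” and “<” in the range as posted; if your reading of the range differs, adjust the comparison operators rather than the parser.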
There were two CVEs addressed on September 15th – both in the “framework” module. The fixed “framework” modules started shipping from the FreePBX mirrors at approx. 2025-09-15T07:40:00Z. The CVEs were publicly published on GitHub about 12 hours later.
The Unauthenticated denial of service issue in “framework” GHSA-frc2-jhgg-rwpr CVE-2025-59056 – previously linked in OP – was opened last week. This affected all previous releases of all three supported versions of FreePBX: 15, 16 and 17. As previously mentioned in the advisory on GitHub, the issue is likely eleven years old (or more) owing to this line of code (also linked in the “History” section of the GHSA):
This is an interesting idea, thank you – one might consider further research into an unrelated project where this is being discussed & changed a lot recently, e.g. the Android Open Source Project (AOSP) and their Android Security Bulletins (ASB) pivot over the past few months to focus on high-risk issues for advance notification to vendors.
Well, the core is disabled in 100s of PBXs and some modules rely on that. So some heads up other than a day or two would have been nice. You have a list of partners; you email sales info all the time. Perhaps create an alert of reported and known issues. Update us, give us some notification so we can prepare for this sort of change.
If Scheduler and Alerts is set to weekly, you’re only going to get email alerts once a week and on the specified day. Perhaps an idea is to be able to set daily alerts, even if you only want the modules themselves automatically updating weekly. There’s a chance someone doesn’t know about a vulnerability and its available patch for up to 7 days otherwise.