On the afternoon of December 21, 2021 Sangoma received a report of malicious activity in progress on a fully up to date FreePBX 15 system. Technical details followed very quickly, and engineering was able to act within minutes of the report. Investigation revealed that the vulnerability to be in the FreePBX and PBXact Phone Apps (restapps) module, in published versions 16.0.18.40, 16.0.18.41, 15.0.19.87 and 15.0.19.88. Other major FreePBX or PBXact versions are not affected. The affected module versions were initially published on or about December 11, 2021.
As of this writing, the issue is resolved in Phone Apps (restapps) module versions 16.0.19 and 15.0.20, published early on December 22. They are flagged as a security update, so you will see dashboard notifications after the next update sync, and email notifications if so configured. All are encouraged to update immediately.
Engineering was able to act swiftly in this case due to the very detailed initial report from @billsimon and the follow up participation by @tm1000. On behalf of the entire FreePBX community, we thank Bill and Andrew for their immediate action in reporting and investigating this issue.
The record of this incident is in this wiki page which will be updated as additional details emerge.