FreePBX Servers under active zero-day attack
Take action: If you run FreePBX with the Endpoint Manager module, this is urgent. Apply the emergency patches immediately using the fwconsole commands below and check for the indicators of compromise. If you cannot patch right away, block Administrator Control Panel access from the internet and allow it only from trusted IP addresses. If you find any sign of compromise, isolate the system immediately and restore from a backup taken before August 21, 2025.
The Sangoma FreePBX Security Team has issued an urgent security advisory warning about a zero-day vulnerability being exploited against FreePBX systems.
This vulnerability affects the commercial Endpoint Manager module in FreePBX Community Edition (CE) and Enterprise Edition (EE), allowing attackers to achieve privilege escalation and remote code execution on systems where the Administrator Control Panel (ACP) is exposed to the internet.
The vulnerability has not yet been assigned a formal CVE identifier. The exploit targets FreePBX servers running versions 16 and 17 when the Endpoint Manager module is installed and the Administrator Control Panel is reachable on port 80 or 443. Successful exploitation lets threat actors execute arbitrary commands as the Asterisk user, which amounts to complete control over the PBX system.
Active exploitation has been documented since August 21, 2025; Sangoma issued its first public warning on August 26, 2025.
According to user reports on the FreePBX community forums, at least one organization has suffered a breach affecting approximately 3,000 SIP extensions and 500 trunks. Multiple other administrators have confirmed compromises of their systems through various community channels, including Reddit.
The exact number of affected organizations and the total value of compromised systems or stolen data has not been disclosed by Sangoma.
Sangoma has released emergency EDGE module fixes and provided specific update commands for immediate deployment.
FreePBX users on version 16 can run fwconsole ma downloadinstall endpoint --tag 16.0.88.19, while version 17 administrators should execute fwconsole ma downloadinstall endpoint --tag 17.0.2.31.
These fixes only protect against future infections and do not fix already compromised systems. Users with expired support contracts may be unable to install the emergency updates, leaving their systems vulnerable until the general security release becomes available.
Indicators of Compromise include:
- Missing or modified /etc/freepbx.conf configuration file
- Presence of /var/www/html/.clean.sh shell script uploaded by attackers
- Suspicious Apache log entries targeting modular.php
- Unusual calls to extension 9998 in Asterisk logs dating back to August 21
- Unauthorized entries in the ampusers table of MariaDB/MySQL database, specifically suspicious "ampuser" usernames
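The script below is an added example, not part of the Sangoma advisory or of FreePBX itself; it turns the five indicators above into shell checks that can be run on the PBX host. Each check takes the file it inspects as an argument, so it can be pointed at the live files, at copies taken for forensics, or at the constructed sample data the script writes for itself (those sample log lines are invented, not real captures). The default locations (/var/log/httpd/access_log, /var/log/asterisk/full, the asterisk database for ampusers) are assumptions; treating an /etc/freepbx.conf mtime later than August 21, 2025 as "modified" is this example's interpretation of the indicator and will also fire after legitimate reconfiguration; and the allow-list of known admin accounts for the ampusers check goes beyond the advisory, which only names the "ampuser" rows.

```shell
#!/bin/sh
# Added example (not Sangoma code): check a FreePBX host for the indicators of
# compromise from the advisory. Every check takes the path it inspects as an
# argument; the default paths are the usual FreePBX 16/17 locations on the
# Sangoma distro and are an assumption. A check prints its evidence and
# returns 0 when the indicator is present, 1 when it is not.

# Indicator: /etc/freepbx.conf missing, or modified after the cutoff
# (touch -t format YYYYMMDDhhmm; default is 2025-08-21 00:00 local time).
ioc_freepbx_conf() {
    conf="${1:-/etc/freepbx.conf}"
    cutoff="${2:-202508210000}"
    if [ ! -f "$conf" ]; then
        echo "IOC: $conf is missing"
        return 0
    fi
    ref=$(mktemp) || return 2
    touch -t "$cutoff" "$ref"            # reference mtime for the -nt comparison
    hit=1; [ "$conf" -nt "$ref" ] && hit=0
    rm -f "$ref"
    [ $hit -eq 0 ] && echo "IOC: $conf modified after $cutoff"
    return $hit
}

# Indicator: the attacker-dropped /var/www/html/.clean.sh exists.
ioc_webshell() {
    f="${1:-/var/www/html/.clean.sh}"
    [ -e "$f" ] || return 1
    echo "IOC: found $f ($(wc -c < "$f") bytes)"
}

# Indicator: Apache access-log requests for modular.php.
# (Debian-based FreePBX 17 hosts log to /var/log/apache2/access.log instead.)
ioc_apache_modular() {
    log="${1:-/var/log/httpd/access_log}"
    [ -r "$log" ] || return 1
    hits=$(grep -c 'modular\.php' "$log" || true)   # grep -c prints 0 on no match
    [ "$hits" -gt 0 ] || return 1
    echo "IOC: $hits request(s) for modular.php in $log"
    grep 'modular\.php' "$log" | head -n 5
}

# Indicator: calls to extension 9998 in the Asterisk full log; dialplan
# execution lines carry the extension as "[9998@context:priority]".
ioc_asterisk_9998() {
    log="${1:-/var/log/asterisk/full}"
    [ -r "$log" ] || return 1
    hits=$(grep -cE '(^|[^0-9])9998@' "$log" || true)
    [ "$hits" -gt 0 ] || return 1
    echo "IOC: $hits dialplan entries for extension 9998 in $log"
    grep -E '(^|[^0-9])9998@' "$log" | head -n 5
}

# Indicator: unexpected rows in ampusers. Reads one username per line (saved
# from e.g. mysql -N -e 'SELECT username FROM asterisk.ampusers'; db name is an
# assumption), flags "ampuser*" names and any name not in the allow-list given
# as further arguments.
ioc_ampusers() {
    users="$1"; shift; hit=1
    while IFS= read -r u; do
        [ -n "$u" ] || continue
        case "$u" in
            ampuser*) echo "IOC: suspicious ampusers row '$u'"; hit=0; continue ;;
        esac
        known=1
        for k in "$@"; do [ "$u" = "$k" ] && known=0; done
        [ $known -eq 0 ] || { echo "IOC: ampusers row '$u' not in allow-list"; hit=0; }
    done < "$users"
    return $hit
}

# Constructed sample data (invented, not real logs) so the checks run offline.
write_samples() {
    cat > "$1/access_log" <<'EOF'
203.0.113.7 - - [22/Aug/2025:03:13:58 +0000] "GET /admin/config.php HTTP/1.1" 200 1820 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Aug/2025:03:14:01 +0000] "POST /admin/modular.php HTTP/1.1" 200 44 "-" "python-requests/2.31"
EOF
    cat > "$1/full" <<'EOF'
[2025-08-22 03:14:05] VERBOSE[2281][C-0000001a] pbx.c: Executing [9998@from-internal:1] NoOp("PJSIP/201-0000000c", "")
[2025-08-22 03:14:05] VERBOSE[2281][C-0000001a] pbx.c: Executing [9998@from-internal:2] Answer("PJSIP/201-0000000c", "")
[2025-08-22 09:00:00] VERBOSE[2300][C-0000001b] pbx.c: Executing [202@from-internal:1] NoOp("PJSIP/201-0000000d", "")
EOF
    printf 'admin\nampuser\n' > "$1/ampusers.txt"
    : > "$1/.clean.sh"
    touch -t 202508251200 "$1/freepbx.conf"   # pretend the config was rewritten on Aug 25
}

# Run every check on the files under DIR (layout of write_samples); evidence
# goes to stderr, the number of indicators that fired is printed on stdout.
ioc_count() {
    d="$1"; n=0
    ioc_freepbx_conf "$d/freepbx.conf" >&2 && n=$((n+1))
    ioc_webshell "$d/.clean.sh" >&2 && n=$((n+1))
    ioc_apache_modular "$d/access_log" >&2 && n=$((n+1))
    ioc_asterisk_9998 "$d/full" >&2 && n=$((n+1))
    ioc_ampusers "$d/ampusers.txt" admin >&2 && n=$((n+1))
    echo "$n"
}

demo=$(mktemp -d); write_samples "$demo"
echo "$(ioc_count "$demo") of 5 indicators present in the sample data"
rm -rf "$demo"
```

On a real host run the functions as root against the live paths, and run the two log checks against rotated logs as well (access_log-*, full-*), since exploitation dates back to August 21 and the relevant entries may already have rotated out of the current file. A clean result from these five checks is evidence, not proof: they only cover the indicators published so far.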
For organizations that have identified any of these indicators, Sangoma strongly recommends treating the system as compromised: isolating it, restoring from backups created before August 21, 2025, deploying the patched modules on the clean environment, rotating all system and SIP-related credentials, and reviewing call detail records and billing statements for signs of fraudulent activity.
Administrators who cannot immediately upgrade should use firewall rules or the FreePBX Firewall module to restrict access to the Administrator Control Panel, and make it accessible only from trusted IP addresses.