TT-CSIRT – 450.29.08.25 – FreePBX Vulnerability
Please be advised that a critical vulnerability has been discovered in the FreePBX Endpoint module, affecting versions 15, 16, and 17. The vulnerability arises from improper sanitization of user-supplied data, which can be exploited by unauthenticated attackers to gain unauthorized access to the FreePBX Administrator Control Panel. Successful exploitation can result in arbitrary database manipulation and remote code execution.
Detection Method:
1. Check for a broken FreePBX Administrator web interface:
- If the FreePBX Administrator web interface is broken or not loading properly, check for the existence of the file /etc/freepbx.conf using the command:
$ ls -l /etc/freepbx.conf
2. Check for an exploit-related file:
- The file /var/www/html/.clean.sh should not exist on a normal system. Check for its presence with the following command:
$ ls -l /var/www/html/.clean.sh
3. Review Apache logs for suspicious activity:
- Search for POST requests to modular.php in your Apache logs, dating back to at least August 21st, using the command:
$ zgrep modular.php /var/log/{httpd,apache2}/access*
4. Review Asterisk logs for suspicious calls:
- Check for calls to extension 9998 in your Asterisk logs, dating back to at least August 21st, using the command:
$ grep 9998 /var/log/asterisk/full*
5. Review MariaDB/MySQL logs and tables for unauthorized users:
- Examine the ampusers table for suspicious or unknown users with the following command:
$ mysql -e "SELECT * FROM ampusers" asterisk
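The five checks above, wrapped into a small POSIX shell script so they can be run in one pass on a system or rehearsed against sample data first. This is an added example, not part of the TT-CSIRT advisory or of FreePBX; the function names are hypothetical and the log lines and ampusers output in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the TT-CSIRT advisory or the FreePBX project. Each
# function takes the files to inspect as arguments, so it can be pointed at the
# live paths the advisory names or, as in the demo, at constructed sample logs.
# Function names are hypothetical; the indicators are the advisory's.

# Count lines matching an extended regex across plain or .gz-rotated logs
# (gzip -cdf passes uncompressed files through unchanged, like zgrep).
count_matches() {
  pattern=$1; shift
  gzip -cdf "$@" 2>/dev/null | grep -Ec -- "$pattern" || true
}

# Steps 1 and 2: /etc/freepbx.conf should exist, /var/www/html/.clean.sh should not.
file_exists() { [ -e "$1" ]; }

# Step 3: POST requests to modular.php in Apache access logs.
count_modular_posts() { count_matches '"POST [^"]*modular\.php' "$@"; }

# Step 4: lines mentioning extension 9998 in Asterisk logs (the advisory's loose
# pattern; use '\[9998@' instead to match only dialplan executions).
count_ext_9998() { count_matches '9998' "$@"; }

# Step 5: usernames absent from the space-separated allow-list $1. Reads the
# tab-separated output of `mysql -e "SELECT * FROM ampusers" asterisk` on stdin;
# the first column of that table is the username, the first line the header.
unknown_ampusers() {
  known=" $1 "
  tail -n +2 | cut -f1 | while IFS= read -r user; do
    case "$known" in *" $user "*) ;; *) printf '%s\n' "$user" ;; esac
  done
}

# Demo against constructed sample data, not real logs.
demo() {
  d=$(mktemp -d)
  printf '%s\n' \
    '10.0.0.5 - - [22/Aug/2025:03:14:07 +0000] "GET /admin/config.php HTTP/1.1" 200 512' \
    '10.0.0.9 - - [22/Aug/2025:03:14:09 +0000] "POST /admin/modular.php HTTP/1.1" 200 64' \
    > "$d/access_log"
  printf '%s\n' '[Aug 22 03:15:01] VERBOSE[2201][C-00000003] pbx.c: Executing [9998@from-internal:1] Answer("PJSIP/200-00000002", "")' > "$d/full"
  printf 'username\nadmin\nsupport\n' > "$d/ampusers.tsv"
  echo "modular.php POSTs: $(count_modular_posts "$d/access_log")"          # 1
  echo "lines with 9998:   $(count_ext_9998 "$d/full")"                     # 1
  echo "unknown ampusers:  $(unknown_ampusers admin < "$d/ampusers.tsv")"   # support
  rm -rf "$d"
}
demo
```

On a live system, replace the demo paths with the advisory's: the Apache logs under /var/log/{httpd,apache2}/, /var/log/asterisk/full*, and the piped output of the mysql command.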
Immediate Actions:
- Determine internet exposure:
Assess whether your FreePBX/PBXact system is accessible from the public internet.
- Activate and configure the FreePBX Firewall:
Configure the FreePBX Firewall module to restrict access to the Web Management interfaces.
Lock down access to only your IP address and other known trusted hosts.
Disallow all access from the Internet/External zone to the Web Management interfaces.
- Upgrade the Endpoint module:
Immediately upgrade the FreePBX Endpoint module to the latest available version.
The patched versions are 15.0.66, 16.0.89, and 17.0.3.
Confirm the update via the Admin -> Module Admin menu.
Note: If the update fails, you may need to renew your commercial module licenses via the Sangoma Portal and try again.
If “endpoint” is NOT installed, then your system is probably NOT at risk of infection.
References
https://www.cve.org/CVERecord?id=CVE-2025-57819
https://community.freepbx.org/t/security-advisory-please-lock-down-your-administrator-access/107203