
Sangoma Patches Critical Zero-Day Exploited to Hack FreePBX Servers

Tracked as CVE-2025-57819 (CVSS score of 10/10), the bug is described as an insufficient sanitization of user-supplied data.

Sangoma has released emergency patches for a zero-day vulnerability that has been exploited to compromise FreePBX servers whose administrator control panel is exposed to the internet.

Tracked as CVE-2025-57819 (CVSS score of 10/10), the bug is described as insufficient sanitization of user-supplied data. Successful exploitation allows attackers to access the FreePBX administrator panel, enabling database manipulation and remote code execution (RCE).

Fixes were rolled out for FreePBX versions 15, 16, and 17, after Sangoma discovered that the security defect had been exploited in the wild starting on or before August 21. The hacked servers had inadequate IP filtering/ACLs, as noted in a GitHub advisory.

“This initial entry point was then chained with several other steps to ultimately gain potentially root level access on the target systems,” the advisory reads.

The issue was discovered in the commercial “endpoint” module. Users are advised to lock down all administrator access and remote internet access to their FreePBX servers, ensure the servers are protected by a firewall, update to a patched version, and check that the “endpoint” module has the recommended fixes.

“Users should check their automated security updates are active. We are aware of a current issue in the v17 ‘framework’ module that may prevent automated update notification emails,” Sangoma notes.


Sangoma has released indicators-of-compromise (IOCs) to help administrators hunt for signs of exploitation, as well as recommended restoration steps.

On Friday, the US cybersecurity agency CISA added CVE-2025-57819 to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch it by September 19, as mandated by Binding Operational Directive (BOD) 22-01.

Although BOD 22-01 only applies to federal agencies, all organizations are advised to review CISA’s KEV list and take the necessary steps to mitigate the security defects it identifies.

Sangoma FreePBX is an open source interface for the management of Asterisk, a framework for real-time, multi-protocol communications applications.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
