Critical FreePBX Flaw Under Attack: Is Your Phone System Compromised?
A critical vulnerability has been uncovered—and almost immediately weaponized—in the IP telephony ecosystem through FreePBX. Signs of widespread compromise were first reported on August 21, 2025, when administrators began noticing identical symptoms and suspicious traces across their systems. Researchers at watchTowr Labs have since confirmed that the flaw enables unauthenticated remote exploitation via the commercial Endpoint module, triggered by a weakness in the framework’s class autoloader.
The vulnerability has been assigned CVE-2025-57819. FreePBX, a web interface for Asterisk used by everyone from home enthusiasts to service providers and enterprise deployments, exposes not just administrative panels but also access to calls, voicemail, and recorded conversations.
The first alarms sounded on August 25, when administrators saw mass interface crashes tied to a missing Symfony class error in PHP. The following day, one administrator reported the sudden appearance of a file named clean.sh. This script traversed “/var/log/*”, selectively wiping entries that referenced web shells or service names, before deleting itself—a textbook indicator of post-exploitation activity designed to erase evidence and complicate forensic analysis.
To validate the exploit path, watchTowr deployed a fully monitored FreePBX honeypot, comparing system behavior before and after patches. They determined that the vulnerable entry point resides in the Endpoint module, with exploitation hinging on the admin/ajax.php routing chain and the autoloader mechanism. FreePBX’s source code calls class_exists on the “module” parameter; under PHP’s standard autoloading, this hands control to the custom fpbx_framework_autoloader.
By submitting a crafted module string such as FreePBX\modules\endpoint\ajax, the autoloader assembles the path /admin/modules/endpoint/ajax.php and includes the file—crucially, before session validation occurs. This allows module code execution without login. Within Endpoint itself, a validation flaw permits SQL injection through the AJAX handler, enabling direct manipulation of the FreePBX database.
In practice, attackers first created a hidden administrator account, ampuser. Honeypot captures confirmed injected INSERT operations into the ampusers table via the “brand” parameter. To escalate from database access to code execution, attackers then inserted entries into the cron_jobs table with a schedule of “* * * * *” and payloads in the “command” field, causing malicious code to run every minute under FreePBX’s own utilities. watchTowr replicated this chain in the lab and released detection artifacts capable of identifying traces—such as injected cron jobs or new administrative accounts.
FreePBX developers responded quickly, advising administrators to restrict access to the management interface via IP whitelisting or firewalls and to apply out-of-band Endpoint module updates. For FreePBX 16/17, the patch is available via fwconsole ma downloadinstall endpoint –edge; for PBXAct 16, use –tag 16.0.88.19; for PBXAct 17, use –tag 17.0.2.31.
Incident notes reveal that since August 21, 2025, attackers have targeted unfiltered, internet-exposed FreePBX versions 16 and 17. Once initial access is achieved, the exploit chain can grant privileges up to root. watchTowr cautions, however, that while the Endpoint patch resolves the SQL injection, the deeper autoloading flaw remains: pre-authentication inclusion of arbitrary “.php” files under /admin/modules continues to present an exploitable path.
The FreePBX team also acknowledged a related issue disclosed earlier this year—post-authentication command injection tracked as CVE-2025-55211—whose publication was delayed beyond the standard disclosure window. Taken together, these findings paint a troubling picture: commercial modules locked behind ionCube encryption, fragile routing combined with exploitable autoloading, and attackers quickly converting panel access into telephony surveillance and persistent footholds. Similar patterns of critical vulnerabilities have emerged across other enterprise systems.
For defenders, fundamental measures remain critical: segment and filter access to administrative panels, promptly apply module patches, monitor the integrity of /admin/modules directories, audit databases for suspicious entries in ampusers or cron_jobs, and search logs for traces of .clean.sh. Modern attack campaigns demonstrate that adversaries are increasingly adept at bypassing defenses, making vigilance and layered security indispensable.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
