Sangoma Issues Warning: Zero-Day Vulnerability Actively Exploited in FreePBX
Sangoma has issued an urgent alert regarding an actively exploited zero-day vulnerability in FreePBX installations where the Administrator Control Panel (ACP) is exposed to the internet. FreePBX, an open-source IP-PBX built on Asterisk, is widely used by enterprises, call centers, and service providers to manage internal communications, SIP trunks, and call routing.
According to the FreePBX security team, attacks began on August 21. Versions 16 and 17 are affected when two conditions are met: the Endpoint module is installed and the administrator login page is reachable from the internet. The vendor urges administrators to restrict ACP access immediately, at minimum by using the Firewall module to allow connections only from trusted addresses.
Sangoma has released an “EDGE” test fix for the Endpoint module, with a standard security release promised “shortly” (initially within 36 hours). Crucially, the patch closes the hole on systems that have not yet been exploited; it does not clean up hosts that were already compromised. Some users have reported that expired support contracts prevent them from installing the EDGE update; such systems should have external ACP access disabled until the full patch is available.
Installation of the test patch
- FreePBX 16/17: fwconsole ma downloadinstall endpoint --edge
- PBXAct 16: fwconsole ma downloadinstall endpoint --tag 16.0.88.19
- PBXAct 17: fwconsole ma downloadinstall endpoint --tag 17.0.2.31
Following the advisory, the FreePBX forum quickly filled with reports of successful intrusions. One customer reported the compromise of multiple servers, affecting over 3,000 SIP extensions and 500 trunks; the customer temporarily blocked administrator access and rolled the systems back to a pre-attack state. Other administrators confirmed that attackers were exploiting the flaw to execute arbitrary commands as the asterisk user.
Although Sangoma has not disclosed the technical details, the vendor and affected administrators have compiled a set of indicators of compromise (IoCs):
- Missing or altered configuration file /etc/freepbx.conf
- Presence of a suspicious shell script /var/www/html/.clean.sh (believed to be attacker-deployed)
- Suspicious Apache log entries referencing modular.php
- Unusual Asterisk logs showing calls to extension 9998 since August 21
- Unauthorized entries in the ampusers table of MariaDB/MySQL, including a suspicious account named ampuser in the username (leftmost) column
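The checks above are easy to run by hand once, but a suspect host usually has to be triaged more than once and the same checks applied to files exported from several servers. The script below is an added example, not Sangoma's code and not part of the advisory: it takes every path and the ampusers dump as arguments so the checks can be run against exported files or constructed samples. The Apache and Asterisk log patterns (requests containing modular.php, dialplan lines of the form "Executing [9998@context:priority]") and the assumption that a stock /etc/freepbx.conf contains the AMPDBUSER setting are this example's own; adjust them if your log format differs.

```shell
#!/bin/sh
# Added example (not Sangoma's code): hunt for the FreePBX IoCs listed above.
#
# Usage: ioc_hunt CONF CLEANSH APACHE_LOG ASTERISK_LOG AMPUSERS_DUMP KNOWN_ADMINS
#   CONF          path of /etc/freepbx.conf (or an exported copy)
#   CLEANSH       path where the attacker script /var/www/html/.clean.sh would be
#   APACHE_LOG    Apache access log (/var/log/httpd/access_log on FreePBX 16,
#                 /var/log/apache2/access.log on FreePBX 17)
#   ASTERISK_LOG  Asterisk full log (/var/log/asterisk/full)
#   AMPUSERS_DUMP file with one username per line, produced on the PBX with
#                 mysql -N -e 'SELECT username FROM ampusers' asterisk
#   KNOWN_ADMINS  space-separated admin usernames the operator actually created
# Prints one FINDING line per indicator, then "FINDINGS: N"; returns 1 if N > 0.
ioc_hunt() {
  conf=$1; cleansh=$2; apache=$3; astlog=$4; dump=$5; known=$6
  n=0

  # 1. /etc/freepbx.conf missing or altered. Assumption: a stock file sets
  #    $amp_conf["AMPDBUSER"]; a file without it has been rewritten.
  if [ ! -s "$conf" ]; then
    echo "FINDING: $conf missing or empty"; n=$((n+1))
  elif ! grep -q 'AMPDBUSER' "$conf"; then
    echo "FINDING: $conf present but lacks AMPDBUSER (altered?)"; n=$((n+1))
  fi

  # 2. Attacker-deployed script
  if [ -e "$cleansh" ]; then
    echo "FINDING: $cleansh exists"; n=$((n+1))
  fi

  # 3. Requests referencing modular.php, with the top source addresses
  #    ("|| true" keeps grep's exit status 1 on zero matches from aborting
  #    callers that run under set -e)
  if [ -r "$apache" ]; then
    hits=$(grep -c 'modular\.php' "$apache" || true)
    if [ "$hits" -gt 0 ]; then
      echo "FINDING: $hits request(s) referencing modular.php in $apache"; n=$((n+1))
      grep 'modular\.php' "$apache" | awk '{print $1}' | sort | uniq -c | sort -rn | head -5
    fi
  fi

  # 4. Calls to extension 9998. Assumed log format: the dialplan logger line
  #    "Executing [9998@from-internal:1] ..." (pattern is "[9998@").
  if [ -r "$astlog" ]; then
    calls=$(grep -c '\[9998@' "$astlog" || true)
    if [ "$calls" -gt 0 ]; then
      echo "FINDING: $calls dialplan execution(s) for extension 9998 in $astlog"; n=$((n+1))
    fi
  fi

  # 5. ampusers rows that the operator did not create (e.g. "ampuser")
  if [ -r "$dump" ]; then
    while IFS= read -r u; do
      [ -z "$u" ] && continue
      case " $known " in
        *" $u "*) ;;
        *) echo "FINDING: unexpected ampusers row '$u'"; n=$((n+1)) ;;
      esac
    done < "$dump"
  fi

  echo "FINDINGS: $n"
  [ "$n" -eq 0 ]
}

# Run against the live FreePBX 17 layout only when asked (RUN_HUNT=1), so the
# file can also be sourced just for the function. AMPUSERS_DUMP and
# KNOWN_ADMINS are this example's own environment variables.
if [ "${RUN_HUNT:-0}" = 1 ]; then
  ioc_hunt /etc/freepbx.conf /var/www/html/.clean.sh \
    /var/log/apache2/access.log /var/log/asterisk/full \
    "${AMPUSERS_DUMP:-ampusers.txt}" "${KNOWN_ADMINS:-admin}"
fi
```

A non-zero exit from ioc_hunt is meant for cron or a fleet-wide loop over exported logs; a clean result only says none of the published indicators were seen, not that the host is clean, since an attacker who already had shell as the asterisk user can remove the script and the log lines.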
Recommended actions if compromise is suspected
- Restore the system from a backup dated prior to August 21, or rebuild the environment from scratch
- Install the patched modules on the restored or rebuilt system before exposing it again, otherwise it is simply re-exploited
- Rotate all passwords and keys: system accounts, database credentials, and SIP logins/secrets
- Audit CDR and billing records for abuse, particularly international traffic
- Block external ACP access until the final patch is released (via firewall, VPN, or allow-list)
If the FreePBX administrator interface was publicly accessible, assume worst-case compromise: installations may already have been infiltrated and must be promptly investigated and isolated. Sangoma has pledged a comprehensive security update for all affected builds; until then, it is critical to minimize the attack surface and enforce strict hygiene measures — hardened firewall rules, disabling unused modules, and vigilant monitoring of logs and network activity.