CISA on August 29, 2025, added a critical vulnerability in Sangoma’s FreePBX telephony platform to its Known Exploited Vulnerabilities (KEV) Catalog, warning that attackers have been exploiting the flaw in the wild since at least August 21 to gain remote code execution on internet‑facing systems. The listing of CVE‑2025‑57819 triggers Binding Operational Directive 22‑01, requiring all Federal Civilian Executive Branch agencies to remediate the issue within an accelerated timeline, and sends a blunt signal to private‑sector operators that lagging on this patch is unacceptable.
A Perfect Chain: Auth Bypass to SQL Injection to RCE
The vulnerability resides in the commercial endpoint module used by FreePBX versions 15, 16, and 17. Sangoma’s GitHub security advisory describes a chain that begins with insufficient input validation on an endpoint‑managed path, which allows unauthenticated attackers to reach Administrator Control Panel (ACP) functionality. From there, they can manipulate database records through SQL injection, and ultimately escalate to operating‑system command execution under the asterisk user. The CVSS v4 base score is 10.0 — maximum severity — reflecting complete compromise of confidentiality, integrity, and availability with zero required privileges, no user interaction, and a network attack vector.
“The issue is rooted in a validation/sanitization error in the endpoint module,” the advisory states, “which lets unauthenticated requests access ACP functionality, then chain with subsequent operations to alter database state and execute OS commands.” In practical terms, any FreePBX installation with its ACP reachable from the internet is a prime target.
Who Is at Risk
Any organization running FreePBX or Sangoma’s PBXAct appliances with the vulnerable endpoint module is affected. The vulnerable products cover:
- FreePBX 15 with endpoint module version prior to 15.0.66
- FreePBX 16 with endpoint module version prior to 16.0.89
- FreePBX 17 with endpoint module version prior to 17.0.3
Hosted PBX providers, call centers, managed service providers, and small businesses that expose the ACP for remote management are particularly exposed. In many cases, these systems lack strict IP allowlisting or VPN enclaving, leaving the admin panel accessible to any scanner that finds the web interface on ports 80 or 443.
Exploitation Confirmed: What Incident Responders Are Finding
CISA’s KEV listing is not based on theoretical severity; it cites “evidence of active exploitation.” Independent reporting and Sangoma’s own advisory corroborate intrusions that began on or before August 21, 2025. Multiple forum posts and security bulletins describe real compromises across production servers.
Indicators of Compromise (IOCs) published by Sangoma and echoed by incident responders include:
- Missing or modified /etc/freepbx.conf
- Presence of an unexpected shell script: /var/www/html/.clean.sh
- Suspicious POST requests to modular.php in web server logs
- Unusual calls to extension 9998 in Asterisk Call Detail Records
- Unauthorized entries in the ampusers table of the FreePBX database
If any of these artifacts surface, the system should be treated as fully compromised. Affected organizations have reported administrative takeover, fraudulent call routing, and full appliance rebuilds.
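The five indicators above can be checked mechanically. The script below is an added example, not code from Sangoma or CISA: it runs the published IOC checks over constructed sample data (an Apache combined‑format access log, a trimmed CDR export, and an ampusers name list). The log format, the CDR column names (src, dst) and the allowlist of known admin accounts are assumptions; on a real host you would feed it the web server log, the Asterisk CDR CSV and a `SELECT username FROM ampusers` result, and point `root` at `/` or at a mounted disk image.

```python
"""Added example (not Sangoma's or CISA's code): hunt for the published
CVE-2025-57819 indicators over constructed sample data."""
import csv
import io
import os
import re
import tempfile

# Indicators named in the advisory text above.
CONFIG_PATH = "/etc/freepbx.conf"
DROPPED_SCRIPT = "/var/www/html/.clean.sh"
SUSPICIOUS_EXTENSION = "9998"
# A request line of the form "POST .../modular.php... HTTP/x.y".
MODULAR_POST = re.compile(r'"POST\s+\S*modular\.php[^"]*"')

# Constructed Apache combined-format lines (not real traffic); addresses are documentation ranges.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [22/Aug/2025:03:14:11 +0000] "POST /admin/ajax.php?module=endpoint HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [22/Aug/2025:03:14:12 +0000] "POST /admin/modular.php HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.20 - - [22/Aug/2025:08:00:01 +0000] "GET /admin/config.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
"""

# Constructed CDR rows; the column names are an assumption about the export format.
SAMPLE_CDR = """\
src,dst,calldate,duration
1001,1002,2025-08-22 09:00:00,45
1001,9998,2025-08-22 09:05:00,2
2001,15551230000,2025-08-22 09:10:00,300
"""


def find_modular_posts(access_log: str) -> list[str]:
    """Return the access-log lines carrying a POST to modular.php."""
    return [line for line in access_log.splitlines() if MODULAR_POST.search(line)]


def find_calls_to(cdr_csv: str, extension: str = SUSPICIOUS_EXTENSION) -> list[dict]:
    """Return CDR rows whose destination is the suspicious extension."""
    rows = csv.DictReader(io.StringIO(cdr_csv))
    return [row for row in rows if row["dst"] == extension]


def unauthorized_admins(ampusers: list[str], allowlist: set[str]) -> list[str]:
    """Admin accounts present in ampusers but absent from the known-good list."""
    return sorted(set(ampusers) - allowlist)


def filesystem_findings(root: str = "/") -> list[str]:
    """Check the two file-based indicators beneath `root` (a parameter so the
    same check works on a live host, a test tree, or a mounted image)."""
    findings = []
    if not os.path.isfile(os.path.join(root, CONFIG_PATH.lstrip("/"))):
        findings.append(f"missing {CONFIG_PATH}")
    if os.path.isfile(os.path.join(root, DROPPED_SCRIPT.lstrip("/"))):
        findings.append(f"unexpected script {DROPPED_SCRIPT}")
    return findings


def triage(access_log: str, cdr_csv: str, ampusers: list[str],
           allowlist: set[str], root: str = "/") -> dict:
    """Collect every indicator hit; any non-empty value means the host is
    treated as fully compromised, per the advisory guidance."""
    return {
        "modular_posts": find_modular_posts(access_log),
        "calls_to_9998": find_calls_to(cdr_csv),
        "unknown_admins": unauthorized_admins(ampusers, allowlist),
        "filesystem": filesystem_findings(root),
    }


if __name__ == "__main__":
    # Throwaway tree mimicking a compromised host: config removed, script dropped.
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "var/www/html"))
        open(os.path.join(tmp, "var/www/html/.clean.sh"), "w").close()
        report = triage(SAMPLE_ACCESS_LOG, SAMPLE_CDR,
                        ["admin", "svc_backup"], {"admin"}, root=tmp)
    for key, hits in report.items():
        print(f"{key}: {hits}")
```

Each check is a separate function so it can be run against whichever evidence source survives; a single hit in any of them is enough to escalate to the rebuild path described in the vendor response.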
Vendor Response: Patches and Emergency EDGE Builds
Sangoma released official patches on August 28–29, 2025, for all three affected branches. The fixed endpoint module versions are:
- Endpoint 15 → 15.0.66
- Endpoint 16 → 16.0.89
- Endpoint 17 → 17.0.3
Administrators can apply the updates via the Module Admin GUI or using the command‑line tool:
fwconsole ma upgradeall
To check the currently installed endpoint version:
fwconsole ma list | grep endpoint
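Comparing the installed version against the fixed one is easy to get wrong with string comparison (as text, "16.0.9" sorts after "16.0.89"). The snippet below is an added example, not Sangoma tooling: it parses a module‑list line and decides whether the endpoint module predates the fix for its FreePBX branch. The sample listing line is constructed, and the exact column layout printed by fwconsole on a real system is an assumption, so the parser only relies on the word endpoint and a dotted version appearing on the same line.

```python
"""Added example (not Sangoma's tooling): is the installed endpoint module
below the fixed version for its FreePBX branch?"""
import re

# Fixed versions from the advisory, keyed by FreePBX major version.
FIXED_ENDPOINT = {15: (15, 0, 66), 16: (16, 0, 89), 17: (17, 0, 3)}

# Constructed line resembling `fwconsole ma list | grep endpoint`; the real
# table layout is an assumption.
SAMPLE_LISTING = "| endpoint | 16.0.88 | Enabled | Commercial |"
ROW = re.compile(r"\bendpoint\b.*?(\d+\.\d+\.\d+)")


def parse_version(text: str) -> tuple[int, ...]:
    """'16.0.88' -> (16, 0, 88). Tuples compare numerically per component,
    which avoids the string pitfall '16.0.9' > '16.0.89'."""
    return tuple(int(part) for part in text.strip().split("."))


def endpoint_is_vulnerable(version: str) -> bool:
    """True if the module version predates the fix for its branch.
    Branches the advisory does not cover raise instead of silently passing."""
    parsed = parse_version(version)
    major = parsed[0]
    if major not in FIXED_ENDPOINT:
        raise ValueError(f"FreePBX {major} is not covered by the advisory")
    return parsed < FIXED_ENDPOINT[major]


def version_from_listing(line: str) -> str:
    """Pull the dotted version off a module-list line; raises if none is present."""
    match = ROW.search(line)
    if not match:
        raise ValueError("no endpoint version found in line")
    return match.group(1)


if __name__ == "__main__":
    installed = version_from_listing(SAMPLE_LISTING)
    print(installed, "vulnerable" if endpoint_is_vulnerable(installed) else "patched")
```

Run it against the real fwconsole output by replacing SAMPLE_LISTING with the line the command prints; a result of "vulnerable" means the upgrade above (or the network containment described under mitigation) is still outstanding.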
Sangoma also made EDGE channel builds available for rapid deployment. However, a patch alone may not suffice for systems already penetrated. Sangoma and multiple incident responders recommend a full rebuild from pre‑August 21 backups if any IOC is detected.
Immediate Mitigation Steps
Organizations that cannot patch immediately should implement network‑level containment as a stopgap:
- Block external access to the ACP at the perimeter — restrict TCP/80 and 443 to trusted management IPs only.
- Enforce VPN access for any administrative tasks, coupled with multi‑factor authentication.
- Increase logging and forward critical logs to a SIEM for real‑time correlation.
A thorough triage checklist should include:
- Inventory all FreePBX and PBXAct instances and note ACP exposure.
- Apply the endpoint module update or lock down network access.
- Scan for the published IOCs.
- If compromise is confirmed, rebuild from clean backups, rotate all SIP credentials, API keys, voicemail PINs, and any credentials that passed through the system.
- Monitor CDRs for anomalous call patterns and report fraud to carriers.
Policy Fallout: Why KEV Changes the Equation
CISA’s KEV designation transforms CVE‑2025‑57819 from a standard patch‑Tuesday item into an operational priority. FCEB agencies must remediate per BOD‑22‑01 timeframes; private‑sector firms are strongly urged to treat it with equal urgency. Security operations centers should bump this CVE to the top of their remediation queues and assume that any internet‑exposed FreePBX ACP is already hostile until proven otherwise.
“KEV entries are a policy instrument,” a CISA spokesperson has said in similar contexts. “When a vulnerability appears on this list, it’s because we have confirmed it is being used in real attacks, and delay can lead to mission impact.”
Additionally, the incident exposes a gap in many organizations’ asset management: telephony appliances often sit outside standard vulnerability scanners and patch‑management workflows. Including VoIP and PBX systems in regular inventories and scanning is now a must.
Ecosystem Strengths and Shortcomings
Strengths:
- Sangoma’s disclosure was swift, with patches and IOCs published within days of observed exploitation.
- CISA’s KEV addition gives defenders a clear, prioritized mandate.
Shortcomings:
- Persistent practice of exposing admin panels to the internet without hard access controls.
- Insufficient asset visibility — many organizations learned they had vulnerable FreePBX instances only after the exploits began.
- Complex recovery: compromised systems require full rebuilds, which are operationally disruptive for service providers.
Looking Ahead
CVE‑2025‑57819 is a textbook example of how a web‑facing management interface can become a lethal entry point. The fix is a simple module update, but the consequences of ignoring it are severe: full system takeover, toll fraud, and data exfiltration. As Sangoma continues to publish post‑mortem data, the global FreePBX install base will need to double down on basic segmentation, monitoring, and credential hygiene. For now, the only safe posture is to patch, hunt, and lock down the ACP as if the attack already reached your doorstep — because in many cases, it already has.