Luca Galuppi : 28 August 2025 13:39
The world of VoIP telephony has once again ended up in the crosshairs of cybercriminals. This time it’s FreePBX, the open-source platform built on Asterisk and widely used by companies, call centers, and service providers.
The Sangoma FreePBX Security Team has raised the alarm: a zero-day vulnerability is affecting systems that expose the Administrator Control Panel (ACP) to the network. And this isn’t a theoretical threat: the vulnerability has already been actively exploited for days, with serious consequences for those who haven’t taken adequate countermeasures.
According to initial reports, the exploit allows attackers to execute arbitrary commands with the privileges of the Asterisk user. In other words, complete control of the PBX and the ability to manipulate configurations, divert calls, compromise SIP trunks, and even generate unauthorized international traffic.
A FreePBX forum user stated:
“We have seen multiple compromises within our infrastructure, with approximately 3,000 SIP extensions and 500 trunks impacted.”
This is not an isolated case: other administrators, including on Reddit, have confirmed suffering the same fate.
Sangoma has not disclosed the technical details of the vulnerability, but the community has shared a series of signals to look for on their systems:
- /etc/freepbx.conf file is missing or modified.
- /var/www/html/.clean.sh script, uploaded by the attackers, is present.
- modular.php
- ampusers table of the MariaDB/MySQL database, resulting in the appearance of a suspicious user ampuser.
Anyone who encounters even one of these IoCs should consider their system already compromised.
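A small triage script, added here as an example (it is not Sangoma's code and does not come from the article), that checks a host for the indicators listed above; the paths default to the real FreePBX locations, and the 'asterisk' database name used in the comment is an assumption.

```shell
#!/bin/sh
# Added example, not from Sangoma or the article: checks a FreePBX host for the
# community-reported indicators. Each function takes an optional path so it can
# be run against test files; defaults are the real FreePBX locations.

# Indicator: /etc/freepbx.conf missing. Returns 0 when the file is absent.
freepbx_conf_missing() {
    [ ! -f "${1:-/etc/freepbx.conf}" ]
}

# Indicator: attacker-dropped /var/www/html/.clean.sh present. Returns 0 if found.
clean_sh_present() {
    [ -f "${1:-/var/www/html/.clean.sh}" ]
}

# Indicator: unexpected 'ampuser' row in the ampusers table. Reads usernames
# (one per line) from stdin, e.g. the output of (database name is an assumption):
#   mysql -N -e 'SELECT username FROM asterisk.ampusers'
ampusers_has_suspect() {
    grep -qx 'ampuser'
}

# Context only: number of Apache access-log lines touching modular.php, for
# manual review (the article names the file but gives no further detail).
modular_php_hits() {
    log="${1:-/var/log/httpd/access_log}"
    [ -f "$log" ] || { echo 0; return 0; }
    grep -c 'modular\.php' "$log" || true
}

# Runs the three indicator checks; prints findings and returns 1 if any fired,
# i.e. the host should be treated as compromised per the guidance above.
# Arguments: config path, dropped-script path, newline-separated usernames, log path.
triage() {
    conf="${1:-/etc/freepbx.conf}"
    script="${2:-/var/www/html/.clean.sh}"
    users="${3:-}"
    log="${4:-/var/log/httpd/access_log}"
    rc=0
    freepbx_conf_missing "$conf" && { echo "IOC: $conf is missing"; rc=1; }
    clean_sh_present "$script" && { echo "IOC: $script is present"; rc=1; }
    printf '%s\n' "$users" | ampusers_has_suspect && { echo "IOC: ampuser account in ampusers"; rc=1; }
    echo "modular.php requests in $log: $(modular_php_hits "$log")"
    return $rc
}
```

On a live host, pass the output of the mysql query as the third argument, e.g. `triage '' '' "$(mysql -N -e 'SELECT username FROM asterisk.ampusers')"`, and treat a non-zero exit as a compromised system.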
The Sangoma FreePBX Security Team has released an EDGE fix to protect new installations, pending the official patch expected soon. However, the fix does not remediate already infected systems.
Commands to install the EDGE fix:
FreePBX v16/v17:
fwconsole ma downloadinstall endpoint --edge
PBXAct v16:
fwconsole ma downloadinstall endpoint --tag 16.0.88.19
PBXAct v17:
fwconsole ma downloadinstall endpoint --tag 17.0.2.31
There is a significant problem, however: those with an expired support contract risk not being able to download the update, thus leaving their PBX exposed and without defenses.
Administrators who are unable to apply the fix should immediately block access to the ACP from the internet, limiting it to trusted hosts only.
In the event of a compromise, Sangoma’s instructions are clear:
Exposing admin panels to the internet is a critical risk that should never be underestimated. The FreePBX case demonstrates how a zero-day vulnerability, combined with careless configuration, can quickly turn into a large-scale compromise.
It’s essential to adopt a proactive approach: restrict access to ACPs only from trusted hosts, constantly monitor indicators of compromise, and keep modules and components updated. Only in this way can we reduce the impact of threats that, like in this case, can strike without warning and with significant consequences for business continuity and the security of corporate communications.