Hackers Can Control Phones from Elsewhere? FreePBX Users at Risk: Critical Vulnerability Lets Hackers Take Over Systems

The420.in Staff

A critical security flaw in FreePBX, one of the world’s most widely used open-source telephony systems, has prompted urgent warnings to administrators and businesses after reports confirmed active exploitation in the wild. The vulnerability, assigned CVE-2025-57819, has received a severity rating of 9.8 out of 10 on the Common Vulnerability Scoring System, underscoring the scale of the threat.

A Remote Gateway to Control Panels

FreePBX, maintained by Sangoma Technologies, provides a web-based interface that allows administrators to configure and manage phone systems. The newly disclosed flaw specifically affects its administrator control panels when exposed to the public internet. Security researchers caution that exploitation does not require authentication, meaning attackers could potentially gain full control of affected systems with minimal effort.


The impact extends beyond unauthorized access. According to the advisory, successful exploitation could enable remote code execution, effectively allowing attackers to run arbitrary commands with privileged access. Such intrusions could result in surveillance of communications, disruption of services, or lateral movement into broader corporate networks.

Indicators of Compromise Emerging

Reports indicate the flaw is already being exploited in active attacks. Administrators are being advised to urgently upgrade to the latest patched versions: 15.0.66, 16.0.89, and 17.0.3, and to restrict external access to administrative panels.

Security teams monitoring the attacks have flagged several indicators of compromise, including unexpected modifications to the “/etc/freepbx.conf” configuration file, the presence of a suspicious “.clean.sh” script in web directories, and unusual POST requests to “modular.php” captured in server logs. Some affected organizations have also reported anomalous phone activity, such as calls to extension 9998 and unauthorized user accounts appearing in the ampusers database.
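The patched versions and the indicators listed above lend themselves to a small triage script that an administrator can run against a server's access log, web root and user list. The following is an added example, not code from the article, from Sangoma or from the FreePBX project; the sample log lines, the `/admin/modular.php` path, the web root `/var/www/html`, the user lists and the CDR rows are constructed assumptions, and any match is a lead to review rather than a verdict.

```python
"""Triage helpers for the FreePBX indicators named in the article.

Added example; not code from the article, Sangoma or FreePBX. The
sample data below is constructed. Nothing here modifies the system.
"""
import re
from pathlib import Path

# Patched releases named in the article, keyed by major branch.
PATCHED = {15: (15, 0, 66), 16: (16, 0, 89), 17: (17, 0, 3)}


def parse_version(version):
    """'16.0.89' -> (16, 0, 89); tuples compare component-wise."""
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(version):
    """True if `version` is at or after the patched release for its branch,
    False if it is older, None if the branch is not one the article covers."""
    parts = parse_version(version)
    fixed = PATCHED.get(parts[0])
    if fixed is None:
        return None
    return parts >= fixed


# Combined log format: client ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\d+|-)'
)


def posts_to_modular_php(log_lines):
    """Return (client, timestamp, path, status) for every POST whose path
    ends in modular.php. Legitimate admin traffic may hit it too, so
    review the source addresses and timing before drawing conclusions."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        client, stamp, method, path, status, _size = match.groups()
        if method == "POST" and path.split("?", 1)[0].endswith("modular.php"):
            hits.append((client, stamp, path, status))
    return hits


def find_clean_sh(webroot):
    """List any '.clean.sh' files under the web root (assumed /var/www/html)."""
    root = Path(webroot)
    if not root.is_dir():
        return []
    return sorted(str(p) for p in root.rglob(".clean.sh"))


def unexpected_ampusers(current_users, known_users):
    """Accounts present in the ampusers table that the team did not create."""
    return sorted(set(current_users) - set(known_users))


def calls_to_extension(cdr_rows, extension="9998"):
    """From constructed (src, dst, timestamp) CDR rows, return calls whose
    destination is the extension the article flags."""
    return [row for row in cdr_rows if row[1] == extension]


# Constructed sample access-log lines; addresses are documentation ranges
# and the /admin/modular.php path is an assumption, not taken from the article.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Aug/2025:02:14:09 +0000] "POST /admin/modular.php HTTP/1.1" 200 512',
    '198.51.100.4 - - [28/Aug/2025:02:15:30 +0000] "GET /admin/config.php HTTP/1.1" 200 2048',
    '203.0.113.7 - - [28/Aug/2025:02:16:01 +0000] "POST /admin/config.php HTTP/1.1" 302 0',
]


if __name__ == "__main__":
    print("17.0.2 patched?", is_patched("17.0.2"))
    for hit in posts_to_modular_php(SAMPLE_LOG):
        print("review:", hit)
    print("scripts:", find_clean_sh("/var/www/html"))
    print("unexpected users:", unexpected_ampusers(["admin", "svc1"], ["admin"]))
```

The version check compares component tuples, so a later point release on a patched branch (for example a hypothetical 16.0.90) also passes; a branch the article does not name returns None rather than a false reassurance. Feed `posts_to_modular_php` the real access log one line at a time and `unexpected_ampusers` a list exported from the ampusers table alongside the team's own inventory of accounts.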

The widespread use of FreePBX in small and mid-sized enterprises, call centres, and service providers makes the disclosure particularly urgent. With confirmed exploitation underway, security analysts warn that attackers may already be leveraging compromised systems as footholds for broader campaigns.

Administrators are being urged not only to patch immediately but also to review historical logs for signs of compromise. Experts note that once attackers establish persistence, removing them from a compromised telephony infrastructure can prove far more complex than applying an update.
