FreePBX Servers Hacked in 0-day Attack

A critical zero-day exploit is targeting exposed FreePBX 16 and 17 systems. Threat actors are abusing an unauthenticated privilege escalation vulnerability in the commercial Endpoint Manager module, which allows remote code execution (RCE) when the Administrator Control Panel is reachable from the public internet.

With active compromises detected since August 21, 2025, admins must act immediately to contain the threat.

Key Takeaways
1. Zero-day RCE in FreePBX Endpoint Manager targeting internet-exposed Admin UIs.
2. Immediately block external access and install EDGE/tagged endpoint updates.
3. Check for compromise indicators, isolate/rebuild systems, and restore from pre-August 21 backups.

Firewall Lockdown

FreePBX stated that organizations should first verify whether their FreePBX/PBXAct instance is accessible externally. 

If the Administrator Control Panel (ACP) is reachable on ports 80 or 443, block all external traffic at the network perimeter.

Alternatively, employ the FreePBX Firewall module to restrict the Internet/External zone to known trusted hosts only. 

After lockdown, confirm local-only access by testing ACP connectivity from an untrusted network (e.g., cellular data).
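As an added illustration (not from the article or from Sangoma), the following shell function prints an nftables ruleset that allows the ACP ports (80/443) only from a list of trusted sources and drops them from everywhere else. The table and set names are placeholders chosen for this example. It is meant for a perimeter host, or for a box where the FreePBX Firewall module is not managing rules; on the PBX itself the Firewall module owns the iptables chains and the page's own advice (restrict the Internet/External zone to trusted hosts) applies.

```shell
#!/bin/sh
# Added example, not part of the article or of Sangoma's tooling: generate an
# nftables ruleset that exposes the ACP (tcp/80, tcp/443) only to trusted
# sources. "freepbx_acp" and "trusted_admins" are placeholder names.

acp_ruleset() {
    [ "$#" -gt 0 ] || { echo "usage: acp_ruleset CIDR [CIDR...]" >&2; return 1; }
    elems=""
    # Build the comma-separated element list for the nft set.
    for cidr in "$@"; do
        elems="${elems:+$elems, }$cidr"
    done
    cat <<EOF
table inet freepbx_acp {
    set trusted_admins {
        type ipv4_addr
        flags interval
        elements = { $elems }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        iifname "lo" accept
        ip saddr @trusted_admins tcp dport { 80, 443 } accept
        tcp dport { 80, 443 } drop
    }
}
EOF
}

# Apply with:   acp_ruleset 192.0.2.0/24 198.51.100.10 | nft -f -
# Then confirm from an untrusted network (e.g. a phone on cellular data) that
# the ACP no longer answers, for example:
#   curl -m 5 -sS https://pbx.example.com/admin/ ; echo "exit=$?"
# (pbx.example.com is a placeholder hostname.)
```

The drop rule is placed after the allow rule so that management traffic from the listed addresses keeps working while every other source is rejected at the host; the curl check from a cellular connection is the "untrusted network" test the advisory asks for.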

Next, update the Endpoint module to the EDGE builds provided for testing; the advisory gives the exact command for FreePBX v16/v17 users to run.

PBXAct v16 and v17 users should instead install the stable tagged builds specified in the advisory.

A full QA-tested release will follow within 12 hours; perform a standard module update once available via Admin → Module Admin.

Mitigations

To detect potential infection, administrators must perform the following checks:

  • Ensure /etc/freepbx.conf still exists.
  • Look for the malicious dropper script /var/www/html/.clean.sh.
  • Scan Apache logs for POST requests to modular.php since August 21.
  • Inspect Asterisk logs for calls to extension 9998.
  • Query MySQL for suspicious ampusers entries.
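The five checks above can be run as one read-only triage pass. The script below is an added example, not the article's or Sangoma's own tooling (the community collect_forensics_freepbx.sh script mentioned later is a different, fuller collector). It takes a filesystem prefix so it can be pointed at a mounted image or a copied tree, assumes the default FreePBX log locations, and reads the ampusers list from a file you export from MySQL beforehand. The fixture data it builds for testing is constructed for this example.

```shell
#!/bin/sh
# Added example (not from the article or Sangoma): read-only check for the
# indicators listed above. ROOT is a filesystem prefix ("/" on a live box).
# Log paths are assumed FreePBX defaults. Findings go to stderr; the number
# of indicator categories hit is echoed on stdout (0 = nothing found).

freepbx_ioc_check() {
    root="${1:-/}"
    apache_log="${2:-$root/var/log/httpd/access_log}"
    asterisk_log="${3:-$root/var/log/asterisk/full}"
    ampusers_file="${4:-}"          # one username per line, e.g. from:
                                    # mysql -N asterisk -e 'SELECT username FROM ampusers'
    expected_admins="${5:-admin}"   # space-separated legitimate ACP accounts
    hits=0

    # 1. /etc/freepbx.conf should still exist.
    if [ ! -f "$root/etc/freepbx.conf" ]; then
        echo "IOC: $root/etc/freepbx.conf is missing" >&2; hits=$((hits+1))
    fi

    # 2. Dropper script left in the web root.
    if [ -e "$root/var/www/html/.clean.sh" ]; then
        echo "IOC: dropper present at /var/www/html/.clean.sh" >&2; hits=$((hits+1))
    fi

    # 3. POST requests to modular.php dated 21 Aug 2025 or later (CLF timestamps).
    posts=0
    if [ -f "$apache_log" ]; then
        posts=$(awk '/POST/ && /modular\.php/ {
            split($4, t, "[][/:]")   # t[2]=day t[3]=mon t[4]=year
            m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", t[3]) + 2) / 3
            if (t[4] * 10000 + m * 100 + t[2] >= 20250821) n++
        } END { print n + 0 }' "$apache_log")
    fi
    if [ "$posts" -gt 0 ]; then
        echo "IOC: $posts POST request(s) to modular.php since 21 Aug 2025" >&2; hits=$((hits+1))
    fi

    # 4. Calls hitting extension 9998 in the Asterisk full log.
    calls=0
    if [ -f "$asterisk_log" ]; then
        calls=$(grep -c '\[9998@' "$asterisk_log" 2>/dev/null || true)
    fi
    calls=${calls:-0}
    if [ "$calls" -gt 0 ]; then
        echo "IOC: $calls dialplan execution(s) for extension 9998" >&2; hits=$((hits+1))
    fi

    # 5. Any ampusers account not in the expected admin list.
    if [ -n "$ampusers_file" ] && [ -f "$ampusers_file" ]; then
        while IFS= read -r u; do
            [ -z "$u" ] && continue
            case " $expected_admins " in
                *" $u "*) ;;
                *) echo "IOC: unexpected ampusers entry '$u'" >&2; hits=$((hits+1)) ;;
            esac
        done < "$ampusers_file"
    fi

    echo "$hits"
}

# Constructed fixture (sample data invented for this example) so the checks can
# be exercised offline. MODE is "compromised" or "clean".
make_fixture() {
    dir="$1"; mode="${2:-compromised}"
    mkdir -p "$dir/etc" "$dir/var/www/html" "$dir/var/log/httpd" "$dir/var/log/asterisk"
    : > "$dir/etc/freepbx.conf"
    {
        echo '203.0.113.7 - - [20/Aug/2025:08:00:01 +0000] "POST /admin/modular.php HTTP/1.1" 200 512'
        echo '198.51.100.9 - - [22/Aug/2025:03:14:05 +0000] "GET /admin/config.php HTTP/1.1" 200 4096'
    } > "$dir/var/log/httpd/access_log"
    echo '[2025-08-22 03:14:06] VERBOSE[2101][C-00000042] pbx.c: Executing [s@from-internal:1] NoOp()' \
        > "$dir/var/log/asterisk/full"
    echo admin > "$dir/ampusers.txt"
    if [ "$mode" = "compromised" ]; then
        printf '#!/bin/sh\n' > "$dir/var/www/html/.clean.sh"
        echo '198.51.100.9 - - [22/Aug/2025:03:14:07 +0000] "POST /admin/modular.php HTTP/1.1" 200 33' \
            >> "$dir/var/log/httpd/access_log"
        echo '[2025-08-22 03:20:11] VERBOSE[2101][C-00000043] pbx.c: Executing [9998@from-internal:1] Answer()' \
            >> "$dir/var/log/asterisk/full"
        echo sysadmin_bak >> "$dir/ampusers.txt"
    fi
}

# Usage on a live system (empty arguments keep the default log paths):
#   mysql -N asterisk -e 'SELECT username FROM ampusers' > /tmp/ampusers.txt
#   freepbx_ioc_check / "" "" /tmp/ampusers.txt "admin otheradmin"
```

The date filter matters: the advisory dates compromises from August 21, so earlier POSTs to modular.php are ordinary administrative traffic and are not counted. A non-zero result is a reason to isolate the host and move to the restoration steps, not proof of compromise on its own.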

If any indicators are present, isolate the system and plan restoration. Preserve backups older than August 21, deploy a clean FreePBX install with hardened firewall settings, restore data, and rotate all credentials (system, SIP trunks, extensions, voicemail, UCP). 

Forensic collection can be automated using the community’s collect_forensics_freepbx.sh script under AGPLv3 to snapshot logs, configuration files, and process states for analysis.

Users running FreePBX versions prior to v16 should remain vigilant; Sangoma continues to investigate the root cause and will publish a CVE once the vulnerability has been fully assessed. 

Until then, disabling internet access to ACP and applying the Edge or Stable Endpoint module updates remain the most effective defenses.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.