Tech News

FreePBX servers hacked via zero-day, emergency fix released

By admin 5 Min Read

The Sangoma FreePBX Security Team is warning about an actively exploited FreePBX zero-day vulnerability that impacts systems with the Administrator Control Panel (ACP) is exposed to the internet.

FreePBX is an open-source PBX (Private Branch Exchange) platform built on top of Asterisk, widely used by businesses, call centers, and service providers to manage voice communications, extensions, SIP trunks, and call routing.

In an advisory posted to the FreePBX forums, the Sangoma FreePBX Security Team warned that since August 21, hackers have been exploiting a zero-day vulnerability in exposed FreePBX administrator control panels.

“​The Sangoma FreePBX Security Team is aware of a potential exploit affecting some systems with the administrator control panel exposed to the public internet, and we are working on a fix, with expected deployment within the next 36 hours,” reads the forum post.

“Users are advised to limit access to the FreePBX Administrator by using the Firewall module to limit access to only known trusted hosts.”

The team has released an EDGE module fix for testing, with a standard security release scheduled for later today.

“The EDGE module fix provided should protect future installations from infection, but it is not a cure for existing systems,” warned Sangoma’s Chris Maj.

“Existing 16 and 17 systems may have been impacted, if they a) had the endpoint module installed and b) their FreePBX Administrator login page was directly exposed to a hostile network e.g. the public internet.”

Admins wishing to test the EDGE release can install it using the following commands:

FreePBX users on v16 or v17 can run:

$ fwconsole ma downloadinstall endpoint --edge

PBXAct v16 users can run:

$ fwconsole ma downloadinstall endpoint --tag 16.0.88.19

PBXAct v17 users can run:

$ fwconsole ma downloadinstall endpoint --tag 17.0.2.31

However, some users have warned that if you now have an expired support contract, you may not be able install the EDGE update, leaving your device unprotected.

If you are unable to install the EDGE module, you should block access to your ACP until the full security update is released tonight.

Flaw actively exploited to breach servers

Since Sangoma published the advisory, numerous FreePBX customers have come forward stating that their servers had been breached through this exploit.

“We are reporting that multiple servers in our infrastructure were compromised, affecting approximately 3,000 SIP extensions and 500 trunks,” a customer posted to the forums.

“As part of our incident response, we have locked all administrator access and restored our systems to a pre-attack state. However, we must emphasize the critical importance of determining the scope of the compromise.”

“Yep my personal PBX was affected as well as one I help manage. The exploit basically allows the attacker to run any command that the asterisk user is allowed to,” another user posted to Reddit.

While Sangoma has not shared any details regarding the exploited vulnerability, the company and its customers have shared indicators of compromise that can be checked to determine if a server has been exploited.

These IOCs include:

  • Missing or modified /etc/freepbx.conf configuration file.
  • The presence of /var/www/html/.clean.sh shell script. This is believed to have been uploaded by the attackers.
  • Suspicious Apache log entries for modular.php.
  • Unusual calls to extension 9998 in Asterisk logs as far back as August 21.
  • Unauthorized entries in the ampusers table of MariaDB/MySQL,  specifically looking for a suspicious “ampuser” username in the far-left column.

If it is determined that a server is compromised, Sangoma recommends restoring from backups created prior to August 21, deploying the patched modules on fresh systems, and rotating all system and SIP-related credentials.

Administrators should also review call records and phone bills for signs of abuse, especially unauthorized international traffic.

Those with exposed FreePBX ACP interfaces may already be compromised, and the company urges administrators to investigate their installations and secure systems until a fix can be applied.

Picus Blue Report 2025

46% of environments had passwords cracked, nearly doubling from 25% last year.

Get the Picus Blue Report 2025 now for a comprehensive look at more findings on prevention, detection, and data exfiltration trends.

You Might Also Like

Apple AI Pin Specs Leak: Dual Cameras, No Screen & More

The diverse responsibilities of a principal software engineer

OpenAI Backs Bill That Would Limit Liability for AI-Enabled Mass Deaths or Financial Disasters

Google’s Fitbit Tease has me More Excited for Garmin’s Whoop Rival

Why the TCL NXTPAPER 14 Is One of the Best Tablets for Musicians and Sheet Music Reading

TAGGED: , , , , ,
Share This Article
Previous Article Englewood-based EchoStar gives up wireless network independence for enough cash to survive
Next Article Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *

- Advertisement -

Latest News

JPMorgan CEO Jamie Dimon says he’s ‘learned and relearned’ to not make big decisions when he’s tired on Fridays
Business
Apple AI Pin Specs Leak: Dual Cameras, No Screen & More
Tech News
A ‘glass-like’ battlefield: German Army chief on the future of warfare
World News
Polymarket Sees Record $153M Daily Volume After Chainlink Integration
Crypto
Natasha Lyonne Then & Now: See Before & After Photos of the Actress Here
Celebrity
Cult Hit Doki Doki Literature Club Fights Removal From Google Play Store Over ‘Depiction Of Sensitive Themes’
Gaming News
Dead as Disco Launches Into Early Access on May 5th, Groovy New Gameplay Released
Gaming News
Lost your password?