The Sangoma FreePBX Security Team disclosed an actively exploited zero-day vulnerability affecting FreePBX systems whose Administrator Control Panel (ACP) was exposed to the internet. Attackers had been compromising servers since at least August 21, executing arbitrary commands with the privileges of the `asterisk` user. Multiple customers reported compromises; in one reported case 3,000 SIP extensions and 500 trunks were affected. Indicators of compromise (IOCs) included a modified `/etc/freepbx.conf`, a malicious shell script at `/var/www/html/.clean.sh`, suspicious requests to `modular.php` in the Apache access logs, unauthorized calls to extension 9998, and rogue rows in the MariaDB/MySQL `ampusers` table. Victims faced unauthorized international call traffic, potential credential theft, and full system takeover. Sangoma urged administrators to restrict ACP access to trusted hosts, restore from backups taken before August 21, rotate all SIP and system credentials, and apply the EDGE module fix (expired support contracts left some systems unable to install it). Exploitation led to full server compromise, toll fraud through telephony abuse, and operational disruption for businesses relying on FreePBX for voice communications. The attack vector was the exposed administrative interface itself, which highlights the risk of the default configuration leaving the ACP reachable from untrusted networks.
TPRM report: https://www.rankiteo.com/company/sangoma
"id": "san537082825",
"linkid": "sangoma",
"type": "Vulnerability",
"date": "8/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Multiple (including 3,000 SIP '
'extensions and 500 trunks in '
'one reported case)',
'industry': 'Telecommunications/VoIP',
'location': 'Global',
'name': 'Sangoma Technologies (FreePBX)',
'type': 'Software vendor'},
{'industry': ['Telecommunications',
'Customer service',
'IT services'],
'location': 'Global',
'name': 'Unnamed FreePBX customers',
'type': ['Businesses',
'Call centers',
'Service providers']}],
'attack_vector': ['Exposed Administrator Control Panel (ACP)',
'Remote code execution (RCE) via modular.php'],
'customer_advisories': ['Limit ACP access to trusted hosts',
'Install EDGE module fix if possible',
'Restore from backups if compromised',
'Monitor for signs of abuse (e.g., unauthorized '
'calls)'],
'data_breach': {'data_exfiltration': 'Likely (evidenced by unauthorized '
'database entries and shell scripts)',
'file_types_exposed': ['/etc/freepbx.conf',
'MariaDB/MySQL ampusers table',
'Apache/Asterisk logs'],
'personally_identifiable_information': 'Potential (if call '
'records included PII)',
'sensitivity_of_data': 'High (voice communications '
'infrastructure)',
'type_of_data_compromised': ['System configurations',
'Call routing data',
'Credentials',
'Potential call metadata']},
'date_detected': '2025-08-21',
'date_publicly_disclosed': '2025-08-21',
'description': 'The Sangoma FreePBX Security Team warned about an actively '
'exploited zero-day vulnerability in FreePBX systems with the '
'Administrator Control Panel (ACP) exposed to the internet. '
'The flaw, exploited since at least August 21, allows '
"attackers to execute arbitrary commands as the 'asterisk' "
'user. Multiple servers were breached, affecting SIP '
'extensions and trunks. Indicators of compromise (IOCs) '
'include modified configuration files, suspicious shell '
'scripts, and unauthorized database entries. Sangoma released '
'an EDGE module fix for testing, with a full security update '
'expected shortly. Admins are advised to restrict ACP access '
'or restore from backups if compromised.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'breached voice systems and exposed '
'customer communications',
'data_compromised': ['SIP extension configurations',
'Trunk configurations',
'Call records',
'System credentials'],
'operational_impact': ['Compromised voice communications',
'Unauthorized call routing',
'Administrator lockouts during response'],
'systems_affected': ['FreePBX v16',
'FreePBX v17',
'PBXAct v16',
'PBXAct v17']},
'initial_access_broker': {'backdoors_established': ['/var/www/html/.clean.sh '
'shell script',
"Unauthorized row(s) in the MariaDB/MySQL "
"'ampusers' table"],
'entry_point': 'Exposed FreePBX Administrator '
'Control Panel (ACP) via modular.php',
'high_value_targets': ['SIP extensions',
'Trunks',
'Call routing '
'configurations'],
'reconnaissance_period': 'Potentially since before '
'August 21 (earliest IOCs '
'date to August 21)'},
'investigation_status': 'Ongoing (Sangoma working on fix; customers '
'investigating scope of compromise)',
'lessons_learned': ['Exposing administrative interfaces to the internet '
'significantly increases risk',
'Zero-day vulnerabilities in VoIP systems can lead to '
'toll fraud and communications disruption',
'Timely patching and access restrictions are critical for '
'voice infrastructure'],
'motivation': ['Opportunistic exploitation',
'Potential financial gain (e.g., toll fraud via unauthorized '
'calls)'],
'post_incident_analysis': {'corrective_actions': ['Release security patches '
'for FreePBX v16/v17',
'Enhance default access '
'controls for ACP',
'Improve IOC detection '
'documentation'],
'root_causes': ['Exposed administrative interface '
'to the internet',
'Zero-day vulnerability in '
'endpoint module',
'Lack of network segmentation for '
'voice infrastructure']},
'recommendations': ['Restrict FreePBX ACP access to trusted hosts via '
'Firewall module',
'Apply security updates immediately upon release',
'Monitor for IOCs (e.g., modified /etc/freepbx.conf, '
'.clean.sh, extension 9998 calls)',
'Review call records for unauthorized international '
'traffic',
'Rotate credentials after a breach',
'Maintain active support contracts to ensure access to '
'patches'],
'references': [{'date_accessed': '2025-08-21',
'source': 'FreePBX Forum Advisory'},
{'date_accessed': '2025-08-21',
'source': 'Reddit user reports'}],
'response': {'communication_strategy': ['Forum advisory',
'Reddit warnings',
'Direct customer notifications '
'(implied)'],
'containment_measures': ['Locking administrator access',
'Restoring systems to pre-attack state',
'Blocking ACP access for unpatched '
'systems',
'Reviewing call records for abuse'],
'enhanced_monitoring': ['Checking for IOCs (e.g., '
'/var/www/html/.clean.sh, extension 9998 '
'calls)',
'Reviewing Apache/Asterisk logs'],
'incident_response_plan_activated': True,
'network_segmentation': 'Recommended (limiting ACP access to '
'trusted hosts via Firewall module)',
'remediation_measures': ['Applying EDGE module fix (fwconsole '
'commands)',
'Restoring from backups (pre-August 21)',
'Rotating system and SIP credentials',
'Deploying patched modules on fresh '
'systems']},
'stakeholder_advisories': 'Urgent advisory issued via FreePBX forums and '
'Reddit',
'title': 'FreePBX Zero-Day Vulnerability Exploited in Administrator Control '
'Panels',
'type': ['Zero-day exploitation', 'Unauthorized access', 'Command injection'],
'vulnerability_exploited': 'Unspecified zero-day in FreePBX (versions 16 and '
'17 with endpoint module installed)'}
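The IOCs named in the summary and repeated in the 'recommendations' and 'enhanced_monitoring' fields above (a recently modified /etc/freepbx.conf, the /var/www/html/.clean.sh script, requests to modular.php in the Apache access log, calls involving extension 9998, and unexpected rows in the ampusers table) can be triaged with a short script. The following is an added example written for this page; it is not Sangoma's or the FreePBX project's own code. The log lines, CDR rows, ampusers rows and the attacker/trusted IP addresses are all constructed for the demo, the 21 August 2025 cut-over date is taken from the advisory, and the temporary directory stands in for a real host's filesystem.

```python
"""IOC triage for the FreePBX ACP zero-day described on this page.

Added example, not Sangoma's or the FreePBX project's own code. All inputs
below are constructed; on a real host read the Apache access log, the CDR
table and `SELECT username, sections FROM ampusers` yourself and pass them in,
and point file_iocs() at /var/www/html and /etc/freepbx.conf.
"""
import os
import re
import tempfile
from datetime import datetime, timezone

# Exploitation was observed from 21 August 2025 onward (per the advisory).
EXPLOIT_START = datetime(2025, 8, 21, tzinfo=timezone.utc)

# Apache "combined" log format; only client IP, timestamp, method and path matter here.
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log: 203.0.113.7 plays the attacker, 192.0.2.10 a trusted admin host.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [21/Aug/2025:03:14:07 +0000] "POST /admin/modular.php HTTP/1.1" 200 512 "-" "python-requests/2.32"',
    '198.51.100.9 - - [21/Aug/2025:03:14:09 +0000] "GET /admin/config.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Aug/2025:03:14:11 +0000] "GET /admin/modular.php?x=1 HTTP/1.1" 200 128 "-" "curl/8.4"',
    '192.0.2.10 - - [22/Aug/2025:09:00:00 +0000] "POST /admin/modular.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
# Constructed rows as returned by: SELECT username, sections FROM ampusers;
SAMPLE_AMPUSERS = [("admin", "*"), ("helpdesk", "core,extensions"), ("sysadm1n", "*")]
# Constructed rows as returned by: SELECT calldate, src, dst FROM asteriskcdrdb.cdr;
SAMPLE_CDR = [
    ("2025-08-20 10:02:11", "1001", "1002"),
    ("2025-08-21 03:15:02", "9998", "0114412079460000"),
    ("2025-08-21 03:15:40", "1003", "9998"),
]


def suspicious_modular_requests(lines, trusted_hosts=()):
    """Return (ip, timestamp, method, path) for modular.php hits from untrusted hosts."""
    hits = []
    for line in lines:
        m = APACHE_RE.match(line)
        if not m or "modular.php" not in m.group("path"):
            continue
        if m.group("ip") in trusted_hosts:
            continue
        hits.append((m.group("ip"), m.group("ts"), m.group("method"), m.group("path")))
    return hits


def unknown_ampusers(rows, known_admins):
    """Usernames in ampusers that are not on the administrator's own list."""
    return [username for username, _sections in rows if username not in known_admins]


def calls_involving_9998(cdr_rows):
    """CDR rows where extension 9998 (an IOC from the advisory) is source or destination."""
    return [row for row in cdr_rows if "9998" in (row[1], row[2])]


def file_iocs(web_root, conf_path):
    """Flag the dropped script and a config file modified after exploitation began."""
    findings = []
    clean_sh = os.path.join(web_root, ".clean.sh")
    if os.path.exists(clean_sh):
        findings.append("backdoor script present: " + clean_sh)
    if os.path.exists(conf_path):
        mtime = datetime.fromtimestamp(os.path.getmtime(conf_path), tz=timezone.utc)
        if mtime >= EXPLOIT_START:
            findings.append("%s modified %s, after exploitation began"
                            % (conf_path, mtime.strftime("%Y-%m-%d")))
    return findings


def make_constructed_host():
    """Throwaway directory that looks like a compromised host (demo only)."""
    root = tempfile.mkdtemp(prefix="freepbx-ioc-demo-")
    web_root = os.path.join(root, "var", "www", "html")
    os.makedirs(web_root)
    with open(os.path.join(web_root, ".clean.sh"), "w") as fh:
        fh.write("#!/bin/sh\n# placeholder standing in for the attacker's script\n")
    conf_path = os.path.join(root, "etc", "freepbx.conf")
    os.makedirs(os.path.dirname(conf_path))
    with open(conf_path, "w") as fh:
        fh.write("<?php\n$amp_conf['AMPDBUSER'] = 'freepbxuser';\n")
    touched = datetime(2025, 8, 22, 12, 0, tzinfo=timezone.utc).timestamp()
    os.utime(conf_path, (touched, touched))  # backdate the mtime into the exploitation window
    return web_root, conf_path


def triage(access_log=SAMPLE_ACCESS_LOG, ampusers=SAMPLE_AMPUSERS, cdr=SAMPLE_CDR,
           trusted_hosts=("192.0.2.10",), known_admins=("admin", "helpdesk"), paths=None):
    """Run every check and return the findings as a dict keyed by IOC."""
    web_root, conf_path = paths or make_constructed_host()
    return {
        "modular_php": suspicious_modular_requests(access_log, trusted_hosts),
        "ampusers": unknown_ampusers(ampusers, set(known_admins)),
        "ext_9998": calls_involving_9998(cdr),
        "files": file_iocs(web_root, conf_path),
    }


if __name__ == "__main__":
    for ioc, found in triage().items():
        print(ioc, "->", found if found else "clean")
```

On a live system call `triage(paths=("/var/www/html", "/etc/freepbx.conf"))` with the real log lines and query results; a hit in any category is grounds for the containment steps listed above (restrict ACP access, restore from a pre-August 21 backup, rotate SIP and system credentials) rather than just deleting the artifacts, since the advisory treats these as evidence of full server compromise.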