CISA has added CVE-2025-57819 — an authentication‑bypass and SQL‑injection chain that can lead to remote code execution in Sangoma FreePBX — to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation and urging immediate remediation. (cisa.gov)

Background

FreePBX is a widely deployed open‑source web GUI for managing Asterisk‑based telephony systems. Its ecosystem includes community distributions and Sangoma’s commercial PBXAct appliances; many installations expose administrative connectivity (the Administrator Control Panel, ACP) to the internet for remote management, increasing attack surface. On August 28–29, 2025, Sangoma published an advisory and a GitHub security advisory describing a critical flaw in the commercial endpoint module; CISA followed with an alert adding the corresponding CVE to the KEV Catalog. (github.com, cisa.gov)
The KEV Catalog is a policy instrument created by CISA under Binding Operational Directive (BOD) 22‑01. When CISA lists a CVE on KEV, Federal Civilian Executive Branch (FCEB) agencies must remediate within the specified timeframes; private‑sector operators are strongly urged to follow the same accelerated triage. The presence of CVE‑2025‑57819 on the KEV list changes this from an ordinary patching task to an operational priority for many organizations. (cisa.gov)

What the flaw is — technical overview

Attack chain and root cause

  • Vulnerability type: Authentication bypass combined with SQL injection (CWE‑288 and CWE‑89).
  • Where it lives: The issue resides in the commercial endpoint module used by FreePBX versions 15, 16, and 17; insufficient sanitization of user inputs in an endpoint‑managed path lets unauthenticated actors reach administrative functionality, then manipulate database state and escalate to remote command execution. (github.com, cvedetails.com)
The GitHub advisory summarizes the sequence: unauthenticated requests exploit a validation/sanitization error to access ACP functionality; that initial foothold is chained with subsequent operations that allow attackers to alter database records and then execute operating‑system level commands via the asterisk user. The advisory notes exploitation began on or before August 21, 2025 against systems whose ACP was reachable from hostile networks. (github.com)

Severity and scoring

  • CVSS v4 base score (GitHub/CVE aggregators): 10.0 — Critical. The advisory and multiple CVE aggregators classify the impact as full confidentiality/integrity/availability loss with network‑accessible, unauthenticated exploitability. (github.com, cvefeed.io)
A CVSS 10 rating and KEV listing together indicate the issue is both trivially reachable over a network and capable of complete system compromise in common deployment scenarios.

Who is affected

  • Products: FreePBX distributions running the vulnerable endpoint module on supported versions 15, 16, and 17. Sangoma lists the minimum patched endpoint versions as 15.0.66, 16.0.89, and 17.0.3 respectively. (github.com, cvedetails.com)
  • Typical attack surface: Any installation where the FreePBX Administrator Control Panel (ACP) is reachable from untrusted networks (internet‑facing web admin). Systems with lax firewall rules or absent ACL/IP‑filtering on the ACP are highest risk. (github.com, bleepingcomputer.com)
Operators of hosted PBX, call centers, managed service providers, and small businesses that exposed ACP for convenience are especially vulnerable because those systems frequently run with default or weak access controls.

Evidence of exploitation and observed tactics

CISA’s KEV addition is premised on evidence of active exploitation; independent reporting and Sangoma’s advisory corroborate that intrusions began mid‑August 2025 and affected production servers. The GitHub advisory states attackers began exploiting vulnerable ACPs on or before August 21, 2025. Multiple incident reports circulated on public forums and in independent press coverage describe real compromises and post‑exploit artifacts. (github.com, bleepingcomputer.com)
Sangoma and community investigators have published Indicators of Compromise (IOCs) tied to the attacks:
  • Missing or modified /etc/freepbx.conf files.
  • Presence of an unexpected /var/www/html/.clean.sh shell script.
  • Suspicious POST requests to modular.php in webserver logs.
  • Unusual calls to extension 9998 in Asterisk call detail records (CDRs).
  • Unauthorized or strange entries in the ampusers table of the FreePBX database. (github.com, bleepingcomputer.com)
Those IOCs appear in Sangoma’s advisory and have been echoed by incident responders in multiple independent write‑ups. Reported customer impact ranges from administrative takeover and command execution to full appliance rebuilds and credential rotation. Where numbers are quoted in public posts (for example customer claims of thousands of affected extensions), such figures are anecdotal and not independently confirmed; treat specific population counts as estimates until formal incident reports are available. (bleepingcomputer.com, github.com)

Vendor response and available fixes

Patches and tags

Sangoma released an official security advisory and pushed updates for the endpoint module. The patched module versions are:
  • FreePBX endpoint 15 → 15.0.66
  • FreePBX endpoint 16 → 16.0.89
  • FreePBX endpoint 17 → 17.0.3
These updates address input validation, tighten sanitization, and close the authentication bypass path described in the advisory. Administrators are instructed to update via the Module Admin GUI or fwconsole commandline. (github.com, cvefeed.io)
Example update commands Sangoma recommends for sysadmins:
  • Check installed endpoint version: fwconsole ma list | grep endpoint
  • Upgrade modules (GUI alternative: Admin → Module Admin): fwconsole ma upgradeall
  (Operators should consult Sangoma’s guidance in the advisory and test in staging where possible.) (github.com)
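The version check above is the one step most often done by eye; as an added example (written for this article, not Sangoma's or the FreePBX project's code), the following Python script parses the fwconsole module listing for the endpoint module and compares the installed version numerically against the minimum patched releases 15.0.66, 16.0.89 and 17.0.3 from the advisory. The tabular layout of SAMPLE_OUTPUT is an assumed rendering of fwconsole ma list; the parser relies only on a line containing the word "endpoint" followed by a dotted version number, and the function names are this example's own.

```python
"""Added example: endpoint module version check for CVE-2025-57819.
Not Sangoma's or FreePBX's code. Minimum patched versions are from the
advisory; the table layout in SAMPLE_OUTPUT is an assumed rendering of
`fwconsole ma list`, and the parser only relies on a line containing the
word "endpoint" followed by a dotted version number."""
import re
import subprocess
from typing import Optional, Tuple

# Minimum patched endpoint module version per FreePBX major (from the advisory).
PATCHED_MINIMUM = {15: (15, 0, 66), 16: (16, 0, 89), 17: (17, 0, 3)}

# Constructed sample of `fwconsole ma list` output (layout assumed, not verified).
SAMPLE_OUTPUT = """\
+-------------+----------+---------+------------+
| Module      | Version  | Status  | License    |
+-------------+----------+---------+------------+
| core        | 16.0.68  | Enabled | GPLv3+     |
| endpoint    | 16.0.85  | Enabled | Commercial |
| endpointman | 16.0.10  | Enabled | GPLv3+     |
+-------------+----------+---------+------------+
"""

# "endpoint" as a whole word (so "endpointman" does not match), then a version.
_ENDPOINT_RE = re.compile(r"\bendpoint\b\s*\|?\s*v?(\d+(?:\.\d+)+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """'16.0.85' -> (16, 0, 85). Tuples compare numerically; comparing the raw
    strings would wrongly rank '16.0.9' above '16.0.89'."""
    return tuple(int(part) for part in text.split("."))


def installed_endpoint_version(listing: str) -> Optional[Tuple[int, ...]]:
    """Extract the endpoint module version from fwconsole output, or None."""
    match = _ENDPOINT_RE.search(listing)
    return parse_version(match.group(1)) if match else None


def assess(version: Optional[Tuple[int, ...]]) -> str:
    """Classify as 'patched', 'vulnerable', 'not-installed' or 'unknown-major'.
    A major outside 15/16/17 is not covered by the advisory's fix list, so it is
    flagged for manual review rather than silently treated as safe."""
    if version is None:
        return "not-installed"
    minimum = PATCHED_MINIMUM.get(version[0])
    if minimum is None:
        return "unknown-major"
    return "patched" if version >= minimum else "vulnerable"


def assess_live_host() -> str:
    """Run fwconsole on this machine (only meaningful on a FreePBX host)."""
    try:
        proc = subprocess.run(["fwconsole", "ma", "list"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return "fwconsole-not-found"
    return assess(installed_endpoint_version(proc.stdout))


if __name__ == "__main__":
    print("sample listing:", assess(installed_endpoint_version(SAMPLE_OUTPUT)))
    print("this host:", assess_live_host())
```

Run it on each PBX (or feed it saved fwconsole output collected by your inventory tooling); a result of "vulnerable" or "unknown-major" means the host belongs in the containment and patch steps below, and "not-installed" only clears the host if the commercial endpoint module is genuinely absent.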

Emergency EDGE releases and rollback considerations

Sangoma initially released EDGE builds and a rapid hotfix workflow for environments that needed immediate mitigation. EDGE channel updates protect future installs but may not remediate systems that were already compromised; Sangoma and incident responders recommend full rebuilds from backups created before August 21 if evidence of intrusion exists. Where EDGE tags are insufficient (for example, expired support contracts or locked appliances), network‑level containment is the primary interim control. (bleepingcomputer.com, github.com)

Practical mitigation and incident response checklist

Immediate triage for any organization running FreePBX or PBXAct:
  • Inventory: Identify all FreePBX/PBXAct instances and note ACP exposure (public IPs, NAT, firewall rules).
  • Containment: If ACP is internet‑facing, block external access at the perimeter immediately (ACLs, firewall rules). Use the FreePBX Firewall module to restrict ACP to known, trusted hosts.
  • Patch: Confirm the installed endpoint module version; upgrade to the patched versions listed above. Use fwconsole or Module Admin. (github.com)
  • Detect and validate compromise: Look for the IOCs: modified /etc/freepbx.conf, /var/www/html/.clean.sh, suspicious modular.php POSTs, extension 9998 calls, or unknown ampusers entries. If any match, escalate to incident response. (github.com)
  • Remediate compromised hosts: Rebuild from trusted backups taken before August 21, rotate all system and SIP credentials, change API keys and voicemail PINs, and rotate any related service credentials.
  • Post‑remediation: Harden admin access (VPN‑only, IP allowlists), enable MFA where available for administration, and monitor telephony costs and CDRs for fraudulent call activity.
  • Reporting and follow‑up: Document remediation actions, report confirmed intrusions to appropriate authorities (e.g., CISA where federal systems are involved) and coordinate with carriers if fraud is suspected. (github.com, cisa.gov)
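To make the "Detect and validate compromise" step (and the IOC list in the exploitation section above) repeatable across many hosts, here is an added Python triage script written for this article; it is not Sangoma's or the FreePBX project's code. The IOCs it checks (the /etc/freepbx.conf and /var/www/html/.clean.sh paths, POSTs to modular.php, extension 9998 in the CDRs, unexpected ampusers rows) are the published ones; the Apache combined-log layout, the CDR CSV columns, the admin-account baseline, the log file path and every sample record are constructed assumptions so the script can be exercised offline.

```python
"""Added example: host triage against the IOCs Sangoma published for
CVE-2025-57819. This is not Sangoma's or the FreePBX project's code. The
paths /etc/freepbx.conf and /var/www/html/.clean.sh, the modular.php POST
pattern, extension 9998 and the ampusers table are from the advisory; the
Apache combined-log layout, the CDR CSV columns, the admin baseline and all
sample records below are constructed assumptions for offline testing."""
import csv
import hashlib
import io
import os
import re
from typing import Dict, Iterable, List, Optional

CONF_PATH = "/etc/freepbx.conf"            # IOC: missing or modified
CLEAN_SH_PATH = "/var/www/html/.clean.sh"  # IOC: should not exist at all
SUSPECT_EXTENSION = "9998"                 # IOC: unusual calls in the CDRs

# Apache combined log format; method and path sit in the quoted request field.
_REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')

# Constructed sample records (documentation-range IPs, no real traffic).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [21/Aug/2025:03:14:02 +0000] "POST /admin/modular.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [21/Aug/2025:03:15:10 +0000] "GET /admin/config.php?display=dashboard HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Aug/2025:03:16:44 +0000] "POST /admin/modular.php?x=1 HTTP/1.1" 200 64 "-" "curl/8.4.0"',
]
SAMPLE_CDR_CSV = """\
calldate,src,dst,disposition
2025-08-21 03:20:01,1001,1002,ANSWERED
2025-08-21 03:21:30,1001,9998,ANSWERED
2025-08-21 03:22:05,9998,00441234567890,ANSWERED
"""
BASELINE_ADMINS = {"admin", "helpdesk"}               # accounts you know you created
SAMPLE_AMPUSERS = ["admin", "helpdesk", "sysadmin2"]  # e.g. SELECT username FROM ampusers


def hunt_access_log(lines: Iterable[str]) -> List[str]:
    """Return log lines carrying a POST to modular.php (query string ignored)."""
    hits = []
    for line in lines:
        m = _REQ_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        script = m.group("path").split("?", 1)[0].rsplit("/", 1)[-1]
        if script == "modular.php":
            hits.append(line)
    return hits


def hunt_cdr(csv_text: str) -> List[Dict[str, str]]:
    """Return CDR rows where extension 9998 is the caller or the destination."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows if SUSPECT_EXTENSION in (r["src"], r["dst"])]


def hunt_ampusers(current: Iterable[str], baseline: Iterable[str]) -> List[str]:
    """Admin accounts present in ampusers that are not in your documented baseline."""
    return sorted(set(current) - set(baseline))


def check_filesystem(conf_path: str = CONF_PATH, clean_sh_path: str = CLEAN_SH_PATH,
                     conf_sha256: Optional[str] = None) -> List[str]:
    """Filesystem IOCs: freepbx.conf missing (or differing from a known-good
    SHA-256 you recorded before August 21) and the dropped .clean.sh script."""
    findings = []
    if not os.path.exists(conf_path):
        findings.append(f"{conf_path} is missing")
    elif conf_sha256 is not None:
        with open(conf_path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        if digest != conf_sha256:
            findings.append(f"{conf_path} differs from known-good hash ({digest[:12]}...)")
    if os.path.exists(clean_sh_path):
        findings.append(f"unexpected script present: {clean_sh_path}")
    return findings


def hunt_sample() -> Dict[str, list]:
    """Run every log/data hunt over the constructed sample records."""
    return {
        "modular_posts": hunt_access_log(SAMPLE_ACCESS_LOG),
        "cdr_9998": hunt_cdr(SAMPLE_CDR_CSV),
        "unknown_admins": hunt_ampusers(SAMPLE_AMPUSERS, BASELINE_ADMINS),
    }


if __name__ == "__main__":
    for name, result in hunt_sample().items():
        print(f"{name}: {len(result)} hit(s)")
    # On a real host, replace the samples with the real sources, for example
    # open("/var/log/httpd/access_log") (path assumed), a CDR CSV export and
    # the usernames returned by querying the ampusers table.
    for finding in check_filesystem():
        print("filesystem:", finding)
```

Any non-empty result is a reason to stop, preserve the evidence (copy the web logs, CDRs and database dump off the box before touching it) and move to the "Remediate compromised hosts" step; an empty result only says these particular IOCs were not seen, not that the host is clean.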
For systems that cannot be patched immediately, implement temporary compensating controls:
  • Block or restrict TCP/80 and TCP/443 to ACP on the network perimeter.
  • Place ACP behind a VPN or jump host that enforces MFA.
  • Increase logging and forward critical logs to an external SIEM for retention and correlation.

Operational and policy implications

CISA’s KEV listing has three practical consequences:
  • Federal compliance pressure: FCEB agencies must remediate per BOD 22‑01 deadlines; failing to act can have regulatory and mission‑impact consequences. Private sector entities should consider KEV entries as de‑facto emergency patches. (cisa.gov)
  • Triage prioritization: Security operations centers (SOCs) should move CVE‑2025‑57819 to the top of remediation queues and treat any internet‑exposed FreePBX ACP as compromised until proven otherwise.
  • Supply‑chain awareness: Telephony systems often sit outside traditional endpoint management tooling — they can be overlooked in patch inventories. The incident highlights the importance of including telecom and VoIP appliances in vulnerability scanning and change management processes.

Risk analysis — strengths and weaknesses of the ecosystem response

Notable strengths

  • Rapid vendor disclosure and patching: Sangoma published a GitHub security advisory and released module updates within days of exploitation being observed, and offered EDGE builds for emergency deployment. That speed limited the window for mass compromise where administrators could apply updates quickly. (github.com, bleepingcomputer.com)
  • CISA’s KEV acceleration: By adding the CVE to the KEV Catalog, CISA ensures federal entities prioritize remediation and signals urgency to the private sector. That prioritization reduces dwell time for attackers across critical infrastructure. (cisa.gov)

Risks and shortcomings

  • Internet‑exposed admin panels: The root deployment pattern that enabled exploitation — admin panels reachable from the public internet without strict IP filtering — is a persistent operational risk and one that remains common because of convenience and remote management practices. (github.com)
  • Incomplete attack surface inventory: Many organizations do not include PBX appliances in automated asset inventories or vulnerability scanners, which delays detection of vulnerable versions and hinders emergency patching.
  • Compromise recovery complexity: If an intrusion progressed to filesystem or database manipulation (as reported), remediation can require full rebuilds from pre‑compromise backups. That is operationally disruptive for call centers and service providers. Also, some hosted or vendor‑managed customers may lack the access rights to perform emergency EDGE installs, increasing exposure. (bleepingcomputer.com, github.com)

Verification and cross‑checking of claims

Key technical claims in public reporting have been explicitly cross‑verified:
  • CISA’s KEV listing and the release date (August 29, 2025) are confirmed on CISA’s advisory page. (cisa.gov)
  • Sangoma’s technical advisory and GitHub security advisory documenting the authentication bypass, SQL injection vector, IOCs, and patched endpoint versions are available on GitHub and in Sangoma’s community forum advisory. The GitHub advisory is the primary technical source for the vulnerability description and remediation steps. (github.com)
  • Multiple independent vulnerability aggregators and reporting outlets (CVE aggregators, security blogs, and press outlets) report the same patched versions and echo the KEV and exploit timeline, which lends independent corroboration to both the technical detail and active exploitation claims. Where specific operational impact numbers (for example counts of extensions affected at a particular MSP) appear in forum posts or press quotes, those should be treated as anecdotal until corroborated by formal incident reports. (cvedetails.com, cvefeed.io, bleepingcomputer.com)
Any statement about the scope of exploitation across the global FreePBX install base remains provisional until forensic summaries or vendor post‑mortems provide consolidated metrics; the published IOCs and observed active exploitation are verifiable and documented. (github.com, cisa.gov)

Recommendations for WindowsForum readers and IT teams

  • Prioritize: Treat CVE‑2025‑57819 as an emergency patch item for any network that runs FreePBX/PBXAct or integrates FreePBX‑managed appliances. KEV designation elevates the urgency. (cisa.gov)
  • Patch promptly: Update the endpoint module to the vendor‑listed patched versions or apply the vendor‑approved EDGE tags if your environment requires immediate protection pending full QA testing. Verify the installed module versions with fwconsole ma list | grep endpoint. (github.com)
  • Network hardening: Block administrative interfaces from untrusted networks; require VPN or jump host for management access. Implement IP allowlists and limit ACP access to specific management subnets.
  • Audit and hunt: Use the published IOCs to hunt for prior compromise; preserve logs and capture forensic evidence before wiping or rebuilding suspected compromised hosts. Look for modified /etc/freepbx.conf, the .clean.sh artifact, and suspicious modular.php traffic. (github.com)
  • Rebuild where necessary: If compromise is confirmed, rebuild from pre‑compromise backups, rotate credentials, and treat any secrets that passed through the system as potentially exfiltrated.
  • Extend asset management: Add telephony systems to vulnerability scanning, inventory, and incident playbooks so future critical fixes reach administrators fast.

Conclusion

CVE‑2025‑57819 is a severe, real‑world problem: a chain starting with an endpoint module‑level validation failure that enables unauthenticated access, SQL manipulation, and ultimately remote code execution. The combination of rapid vendor patches, public reporting of IOCs, and CISA’s KEV action should make this one of the highest priorities for any organization that runs FreePBX or PBXAct with an internet‑reachable Administrator Control Panel. The immediate triage actions are straightforward — inventory, contain, patch, and hunt — but the operational fallout from confirmed compromises can be painful and resource intensive.
The episode also underlines a recurring operational lesson: expose management interfaces only when strictly necessary, include telephony appliances in asset and vulnerability management, and assume that internet‑reachable admin panels require compensating controls (VPNs, IP allowlists, MFA). CISA’s KEV designation is a policy signal that the vulnerability has moved from theoretical severity to demonstrated operational impact; follow the vendor guidance, apply the patches, verify integrity, and assume a high bar for incident validation and remediation. (cisa.gov, github.com, bleepingcomputer.com)

Source: CISA, “CISA Adds One Known Exploited Vulnerability to Catalog”