FreePBX servers have come under attack after hackers found a new zero-day vulnerability. The company behind the software, Sangoma, has confirmed that criminals are already using this flaw to break into systems. An emergency patch has now been released to fix the issue, and all administrators are being told to act quickly.

The problem is in the FreePBX Administrator Control Panel (ACP) when it is open to the public internet. The bug, listed as CVE-2025-57819, is very serious. It allows attackers to send harmful requests that the system does not properly check. By doing this, they can access the admin panel without permission and make dangerous changes.

Reports suggest that the attacks started around August 21, 2025. Some administrators noticed their servers acting strangely before the official warning was published on August 26, 2025. By then, Sangoma had already seen signs of active exploitation and rushed out advice and fixes.

The flaw is connected to the Endpoint Manager module in FreePBX. Servers that have this module installed and leave the admin panel open to the internet are the most at risk. On the other hand, servers that limit admin access to trusted IPs are much safer. Still, anyone not running the patched versions is in danger.

This vulnerability is especially dangerous because it does not need any login details to work. Once an attacker uses it, they can run commands as the Asterisk user. In many cases, this could allow them to change system settings, listen to or redirect calls, and even install more harmful software. Several admins have already reported that their systems were compromised.

To respond quickly, Sangoma released an emergency “EDGE” update. Administrators could apply this temporary fix with the command:
fwconsole ma downloadinstall endpoint --edge
For PBXAct users, special version tags were released, like --tag 17.0.2.31 for PBXAct v17. Shortly after, fully patched stable versions were also published: FreePBX 15 was updated to 15.0.66, FreePBX 16 to 16.0.89, and FreePBX 17 to 17.0.3.

It is important to understand that these patches only stop new attacks. They do not clean up a system that has already been hacked. If administrators think their server is already infected, the advice is to isolate it immediately, check logs, and follow proper incident response steps. In some cases, restoring from a safe backup may be the only way to fully recover.

Sangoma has also given guidance on what to look for. Administrators should check web server logs for unusual POST requests to /admin/modules/endpoint. They should also look for unexpected file changes, strange accounts, or new entries under the FreePBX webroot. If updating is not possible due to expired support contracts, at the very least, access to the admin panel should be blocked using firewalls.
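
One way to run the log check described above, as an added example that is not Sangoma's or the article's own code. It assumes Apache/nginx "combined" access-log lines; the sample lines, the placeholder file name, the allowlisted admin IP and the function name suspicious_posts are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import unquote

# Assumes Apache/nginx "combined" access-log lines; adjust for a custom LogFormat.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')
WATCH_PREFIX = "/admin/modules/endpoint"            # path named in the guidance
SINCE = datetime(2025, 8, 21, tzinfo=timezone.utc)  # attacks reported from about this date

# Constructed sample lines (documentation IP ranges, placeholder file name).
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Aug/2025:03:14:07 +0000] "POST /admin/modules/endpoint/placeholder.php HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [22/Aug/2025:03:14:09 +0000] "POST /admin//modules/endpoint/placeholder.php?x=1 HTTP/1.1" 200 87 "-" "-"',
    '198.51.100.20 - - [23/Aug/2025:10:00:00 +0000] "GET /admin/modules/endpoint/placeholder.php HTTP/1.1" 200 40 "-" "-"',
    '192.0.2.10 - - [24/Aug/2025:09:00:00 +0000] "POST /admin/modules/endpoint/placeholder.php HTTP/1.1" 200 40 "-" "-"',
    '198.51.100.99 - - [10/Aug/2025:09:00:00 +0000] "POST /admin/modules/endpoint/placeholder.php HTTP/1.1" 200 40 "-" "-"',
    '198.51.100.20 - - [23/Aug/2025:10:05:00 +0000] "POST /admin/config.php HTTP/1.1" 200 40 "-" "-"',
]


def suspicious_posts(lines, allowed_ips=frozenset(), since=SINCE):
    """Map source IP -> [(time, target, status)] for POSTs under WATCH_PREFIX
    made on or after `since` by sources outside the admin allowlist."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Normalise before matching: drop query, decode %xx, collapse //, lowercase.
        path = re.sub(r"/+", "/", unquote(m["target"].split("?", 1)[0])).lower()
        if not path.startswith(WATCH_PREFIX):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ts >= since and m["ip"] not in allowed_ips:
            hits[m["ip"]].append((ts, m["target"], int(m["status"])))
    return dict(hits)


if __name__ == "__main__":
    found = suspicious_posts(SAMPLE_LOG, allowed_ips={"192.0.2.10"})
    for ip, events in found.items():
        for ts, target, status in events:
            print(f"{ts.isoformat()} {ip} POST {target} -> {status}")
```

Any source IP it reports is a lead for the file-change and account checks in the same paragraph, not proof of compromise on its own; pass an earlier `since` value to widen the search window.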

This case shows the risks of leaving admin panels exposed to the internet. Even trusted software can have unknown security holes, and attackers are often quick to find and exploit them. Limiting access to only trusted IP addresses and applying patches as soon as they are released are two simple but critical steps.

With FreePBX used by many organizations worldwide, the damage could be huge if updates are delayed. The best action right now is to install the patch, block public access to the admin panel, and carefully watch for any signs of suspicious activity. Acting fast can make the difference between staying safe and facing a costly breach.

Stay alert, and keep your security measures updated!
