The Sangoma FreePBX Security Team has issued an urgent advisory after confirming active exploitation of a previously unknown vulnerability in FreePBX systems whose Administrator Control Panel (ACP) is reachable from the public internet. The company posted the alert on its forums on August 21 and said a temporary EDGE module fix was available for testing, with a standard security release scheduled shortly thereafter. Sangoma advised restricting ACP access to known, trusted hosts via the Firewall module until the full patch is deployed.
Platforms Affected and Conditions that Create Exposure
FreePBX is an open-source PBX platform built on Asterisk and commonly used by businesses, call centers, and service providers. Sangoma warned that FreePBX v16 and v17 installations may be impacted if two conditions coexist: (a) the Endpoint module is installed, and (b) the FreePBX Administrator login page is directly exposed to hostile networks, for example, the public internet. Systems meeting both criteria are at elevated risk of compromise.
Emergency Fixes Released for Testing and Standard Patch Timeline
Sangoma released an EDGE module to protect future installations and indicated a standard security release would follow. Administrators were given commands to install the EDGE release for testing:
- For FreePBX v16 or v17: fwconsole ma downloadinstall endpoint --edge
- For PBXAct v16: fwconsole ma downloadinstall endpoint --tag 16.0.88.19
- For PBXAct v17: fwconsole ma downloadinstall endpoint --tag 17.0.2.31
Sangoma cautioned that the EDGE fix protects fresh installs going forward but is not a cure for already-compromised systems. Some users reported expired support contracts prevented applying the EDGE update, leaving those devices unprotected until the standard security release.
Reports of Successful Breaches and Operational Impacts From Customers
Following Sangoma’s advisory, multiple FreePBX customers reported successful intrusions traced to the vulnerability. One infrastructure operator stated dozens of servers were compromised, affecting approximately 3,000 SIP extensions and 500 trunks. Affected organizations reported locking administrator access, restoring systems to pre-attack states, and investigating the scope of unauthorized activity.
Individual users described the exploit as allowing arbitrary command execution as the asterisk user, enabling attackers to run any command permitted to that user. Reported operational impacts include unauthorized calling activity, potential toll fraud, and the need to review call records and billing for abuse.
Indicators of Compromise Reported by Sangoma and Community Researchers
Sangoma and customers published a set of indicators that administrators can use to detect exploitation. Key IOCs include:
- Missing or modified /etc/freepbx.conf configuration file.
- Presence of a suspicious /var/www/html/.clean.sh shell script believed to be uploaded by attackers.
- Unusual Apache access log entries targeting modular.php.
- Calls or call attempts to extension 9998 in Asterisk logs, with activity traced back to August 21.
- Unauthorized entries in the ampusers table of MariaDB/MySQL, notably a suspicious ampuser username in the leftmost column.
Sangoma advised that systems matching these indicators should be considered compromised until proven otherwise.
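As an added worked example (not Sangoma's tooling or anything posted on the forums), the POSIX shell helper below checks the five indicators above. It runs against constructed sample data so it works offline; the Apache and Asterisk line formats, the "admin" allowlist, and every host, time and username in the samples are assumptions, and on a real host the variables would be fed the live logs and the output of a SELECT on ampusers.

```shell
#!/bin/sh
# Added IOC triage helper; example code, not Sangoma's.
# Constructed Apache access log lines (hosts and times are invented).
SAMPLE_ACCESS_LOG='203.0.113.5 - - [21/Aug/2025:03:14:07 +0000] "POST /admin/modular.php HTTP/1.1" 200 512
192.0.2.10 - - [21/Aug/2025:03:15:01 +0000] "GET /admin/config.php HTTP/1.1" 200 2048'

# Constructed Asterisk full-log lines; the first shows a call to extension 9998.
SAMPLE_ASTERISK_LOG='[Aug 21 03:20:11] VERBOSE[1234] pbx.c: Executing [9998@from-internal:1] NoOp("SIP/2001-0001", "")
[Aug 21 03:21:00] VERBOSE[1234] pbx.c: Executing [2001@from-internal:1] NoOp("SIP/2002-0002", "")'

# Constructed output of: SELECT username FROM ampusers;
# The second row is the suspicious "ampuser" account named in the advisory.
SAMPLE_AMPUSERS='admin
ampuser'

# Administrator accounts the operator knows are legitimate (assumed allowlist).
KNOWN_ADMINS='admin'

# Print Apache lines that touch modular.php; exit 0 even when there are none.
modular_php_hits() { printf '%s\n' "$1" | grep -- 'modular\.php' || true; }

# Print Asterisk lines that reference extension 9998.
ext_9998_calls() { printf '%s\n' "$1" | grep -- '9998' || true; }

# Print ampusers rows that are not on the allowlist.
unknown_ampusers() {
    printf '%s\n' "$1" | while IFS= read -r user; do
        printf '%s\n' "$2" | grep -qx -- "$user" || printf '%s\n' "$user"
    done
}

# Report the two file-system IOCs. Paths are parameters so the check can be
# pointed at a mounted disk image as well as the live root.
check_paths() {
    [ -f "$1" ] || printf 'MISSING config: %s\n' "$1"
    [ -e "$2" ] && printf 'FOUND suspicious script: %s\n' "$2"
    return 0
}

# Run every check and print one tagged line per finding.
triage_report() {
    modular_php_hits "$SAMPLE_ACCESS_LOG" | sed 's/^/APACHE modular.php: /'
    ext_9998_calls "$SAMPLE_ASTERISK_LOG" | sed 's/^/ASTERISK ext 9998: /'
    unknown_ampusers "$SAMPLE_AMPUSERS" "$KNOWN_ADMINS" | sed 's/^/DB unknown ampuser: /'
    check_paths /etc/freepbx.conf /var/www/html/.clean.sh
}

triage_report
```

Any line of output is a reason to treat the host as compromised per Sangoma's guidance; an empty report only means these five indicators were not seen, not that the system is clean.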
Recommended Remediation Steps Provided by Sangoma for Compromised Hosts
Sangoma’s guidance to affected administrators follows the advisory: restore systems from backups created prior to August 21, deploy patched modules on fresh systems, and rotate all system and SIP-related credentials. Administrators are also urged to block public access to the ACP until the standard security update is installed and to verify that firewall rules limit Administrator access to trusted hosts.
Detection, Triage, and Post-Compromise Actions Reported by Affected Organizations
Organizations that reported compromises indicated incident response actions typically included quarantining compromised PBX instances, restoring from clean backups, auditing user and extension lists, and checking billing for unauthorized international calls. Because attackers may have created backdoor scripts or altered configurations, Sangoma recommends fresh deployments of patched modules rather than in-place remediation where compromise is confirmed.
Why this Vulnerability is Operationally Significant for Voice Infrastructures
FreePBX deployments often sit at the edge of enterprise telephony infrastructures and directly mediate SIP trunks, extensions, voicemail, and call routing. An exploit that allows command execution as the asterisk user can rapidly affect service availability, enable persistent backdoors in telephony stacks, and lead to immediate financial exposure through toll fraud. Sangoma specifically flagged the combination of an exposed admin panel and an installed Endpoint module as the attack surface intruders leveraged.
MITRE ATT&CK Mapping For FreePBX Zero-Day Exploitation
Tactic (MITRE ATT&CK) | Likely Technique | ID | Notes On Applicability |
---|---|---|---|
Initial Access | Exploit Public-Facing Application | T1190 | ACP exposed to internet exploited to gain entry. |
Execution | Command and Scripting Interpreter | T1059 | Arbitrary commands executed as the asterisk user. |
Persistence | Modify System Process / Create or Modify Scripts | T1543 | Uploaded .clean.sh may establish persistence. |
Discovery | File and Directory Discovery | T1083 | Attackers enumerate config and credential files. |
Credential Access | Credentials From Database | T1555 | Unauthorized ampusers DB entries indicate credential manipulation. |
Impact | Fraudulent Operations / Resource Hijacking | T1499 / T1486 | Unauthorized calls (toll fraud) and service disruption. |
For the Stakeholders
Indicators of Compromise: Missing or modified /etc/freepbx.conf, /var/www/html/.clean.sh, suspicious modular.php Apache logs, calls to extension 9998, and unauthorized ampusers DB entries.
Actions Taken by Vendor: Sangoma provided an EDGE module fix for testing and announced a standard security release. The vendor advised limiting ACP access to trusted hosts via the Firewall module and recommended restoration from pre-attack backups for compromised instances.
Immediate Priorities for Affected Organizations:
- Treat exposed Administrator panels as high risk and block public access until patched.
- If compromise is confirmed, restore from backups dated before August 21 and redeploy patched modules on fresh systems.
- Rotate system and SIP credentials and review call records for unauthorized activity.
Closing Note: Administrators with expired support contracts reported difficulty installing EDGE updates; such systems remain at risk until they can receive the standard security release. Organizations should validate ACP exposure and investigate IOCs immediately.