Active Exploitation of FreePBX Zero-Day Vulnerability CVE-2025-57819
Summary
A zero-day vulnerability in FreePBX, identified as CVE-2025-57819, is actively exploited in the wild. The flaw allows unauthenticated access to the FreePBX Administrator, leading to arbitrary database manipulation and remote code execution. The vulnerability affects versions 15, 16, and 17 of FreePBX. Exploitation began on or before August 21, 2025, targeting systems with inadequate IP filtering or access control lists (ACLs). Users are advised to upgrade to the latest supported versions and restrict public access to the administrator control panel. Sangoma has released patches for the vulnerability and provided indicators of compromise (IOCs) to help administrators detect exploitation. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by September 19, 2025.
Timeline
- 02.09.2025 21:11 (1 article)
Sangoma releases patches and IOCs for CVE-2025-57819
Sangoma has released emergency patches for the zero-day vulnerability CVE-2025-57819 in FreePBX versions 15, 16, and 17. The flaw, caused by insufficient sanitization of user-supplied data, allows unauthenticated access to the FreePBX Administrator, enabling database manipulation and remote code execution. Sangoma has provided indicators of compromise (IOCs) and recommended restoration steps. Users are advised to update to the patched versions, lock down administrator access, and ensure their servers sit behind a firewall. The flaw is in the commercial 'endpoint' module. A current issue in the v17 'framework' module may prevent automated update notification emails from being sent.
Sources:
- Sangoma Patches Critical Zero-Day Exploited to Hack FreePBX Servers (www.securityweek.com, 02.09.2025 21:11)
- 29.08.2025 12:44 (2 articles)
Zero-day in FreePBX versions 15, 16, and 17 actively exploited since August 21, 2025
A zero-day vulnerability in FreePBX, identified as CVE-2025-57819, is actively exploited in the wild. The flaw allows unauthenticated access to the FreePBX Administrator, leading to arbitrary database manipulation and remote code execution. Exploitation began on or before August 21, 2025, targeting systems with inadequate IP filtering or ACLs. Users are advised to upgrade to the latest supported versions and restrict public access to the administrator control panel. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply the fixes by September 19, 2025. Sangoma has released patches for the vulnerability and provided indicators of compromise (IOCs) to help administrators detect exploitation. The flaw is in the commercial 'endpoint' module. A current issue in the v17 'framework' module may prevent automated update notification emails from being sent.
Sources:
- FreePBX Servers Targeted by Zero-Day Flaw, Emergency Patch Now Available (thehackernews.com, 29.08.2025 12:44)
- Sangoma Patches Critical Zero-Day Exploited to Hack FreePBX Servers (www.securityweek.com, 02.09.2025 21:11)
Information Snippets
- FreePBX is an open-source PBX platform built on Asterisk, widely used for managing voice communications.
  First reported: 29.08.2025 12:44 (2 sources, 2 articles)
  Sources:
  - FreePBX Servers Targeted by Zero-Day Flaw, Emergency Patch Now Available (thehackernews.com, 29.08.2025 12:44)
  - Sangoma Patches Critical Zero-Day Exploited to Hack FreePBX Servers (www.securityweek.com, 02.09.2025 21:11)
- The vulnerability, CVE-2025-57819, has a CVSS score of 10.0, indicating maximum severity.
  First reported: 29.08.2025 12:44 (2 sources, 2 articles)
  Sources:
  - FreePBX Servers Targeted by Zero-Day Flaw, Emergency Patch Now Available (thehackernews.com, 29.08.2025 12:44)
  - Sangoma Patches Critical Zero-Day Exploited to Hack FreePBX Servers (www.securityweek.com, 02.09.2025 21:11)
- The flaw allows unauthenticated access to the FreePBX Administrator, leading to arbitrary database manipulation and remote code execution.
  First reported: 29.08.2025 12:44 (2 sources, 2 articles)
  Sources:
  - FreePBX Servers Targeted by Zero-Day Flaw, Emergency Patch Now Available (thehackernews.com, 29.08.2025 12:44)
  - Sangoma Patches Critical Zero-Day Exploited to Hack FreePBX Servers (www.securityweek.com, 02.09.2025 21:11)
- Affected versions include FreePBX 15 prior to 15.0.66, FreePBX 16 prior to 16.0.89, and FreePBX 17 prior to 17.0.3.
  First reported: 29.08.2025 12:44 (2 sources, 2 articles)
  Sources:
  - FreePBX Servers Targeted by Zero-Day Flaw, Emergency Patch Now Available (thehackernews.com, 29.08.2025 12:44)
  - Sangoma Patches Critical Zero-Day Exploited to Hack FreePBX Servers (www.securityweek.com, 02.09.2025 21:11)
- Exploitation began on or before August 21, 2025, targeting systems with inadequate IP filtering or ACLs.
  First reported: 29.08.2025 12:44 (2 sources, 2 articles)
  Sources:
  - FreePBX Servers Targeted by Zero-Day Flaw, Emergency Patch Now Available (thehackernews.com, 29.08.2025 12:44)
  - Sangoma Patches Critical Zero-Day Exploited to Hack FreePBX Servers (www.securityweek.com, 02.09.2025 21:11)
- Attackers combined the initial access with further steps to potentially gain root-level access on the targeted hosts.
  First reported: 29.08.2025 12:44 (2 sources, 2 articles)
  Sources:
  - FreePBX Servers Targeted by Zero-Day Flaw, Emergency Patch Now Available (thehackernews.com, 29.08.2025 12:44)
  - Sangoma Patches Critical Zero-Day Exploited to Hack FreePBX Servers (www.securityweek.com, 02.09.2025 21:11)
- Users are advised to upgrade to the latest supported versions and restrict public access to the administrator control panel.
  First reported: 29.08.2025 12:44 (2 sources, 2 articles)
  Sources:
  - FreePBX Servers Targeted by Zero-Day Flaw, Emergency Patch Now Available (thehackernews.com, 29.08.2025 12:44)
  - Sangoma Patches Critical Zero-Day Exploited to Hack FreePBX Servers (www.securityweek.com, 02.09.2025 21:11)
- Indicators of compromise include a modified or missing /etc/freepbx.conf, the presence of /var/www/html/.clean.sh, suspicious POST requests to modular.php, unusual calls to extension 9998, and suspicious users in the ampusers database.
  First reported: 29.08.2025 12:44 (2 sources, 2 articles)
  Sources:
  - FreePBX Servers Targeted by Zero-Day Flaw, Emergency Patch Now Available (thehackernews.com, 29.08.2025 12:44)
  - Sangoma Patches Critical Zero-Day Exploited to Hack FreePBX Servers (www.securityweek.com, 02.09.2025 21:11)
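The file, web-log and call-record indicators listed above can be checked with a small triage script. The following is an added example written for this page; it is not code from Sangoma, the FreePBX project or the cited articles. The two file paths and extension 9998 are taken from the IoC list; everything else is an assumption: that the web server in front of FreePBX writes Apache combined-format access logs, that the CDR export is a CSV with a `dst` column, that modular.php lives under /admin/ (only the file name is matched), and that a `root` prefix lets the same checks run against a mounted disk image. The sample log lines and CDR rows are constructed and use RFC 5737 documentation addresses.

```python
"""Triage helpers for the CVE-2025-57819 indicators listed above.

Added example, not code from the page, Sangoma or the FreePBX project.
The IoC paths and the extension number come from the page; the Apache
combined log format, the CSV layout of the CDR export and the `root`
prefix (so a mounted disk image can be checked) are assumptions.
"""
import csv
import io
import os
import re
from typing import Dict, List

# Indicators as published on the page (relative to the host root).
IOC_CONF = "etc/freepbx.conf"            # modified or missing on compromised hosts
IOC_DROPPER = "var/www/html/.clean.sh"   # should not exist on a clean install
IOC_EXTENSION = "9998"                   # unusual calls to this extension

# Apache "combined" log format is assumed for the web server in front of FreePBX.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def check_filesystem(root: str = "/") -> Dict[str, str]:
    """Report the file-based indicators found under `root`.

    A *modified* freepbx.conf can only be judged against a known-good copy
    or backup, so this function flags the file only when it is missing.
    """
    findings: Dict[str, str] = {}
    if not os.path.exists(os.path.join(root, IOC_CONF)):
        findings[IOC_CONF] = "missing"
    if os.path.exists(os.path.join(root, IOC_DROPPER)):
        findings[IOC_DROPPER] = "present"
    return findings


def scan_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return every POST aimed at modular.php (query string ignored for matching)."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        path = m.group("path").split("?", 1)[0]
        if m.group("method") == "POST" and path.endswith("/modular.php"):
            hits.append({k: m.group(k) for k in ("ip", "ts", "path", "status")})
    return hits


def scan_cdr_csv(text: str) -> List[Dict[str, str]]:
    """Return CDR rows whose destination is the flagged extension."""
    return [row for row in csv.DictReader(io.StringIO(text))
            if row.get("dst") == IOC_EXTENSION]


# Constructed sample data (RFC 5737 documentation addresses, invented timestamps).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [21/Aug/2025:03:14:07 +0000] "POST /admin/modular.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '192.0.2.10 - - [21/Aug/2025:09:00:01 +0000] "GET /admin/config.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Aug/2025:03:14:09 +0000] "POST /admin/modular.php?x=1 HTTP/1.1" 200 128 "-" "curl/8.0"',
    "garbage line that does not parse",
]
SAMPLE_CDR = (
    "calldate,src,dst,disposition\n"
    "2025-08-21 03:20:00,1001,9998,ANSWERED\n"
    "2025-08-21 10:00:00,1002,1003,ANSWERED\n"
)


if __name__ == "__main__":
    # On a live host point check_filesystem at "/" and feed it the real
    # access log and CDR export instead of the constructed samples.
    print("filesystem:", check_filesystem("/"))
    print("web log hits:", scan_access_log(SAMPLE_ACCESS_LOG))
    print("calls to 9998:", scan_cdr_csv(SAMPLE_CDR))
```

A hit from any of the three functions is a reason to pull the host for the full IoC review Sangoma describes, including a look at the ampusers table for accounts nobody created; it is not on its own proof of compromise, since legitimate administrator sessions also POST to modular.php.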
- CISA has added CVE-2025-57819 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply fixes by September 19, 2025.
  First reported: 29.08.2025 12:44 (2 sources, 2 articles)
  Sources:
  - FreePBX Servers Targeted by Zero-Day Flaw, Emergency Patch Now Available (thehackernews.com, 29.08.2025 12:44)
  - Sangoma Patches Critical Zero-Day Exploited to Hack FreePBX Servers (www.securityweek.com, 02.09.2025 21:11)
Similar Happenings
CVE-2025-5086 in DELMIA Apriso Exploited in the Wild
A critical deserialization vulnerability (CVE-2025-5086) in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software is being actively exploited. The flaw, with a CVSS score of 9.0, affects versions from Release 2020 through Release 2025. The vulnerability allows for remote code execution, and exploitation attempts have been observed originating from an IP address in Mexico. The attacks involve sending a malicious HTTP request with a Base64-encoded payload. The payload decodes to a Windows executable identified as "Trojan.MSIL.Zapchast.gen," a spyware capable of capturing user activities and sending collected information to attackers. DELMIA Apriso is used in production processes for digitalizing and monitoring, including scheduling production, quality management, resource allocation, warehouse management, and integration between production equipment and business applications. The flaw impacts critical industries such as automotive, aerospace, electronics, high-tech, and industrial machinery. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to the Known Exploited Vulnerabilities (KEV) catalog and is advising federal agencies to apply necessary updates by October 2, 2025.
Akira Ransomware Exploits SonicWall SSL VPN Flaws and Misconfigurations
The Akira ransomware group has been actively exploiting vulnerabilities and misconfigurations in SonicWall SSL VPN devices to gain initial access to networks. This campaign has seen increased activity since late July 2025, targeting organizations globally, including those in Australia. The attacks leverage a year-old flaw (CVE-2024-40766) and misconfigured LDAP settings to bypass access controls and facilitate ransomware deployment. The threat actors combine brute-forcing credentials, exploiting default configurations, and using the Virtual Office Portal to configure multi-factor authentication (MFA) with valid accounts. These tactics allow them to bypass security measures and gain unauthorized access to networks. SonicWall has confirmed that the recent SSLVPN activity is related to CVE-2024-40766, not a zero-day vulnerability. The affected firewall versions include specific models of Gen 5, Gen 6, and Gen 7 devices. Organizations are advised to update to firmware version 7.3.0 or later, rotate passwords, enforce MFA, mitigate the SSLVPN Default Groups risk, and restrict Virtual Office Portal access to trusted/internal networks.
Critical SessionReaper vulnerability patched in Adobe Commerce and Magento Open Source
Adobe has patched a critical vulnerability (CVE-2025-54236) in its Commerce and Magento Open Source platforms, dubbed SessionReaper. This flaw, with a CVSS score of 9.1, could allow unauthenticated attackers to take control of customer accounts via the Commerce REST API. The patch was released on September 9, 2025, following an emergency notification to selected customers on September 4, 2025. Adobe Commerce on Cloud customers were already protected by a WAF rule deployed as an interim measure. The vulnerability is considered one of the most severe in the platform's history, with potential for widespread exploitation. Administrators are advised to apply the patch immediately, as it disables certain internal Magento functionalities that may affect custom or external code. Affected versions:
- Adobe Commerce 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, 2.4.5-p14 and earlier, and 2.4.4-p15 and earlier
- Adobe Commerce B2B 1.5.3-alpha2 and earlier, 1.5.2-p2 and earlier, 1.4.2-p7 and earlier, 1.3.4-p14 and earlier, and 1.3.3-p15 and earlier
- Magento Open Source 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, and 2.4.5-p14 and earlier
- Custom Attributes Serializable module versions 0.1.0 to 0.4.0
Critical SAP NetWeaver Command Execution Vulnerabilities Patched
SAP has patched three critical vulnerabilities in NetWeaver, its middleware for business applications. The most severe flaw, CVE-2025-42944, allows unauthenticated attackers to execute arbitrary OS commands via insecure deserialization. Two other critical issues, CVE-2025-42922 and CVE-2025-42958, enable authenticated users to upload arbitrary files and unauthorized users to access administrative functions. These vulnerabilities affect SAP's ERP, CRM, SRM, and SCM applications, widely used in large enterprise networks. The patches come amid ongoing exploitation of another critical SAP vulnerability, CVE-2025-42957, which affects S/4HANA, Business One, and NetWeaver products. SAP released 21 new and four updated security notes on its September 2025 patch day, including updates for NetWeaver AS ABAP and other SAP products. SAP has also released a patch for a high-severity missing input validation bug in SAP S/4HANA (CVE-2025-42916, CVSS score: 8.1).
Active exploitation of SAP S/4HANA command injection vulnerability CVE-2025-42957
A critical command injection vulnerability in SAP S/4HANA, tracked as CVE-2025-42957, is being actively exploited in the wild. The flaw allows attackers with low-privileged user access to execute arbitrary ABAP code, potentially leading to full system compromise. The vulnerability affects both on-premise and private cloud editions of SAP S/4HANA. The exploit can result in unauthorized modification of the SAP database, creation of superuser accounts, and theft of password hashes. Organizations are advised to apply patches immediately and monitor for suspicious activity. The vulnerability was fixed by the vendor on August 11, 2025, but several systems have not applied the available security updates, and these are now being targeted by hackers who have weaponized the bug. SecurityBridge discovered the vulnerability and reported it to SAP on June 27, 2025, and even assisted in the development of a patch. SecurityBridge and Pathlock have confirmed active exploitation of the vulnerability. The patch for CVE-2025-42957 is relatively easy to reverse engineer, and successful exploitation gives attackers access to the operating system and all data in the targeted SAP system. Organizations are urged to implement additional security measures, such as SAP's Unified Connectivity framework (UCON), to restrict RFC usage and monitor logs for suspicious activity.