FreePBX actively exploited authentication bypass RCE (CVE-2025-57819)
Vulnerability
Summary
CVE-2025-57819 is an actively exploited FreePBX zero-day that can give attackers unauthenticated access to FreePBX Administrator and lead to arbitrary database manipulation and remote code execution. The flaw affects FreePBX 15 prior to 15.0.66, 16 prior to 16.0.89, and 17 prior to 17.0.3 when the administrator control panel is exposed to the public internet. Sangoma advised upgrading to the latest supported versions and restricting public access, while CISA added the CVE to its KEV catalog with a September 19, 2025 remediation deadline for FCEB agencies. Abuse was traced back to on or before August 21, 2025, with indicators including suspicious requests to modular.php and the presence of /var/www/html/.clean.sh.
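A triage check built from the version boundaries and indicators in the summary above; this is an added example, not code from Sangoma or from this page. It assumes an operator-supplied version string and Apache combined-format access logs, and because the page does not say what makes a modular.php request suspicious, it surfaces every request to that file for review. The sample log lines are constructed.

```python
import os
import re

# First fixed release per branch, as stated in the summary above.
FIXED = {15: (15, 0, 66), 16: (16, 0, 89), 17: (17, 0, 3)}
IOC_FILE = "/var/www/html/.clean.sh"   # indicator named on the page
IOC_SCRIPT = "modular.php"             # indicator named on the page
# Assumption: Apache combined log format.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample lines (documentation IP ranges, placeholder paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Aug/2025:03:14:09 +0000] "POST /modular.php HTTP/1.1" 200 512',
    '198.51.100.4 - - [21/Aug/2025:03:15:40 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.7 - - [21/Aug/2025:03:16:02 +0000] "GET /a/modular.php?x=1 HTTP/1.1" 404 0',
]

def is_vulnerable(version_text):
    """True/False for branches 15-17, None for branches the page does not cover."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version_text)
    if not m:
        raise ValueError(f"no version number in {version_text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    fixed = FIXED.get(parts[0])
    if fixed is None:
        return None
    # Compare major.minor.patch only; pad short strings such as "17" with zeros.
    return (parts + (0, 0))[:3] < fixed

def modular_hits(lines):
    """Return (ip, timestamp, method, target, status) for each request to modular.php."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        ip, ts, method, target, status = m.groups()
        script = target.split("?", 1)[0].rsplit("/", 1)[-1]
        if script.lower() == IOC_SCRIPT:
            hits.append((ip, ts, method, target, int(status)))
    return hits

def triage(version_text, log_lines, file_exists=os.path.exists):
    """Combine the patch-level check with both indicators from the page."""
    return {"vulnerable": is_vulnerable(version_text),
            "clean_sh_present": file_exists(IOC_FILE),
            "modular_php_requests": modular_hits(log_lines)}

if __name__ == "__main__":
    print(triage("16.0.88.19", SAMPLE_LOG))
```

A patched version string does not clear a host that was exposed before the update; the two indicator checks still apply.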
Related Happenings
Sangoma FreePBX web shell exploitation wave (CVE-2025-64328)
Exploitation Wave
First: 27.02.2026 19:59
Last: 27.02.2026 19:59
Sources 1
About this happening:
More than **900 Sangoma FreePBX** instances remain **web-shell infected** after an **ongoing exploitation wave** tied to **CVE-2025-64328**. The affected systems span the **U.S.**...
CISA KEV remediation deadline for SolarWinds WHD CVE-2025-40551
Public Sector Action
First: 04.02.2026 07:50
Last: 04.02.2026 07:50
Sources 1
About this happening:
**CISA** added **CVE-2025-40551** in **SolarWinds Web Help Desk** to the **KEV catalog** and imposed **federal remediation deadlines**, turning a newly exploited flaw into a compl...
Fortinet FortiWeb WAF authentication bypass actively exploited authentication bypass flaw
Vulnerability
First: 14.11.2025 11:00
Last: 14.11.2025 11:00
Sources 1
About this happening:
**Fortinet FortiWeb WAF** is under **active in-the-wild exploitation** for an **authentication bypass** that can let attackers **take over admin accounts** and **fully compromise...
Open VSX hit by network compromise linked to GlassWorm
Incident
First: 08.11.2025 18:17
Last: 08.11.2025 18:17
Sources 1
About this happening:
**Open VSX** suffered an **account compromise** tied to **GlassWorm**, forcing **access-token rotation** for an undisclosed number of breached accounts. The incident affected a **...
Timeline
- 02.09.2025 21:11 · 1 article · 8mo ago
Sangoma releases emergency FreePBX patches for CVE-2025-57819
Mitigation Patch Update
Sangoma released emergency patches for FreePBX versions 15, 16, and 17 after finding active exploitation of CVE-2025-57819 in the commercial endpoint module. Administrators were told to lock down all administrator access, restrict remote internet access to FreePBX servers, place the servers behind a firewall, update to a patched version, and verify the endpoint module has the recommended fixes; Sangoma also published IOCs and restoration steps, and noted a v17 framework module issue that may prevent automated update notification emails.
Sources:
- Sangoma Patches Critical Zero-Day Exploited to Hack FreePBX Servers — www.securityweek.com — 02.09.2025 21:11
- 29.08.2025 12:44 · 1 article · 9mo ago
Unauthorized user accesses internet-connected FreePBX 16 and 17 systems
Exploitation Observed
An unauthorized user began accessing multiple internet-connected FreePBX 16 and 17 systems with inadequate IP filtering or ACLs by abusing a sanitization issue in the commercial endpoint module, with activity traced back to on or before August 21, 2025 and backdoors later reported post-compromise.
Sources:
- FreePBX Servers Targeted by Zero-Day Flaw, Emergency Patch Now Available — thehackernews.com — 29.08.2025 12:44
- 29.08.2025 12:44 · 1 article · 9mo ago
Sangoma warns of actively exploited FreePBX zero-day CVE-2025-57819
Initial Disclosure
Sangoma's FreePBX Security Team issued an advisory warning that systems with an administrator control panel (ACP) exposed to the public internet are affected by CVE-2025-57819, a CVSS 10.0 flaw that permits unauthenticated access to FreePBX Administrator and can lead to arbitrary database manipulation and remote code execution; affected builds include FreePBX 15 prior to 15.0.66, FreePBX 16 prior to 16.0.89, and FreePBX 17 prior to 17.0.3, and operators were told to upgrade to the latest supported versions and restrict public ACP access.
Sources:
- FreePBX Servers Targeted by Zero-Day Flaw, Emergency Patch Now Available — thehackernews.com — 29.08.2025 12:44
- 29.08.2025 12:44 · 1 article · 9mo ago
CISA adds CVE-2025-57819 to the KEV catalog
Legal Policy Action Update
CISA added CVE-2025-57819 to the Known Exploited Vulnerabilities (KEV) catalog and required Federal Civilian Executive Branch agencies to apply the fixes by September 19, 2025.
Sources:
- FreePBX Servers Targeted by Zero-Day Flaw, Emergency Patch Now Available — thehackernews.com — 29.08.2025 12:44