FreePBX 15-17 Urgent Advisory

The exploit is believed to be related to Endpoint Manager and the Admin page access. By default EPM is installed. If you have previously uninstalled EPM, you have a fair chance, at this time, of being safe, however, don't be complacent, security has never been high on Sangoma's list, nor has being transparent.
Hands up anyone with a registered instance of FreePBX who have had an Email from them about this?
..... c r i c k e t s .....
Thought so. In fact, there's still no mention as of now in the RSS feeds in the Dashboard, only in the module alert notice, a thread and now a banner on their forums, and we aaaalllllllllllllllllllll use their forums, don't weeee... Not to mention logging in every five minutes to look at the dashboard... /sarcasm/

Most people configure their PBX (regardless of what it is) and don't log in again until they need to make changes; I know of some cases where that's been years.
Everyone running one of these systems needs to review the following information and take immediate action. Start by checking for infection or modifications from the console:
ls -la /etc/freepbx.conf                              # must exist, but NOT modified since August 21
ls -la /var/www/html/.clean.sh                        # this file must NOT exist
zgrep modular.php /var/log/{httpd,apache2}/access*    # should show NO results
grep 9998 /var/log/asterisk/full*                     # should show NO results
For another check, look for any unusual username in the left-hand column of the SQL output below; you should also check any SQL log files for unknown users.
mysql -e "SELECT * FROM ampusers" asterisk
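As an added example that is not from the original post, this POSIX shell script wraps the filesystem and log checks above into one function, freepbx_ioc_check (a name I made up), which takes an optional root prefix so it can be rehearsed against constructed files before being run on the live PBX. The 21 August 2025 cut-off is assumed from the post and the CVE year; the ampusers query is left to run by hand.

```shell
#!/bin/sh
# Added example, not part of the original post: runs the advisory's indicator
# checks under a root prefix (default "", i.e. the live system) so they can be
# rehearsed against constructed files. Exit status: 0 clean, 1 indicators found.
CUTOFF=202508210000   # 21 August 2025 00:00, the cut-off the post gives (year assumed)

# grep_any PATTERN FILE... : true if PATTERN occurs in any existing plain or .gz file
grep_any() {
    pat="$1"; shift
    for f in "$@"; do
        [ -f "$f" ] || continue
        case "$f" in
            *.gz) gzip -dc "$f" | grep -q -- "$pat" && return 0 ;;
            *)    grep -q -- "$pat" "$f" && return 0 ;;
        esac
    done
    return 1
}

freepbx_ioc_check() {
    root="${1:-}"; hits=0; ref="${TMPDIR:-/tmp}/.ioc_cutoff.$$"
    touch -t "$CUTOFF" "$ref"                  # reference mtime for the -newer test
    conf="$root/etc/freepbx.conf"
    if [ ! -f "$conf" ]; then
        echo "HIT  $conf is missing"; hits=$((hits+1))
    elif [ -n "$(find "$conf" -newer "$ref")" ]; then
        echo "HIT  $conf modified after the cut-off"; hits=$((hits+1))
    else
        echo "ok   $conf present and unmodified since the cut-off"
    fi
    rm -f "$ref"
    if [ -e "$root/var/www/html/.clean.sh" ]; then
        echo "HIT  $root/var/www/html/.clean.sh exists"; hits=$((hits+1))
    else
        echo "ok   no .clean.sh in the web root"
    fi
    if grep_any modular.php "$root"/var/log/httpd/access* "$root"/var/log/apache2/access*; then
        echo "HIT  modular.php requested in web access logs"; hits=$((hits+1))
    else
        echo "ok   no modular.php requests in web access logs"
    fi
    if grep_any 9998 "$root"/var/log/asterisk/full*; then
        echo "HIT  9998 found in Asterisk full log"; hits=$((hits+1))
    else
        echo "ok   no 9998 in Asterisk full log"
    fi
    echo "$hits indicator(s) found"
    [ "$hits" -eq 0 ]
}
```

On the PBX itself, source the file and call freepbx_ioc_check with no argument; any HIT line means treat the box as compromised per the advice that follows.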
If you get hits on any of these, it is highly likely your system has been exploited and you will need to do a fresh install, including the OS, to be safe. If you have a backup from before August 21st (preferably well before it) that is still current, use that to reconfigure, reboot, and then fully update your system.
Not infected?
Congrats, you've always followed my advice on securing FreePBX, because Sangoma sure as hell can't be arsed doing so.
However, you still need to make sure your system has been updated. I suggest you log in to the console and execute:
fwconsole ma upgradeall
You could use the web interface as well. If, after doing this, you log in to the web interface and see Apply Config required, do it; it just keeps things happy. The critical warning may still appear on the dashboard; just hit refresh and it should go away once you have upgraded the system.
If you don't use EPM (and let's face it, as I've mentioned before, most don't need it; I never recommend using it), you can uninstall it, but this has caveats: for the uninstall to work you need to disable restapps, and for UCP to keep working you can't uninstall/disable restapps without first disabling PMS - ohhh, how I could so say something here but.... Also, if you are compromised, uninstalling it now is too late!
The TLDR on pissing off EPM
fwconsole ma disable pms
fwconsole ma delete restapps
fwconsole ma uninstall endpoint
Then, to make sure all is good, I suggest rebooting the actual server.
Next, make sure your firewall is working as desired. Check from a third-party network that you can't get to the FreePBX web admin page at freepbx.server.hostname, e.g. sipserver.example.net, which should redirect you to sipserver.example.net/admin/config.php where you log in. This should only work from your allowed IPs, such as your LAN. If you get the login page from a third-party IP (using your phone's mobile data with WiFi disabled is a good test), then your firewall is not enabled and you need to resolve that. Remember, if you have just rebooted FreePBX it will, as a safeguard, not enable the firewall for 5 minutes after the reboot, so don't test it right away; go make a coffee, then check it.
If you don't have access to a third-party system, log in to your server's console, use lynx (or links, as some systems prefer that variant) and use the port scanner at zonecheck.org.
Many of us predicted the coding would get worse when after v14 Sangoma started to get rid of inhouse devs who know FreePBX inside out and outsourced development to, guess which country .... yeah, so we're not really surprised are we....
This incident has been assigned CVE-2025-57819 and is rated critical, with a rarely seen score of 10.0.
Comments
Allysa on :
Did you read a comment from their forum rep about the options if your license is expired? To fix it, renew their license. What the actual fuck is that? Like you said in another post about chanspy, Sangoma only cares about security if they get paid to care. Greedy fuckers.
Angry Dude on :
You weren't the only one who never got an email from Sangoma about it; nothing in my inbox or spam folder either.
Screwed over! /var/www/html/.clean.sh exists. What a fucking fun day this will be; I've told the gang I'm calmly finishing my cuppa because I won't be so nice to be around for the rest of today.
Yep, I agree with you about outsourcing to those Indian twats who can't code to save their own fucking life, but pay peanuts, get monkeys. Probably uses ChatGPT; it doesn't know security. Try asking it for a complete MikroTik router config with BGP; I did that at the start of this year, shocking on securing it.