Sangoma warns of an actively exploited FreePBX zero-day affecting systems with publicly exposed admin control panels.

The Sangoma FreePBX Security Team addressed an actively exploited FreePBX zero-day vulnerability, tracked as CVE-2025-57819 (CVSS score of 10.0), impacting systems with an internet-facing administrator control panel (ACP).

FreePBX is an open-source telephony software platform that provides a web-based graphical interface for managing Asterisk, the most widely used open-source PBX (Private Branch Exchange). With FreePBX, organizations can set up and manage features like:

- VoIP (Voice over IP) calls
- Call routing and extensions
- Voicemail, call recording, and conferencing
- Interactive Voice Response (IVR) menus
- Integration with SIP trunks and phones

Essentially, it turns a standard server (or cloud instance) into a fully functional business phone system.

The root cause of the issue is insufficiently sanitized user-supplied data, which allows unauthenticated access to the FreePBX Administrator, leading to arbitrary database manipulation and remote code execution.

Project administrators revealed that an attacker exploited a flaw in the “endpoint” module of FreePBX 16 and 17 on exposed systems, chaining it with other steps to gain possible root access.

“Starting on or before August 21st, 2025, an unauthorized user began accessing multiple FreePBX version 16 and 17 systems that were connected directly to the public internet — systems with inadequate IP filtering/ACLs — by exploiting a validation/sanitization error in the processing of user-supplied input to the commercial “endpoint” module.” reads the advisory.
“This initial entry point was then chained with several other steps to ultimately gain potentially root level access on the target systems.”

The vulnerability impacts:

- FreePBX 15 prior to 15.0.66
- FreePBX 16 prior to 16.0.89, and
- FreePBX 17 prior to 17.0.3

Users are urged to update FreePBX, restrict public ACP access, and check for IoCs, including:

- File /etc/freepbx.conf recently modified or missing
- File /var/www/html/.clean.sh should not exist on normal systems
- POST requests to modular.php in web server logs (likely not legitimate traffic)
- Phone calls placed to extension 9998 in call logs and CDRs are unusual, unless previously configured
- Suspicious ampuser user in the ampusers database table, or other unknown users

According to Netlas researchers, most of the potentially vulnerable systems are in the US, followed by Russia and Germany.

“CVE-2025-57819: Auth Bypass in FreePBX Administrator, 10.0 rating. A critical 0-day vuln in FreePBX could allow an attacker to perform SQLi and RCE. Exploitation has already been observed in the wild! Search at https://t.co/hv7QKSqxTR: Link: https://t.co/tYMjnmD0wF” — Netlas.io (@Netlas_io) August 29, 2025

Pierluigi Paganini
(SecurityAffairs – hacking, zero-day)
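The indicators listed above are file, web-log, CDR and database checks that an administrator can run read-only on a FreePBX host. The script below is an added example written for this article; it is not part of the Sangoma advisory or of FreePBX. It assumes an Apache combined-format access log, a CSV export of the CDR table with the destination number in the third column, and the usernames of the ampusers table exported one per line (the column name `username` and the sample `/admin/modular.php` path are assumptions). The sample log lines, CDR rows and user lists are constructed so the checks can be exercised offline.

```shell
#!/bin/sh
# Added triage helper for the CVE-2025-57819 indicators (not from the advisory
# or the FreePBX project). All functions are read-only and print findings.

# File indicators: .clean.sh must not exist; freepbx.conf must exist and
# must not have been modified within the last $2 days (default 7).
# $1 = filesystem root prefix ("" for the live host, or a mounted image).
check_file_indicators() {
    root="$1"; days="${2:-7}"
    if [ -e "$root/var/www/html/.clean.sh" ]; then
        echo "FINDING: $root/var/www/html/.clean.sh exists"
    fi
    if [ ! -e "$root/etc/freepbx.conf" ]; then
        echo "FINDING: $root/etc/freepbx.conf is missing"
    elif [ -n "$(find "$root/etc/freepbx.conf" -mtime "-$days" 2>/dev/null)" ]; then
        echo "FINDING: $root/etc/freepbx.conf modified within the last $days days"
    fi
    return 0
}

# Web-log indicator: number of POST requests to modular.php in an Apache
# combined-format access log ($1). Prints 0 when none or when the file is absent.
count_modular_posts() {
    n=$(grep -c -E '"POST [^"]*modular\.php' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# CDR indicator: number of calls whose destination ($3 of a CSV export of the
# CDR table, header row skipped) is the extension in $2 (default 9998).
count_calls_to_ext() {
    ext="${2:-9998}"
    awk -F, -v ext="$ext" 'NR > 1 && $3 == ext { n++ } END { print n + 0 }' "$1" || echo 0
}

# Database indicator: usernames present in the ampusers table ($2, one per
# line, e.g. from: mysql -N asterisk -e 'SELECT username FROM ampusers;')
# that are not in the list of expected administrators ($1).
list_unknown_ampusers() {
    grep -v -x -F -f "$1" "$2" || true
}

# Constructed sample data so the checks can be run without a real PBX.
# Prints the directory it created.
make_demo_data() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/var/www/html"
    printf 'constructed config\n' > "$d/etc/freepbx.conf"
    touch -t 202001010000 "$d/etc/freepbx.conf"        # old timestamp: clean
    printf '#!/bin/sh\n' > "$d/var/www/html/.clean.sh"  # constructed finding
    cat > "$d/access.log" <<'EOF'
203.0.113.5 - - [21/Aug/2025:10:00:01 +0000] "GET /admin/config.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Aug/2025:10:00:03 +0000] "POST /admin/modular.php HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.7 - - [21/Aug/2025:10:01:00 +0000] "POST /admin/ajax.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Aug/2025:10:02:10 +0000] "POST /admin/modular.php?x=1 HTTP/1.1" 200 88 "-" "python-requests/2.31"
EOF
    cat > "$d/cdr.csv" <<'EOF'
calldate,src,dst,disposition
2025-08-21 10:05:00,1001,1002,ANSWERED
2025-08-21 10:06:12,1001,9998,ANSWERED
2025-08-21 10:07:30,9998,1001,NO ANSWER
EOF
    printf 'admin\nhelpdesk\n' > "$d/expected_users.txt"
    printf 'admin\nhelpdesk\nampuser\n' > "$d/ampusers.txt"
    echo "$d"
}

# Demonstration run on the constructed data. On a live host call the functions
# with "" as the root and the real access-log, CDR export and user-list paths.
demo=$(make_demo_data)
check_file_indicators "$demo"
echo "POST requests to modular.php: $(count_modular_posts "$demo/access.log")"
echo "Calls to extension 9998: $(count_calls_to_ext "$demo/cdr.csv")"
echo "Unknown ampusers entries:"
list_unknown_ampusers "$demo/expected_users.txt" "$demo/ampusers.txt"
rm -rf "$demo"
```

On the constructed data the run reports the planted `.clean.sh`, two POSTs to modular.php from the same source address, one call to 9998 and the extra `ampuser` account; the 2020 timestamp on `freepbx.conf` keeps that file out of the findings. A hit on any of these is a reason to take the host offline for forensic review rather than to clean it in place, since the advisory describes the initial access being chained to root.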