Urgent Alert: Zero-Day Flaw in FreePBX Exploited, Systems at Risk of Severe Compromise
August 29, 2025
Sangoma's FreePBX security team issued an emergency warning about an actively exploited zero-day vulnerability, CVE-2025-57819, which affects systems whose administrator control panel is exposed and carries the maximum severity score of 10.0.
The vulnerability, which has been exploited since August 21, allows unauthenticated users to access the admin interface, leading to remote code execution and database manipulation due to insufficient input sanitization.
Most affected systems are located in the US, Russia, and Germany, with around 3,000 SIP extensions and 500 trunks impacted across multiple infrastructures.
Attackers have used this flaw to escalate privileges to root level, increasing the risk of severe system compromise, including dropping backdoors and further malicious activities.
Indicators of compromise include modifications to configuration files, malicious scripts like /var/www/html/.clean.sh, suspicious Apache log entries, unusual call patterns, and unauthorized database entries.
The root cause of the vulnerability is insufficient sanitization of user input, which allows unauthenticated access to the admin interface and potential remote code execution.
Exploited versions include FreePBX 15 before 15.0.66, 16 before 16.0.89, and 17 before 17.0.3, with attackers chaining multiple steps to gain root access on exposed systems.
The initial breach was detected on or before August 21, 2025; attackers particularly targeted systems with weak security configurations, such as inadequate IP filtering in front of the admin interface.
Security experts warn that active exploitation has been observed in the wild, with attackers deploying backdoors, and advise immediate disconnection of vulnerable systems to prevent further damage.
Sangoma has released a fix via an EDGE module for testing, with plans for a standard security update later that day, though some systems may already be compromised.
The vulnerability has been exploited to breach multiple servers, affecting approximately 3,000 SIP extensions and 500 trunks across various infrastructures.
Users are strongly advised to update FreePBX to the latest versions, restrict access to the admin interface, and thoroughly check their environments for indicators of compromise, including suspicious scripts, configuration modifications, and unusual call activity.
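Added example (not code from Sangoma, FreePBX or any of the cited sources): a Python triage helper that checks an installed FreePBX version against the fixed releases named above (15.0.66, 16.0.89, 17.0.3), looks for the /var/www/html/.clean.sh indicator, and lists files modified on or after the August 21 exploitation start date. The conf_dir default of /etc/asterisk is an assumption; the advisory names no specific configuration paths.

```python
import os
import re
from datetime import datetime, timezone

# Minimum fixed release per major branch, as named in the advisory.
FIXED_RELEASES = {15: (15, 0, 66), 16: (16, 0, 89), 17: (17, 0, 3)}
# File-system indicator named in the advisory, relative to the web root.
IOC_FILES = [".clean.sh"]
# Earliest exploitation date named in the advisory (UTC assumed).
EXPLOIT_START = datetime(2025, 8, 21, tzinfo=timezone.utc)

def parse_version(version: str) -> tuple:
    """Turn '16.0.88.1' into (16, 0, 88, 1); reject anything else."""
    m = re.fullmatch(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unrecognised FreePBX version string: {version!r}")
    return tuple(int(p) for p in m.group(0).split("."))

def is_vulnerable(version: str):
    """True if the branch is listed and the version predates its fix,
    False if at or beyond the fix, None if the major branch is not listed."""
    v = parse_version(version)
    fixed = FIXED_RELEASES.get(v[0])
    if fixed is None:
        return None
    return v < fixed  # tuple comparison: (16, 0, 88, 5) < (16, 0, 89) is True

def find_ioc_files(webroot: str) -> list:
    """Paths of advisory-named indicator files that exist under webroot."""
    return [p for p in (os.path.join(webroot, n) for n in IOC_FILES) if os.path.exists(p)]

def recently_modified(root: str, since: datetime = EXPLOIT_START) -> list:
    """Files under root with mtime on/after the exploitation start date."""
    cutoff, out = since.timestamp(), []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.stat(path).st_mtime >= cutoff:
                    out.append(path)
            except OSError:
                continue  # unreadable or vanished file: skip it, do not abort
    return sorted(out)

def triage(version: str, webroot: str = "/var/www/html",
           conf_dir: str = "/etc/asterisk") -> dict:
    """One verdict combining the version check and both file-system checks.
    The conf_dir default is an assumption; the advisory names no config paths."""
    return {"version": version, "vulnerable": is_vulnerable(version),
            "ioc_files": find_ioc_files(webroot),
            "modified_since_exploitation": recently_modified(conf_dir)}
```

A hit from any of the three checks is a reason to isolate the host and review Apache logs and call records, not proof of compromise on its own; the version check alone only says whether the system was exposed.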
Summary based on 3 sources
Sources

BleepingComputer • Aug 27, 2025
FreePBX servers hacked via zero-day, emergency fix released
The Hacker News • Aug 29, 2025
FreePBX Servers Targeted by Zero-Day Flaw, Emergency Patch Now Available
Security Affairs • Aug 29, 2025
Experts warn of actively exploited FreePBX zero-day