
FreePBX Servers Hit by 0-Day Exploit, Disable Internet Access Advised

FreePBX administrators worldwide have been urged to immediately disable public internet access to their systems after a critical 0-day vulnerability was discovered in the commercial Endpoint Manager module.

The Sangoma FreePBX Security Team confirmed that attackers' exploit code can gain unauthenticated remote code execution on systems whose Administrator Control Panel is exposed to hostile networks, prompting an urgent advisory on August 26 and a follow-up update last night urging continued lockdown measures.

According to Sangoma, the vulnerability affects FreePBX versions 16 and 17 when the Endpoint module is installed and accessible via ports 80 or 443.

Exploitation leads to privilege escalation and remote command execution under the web server user, allowing threat actors to deploy cleanup scripts, install persistent backdoors, and exfiltrate call detail records.

Although no widespread public attribution has emerged, community reports indicate initial compromises began on August 21, with operators first noticing web interface failures and anomalous Apache POST requests targeting modular.php.

In its initial advisory, the security team said it expected to ship a stable fix within 36 hours and provided an EDGE-channel update for immediate testing.

FreePBX users on v16 can run "fwconsole ma downloadinstall endpoint --tag 16.0.88.19", while v17 administrators should use "fwconsole ma downloadinstall endpoint --tag 17.0.2.31".

Those still running EDGE pre-releases are advised to confirm module versions via the Admin → Module Admin menu once the stable release is published. PBXAct appliances follow the same update commands.

Operators are instructed to inspect their systems for indicators of compromise by checking for the presence of the malicious ".clean.sh" file in /var/www/html, verifying the integrity of /etc/freepbx.conf, and searching web server logs for POST requests to modular.php dating back to August 21.

Asterisk logs should be scanned for calls to extension 9998, and MariaDB logs reviewed for unexpected ampuser entries.

If any of these signs are detected, administrators are advised to take a full forensic snapshot or re-install from a known clean backup dating before the suspected compromise.
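The indicator checks above, collected into a small shell triage helper. This is an added example, not Sangoma's tooling; it assumes an Apache combined-format access log, the Asterisk "full" log, and a known-good sha256 of /etc/freepbx.conf recorded from a clean backup, and every check takes paths so it can run over copied logs on a separate analysis host.

```shell
#!/usr/bin/env bash
# Added triage helper for the indicators listed above; it is not Sangoma's tooling.
# Assumptions: the Apache access log is in combined format, the Asterisk "full"
# log is used, and a known-good sha256 of /etc/freepbx.conf was recorded from a
# clean backup. Each check takes paths so it can run over copied logs offline.

# True if the dropped ".clean.sh" script is present in the web root ($1).
has_clean_sh() {
  [ -e "$1/.clean.sh" ]
}

# True if freepbx.conf ($1) still matches the hash ($2) from a clean backup.
freepbx_conf_unchanged() {
  [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# Print how many POST requests hit modular.php in the Apache log ($1) on or
# after date $2 (YYYYMMDD); the first reported compromises date to 21 Aug.
count_modular_posts() {
  awk -v since="$2" '
    BEGIN { k = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= k; i++) mon[m[i]] = sprintf("%02d", i) }
    $6 == "\"POST" && $7 ~ /\/modular\.php/ {
      split(substr($4, 2), t, "[/:]")          # $4 is "[21/Aug/2025:03:14:07"
      if ((t[3] mon[t[2]] t[1]) >= since) n++  # compare as YYYYMMDD strings
    }
    END { print n + 0 }' "$1"
}

# Print how many dialplan executions for extension 9998 the Asterisk log ($1)
# records (lines like "pbx.c: Executing [9998@from-internal:1] ...").
count_ext_9998() {
  [ -r "$1" ] || { echo 0; return; }
  grep -c 'Executing \[9998@' "$1" || true
}

# Print admin usernames from $1 (one per line, e.g. a dump of the ampusers
# table) that are not in the allowlist passed as the remaining arguments.
unexpected_ampusers() {
  users="$1"; shift
  awk -v allow="$*" '
    BEGIN { k = split(allow, a, " "); for (i = 1; i <= k; i++) ok[a[i]] = 1 }
    NF && !($1 in ok) { print $1 }' "$users"
}
```

On a FreePBX host the inputs are /var/www/html, /etc/freepbx.conf, the Apache access log (assumed to be /var/log/httpd/access_log on the Sangoma distro) and /var/log/asterisk/full. The 9998 grep is a heuristic, so review the matched lines rather than relying on the count alone.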

Immediate containment measures include restricting the Administrator Control Panel to trusted IP addresses via the FreePBX Firewall module, or better yet, placing the PBX behind a VPN or isolated management VLAN.

Operators without the Endpoint Manager installed can consider their systems at lower risk but should still audit exposure and confirm no unauthorized modules are active.

Beyond containment, the Sangoma team recommends a full restoration procedure: preserving pre-attack backups to offline media, deploying a fresh FreePBX instance with updated modules, and restoring configuration to the new host.

All credentials—from SIP trunks to voicemail PINs—should be rotated. For organizations lacking recent backups, temporary clean-up may suffice to maintain service, but a full reinstall is strongly preferred.

With a comprehensive security release expected imminently, administrators should prioritize locking down internet access and applying the endpoint module patch as soon as it exits EDGE testing.

The Sangoma FreePBX Security Team continues to monitor the incident and will publish a formal CVE and post-mortem once the investigation concludes.
