CVE-2025-57819
BaseFortify
Publication date: 2025-08-28
Last updated on: 2025-10-24
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sangoma | freepbx | From 15.0 (inc) to 15.0.66 (exc) |
| sangoma | freepbx | From 16.0 (inc) to 16.0.89 (exc) |
| sangoma | freepbx | From 17.0 (inc) to 17.0.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-57819 is a critical security vulnerability in the FreePBX commercial 'endpoint' module versions 15, 16, and 17. It arises from insufficient sanitization of user-supplied input, allowing unauthenticated attackers to bypass authentication and gain unauthorized access to the FreePBX Administrator interface. This access enables attackers to manipulate the database arbitrarily via SQL injection and escalate to remote code execution (RCE), potentially compromising the entire system. The vulnerability is exploitable when the Administrator Control Panel is exposed to the public internet without proper access restrictions. [1, 2]
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized remote code execution on your FreePBX system, leading to full system compromise. Attackers can manipulate the database, create backdoors, and potentially control SIP extensions and trunks. Evidence of compromise includes suspicious files, unusual log entries, and unknown database users. The exploit can result in loss of confidentiality, integrity, and availability of your telephony system, potentially causing service disruption, unauthorized calls, and exposure of sensitive data. Recovery requires patching, password rotation, system restoration from clean backups, and forensic analysis. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves checking for signs of compromise and suspicious activity related to the FreePBX endpoint module. Key indicators include:

1) Presence of the file /var/www/html/.clean.sh, which is a leftover from the exploit script.
2) Suspicious POST requests to modular.php in the Apache web server logs, dating back to at least August 21, 2025.
3) Calls to extension 9998 in the Asterisk logs, which is unusual unless explicitly configured.
4) Suspicious or unknown users in the ampusers database table.

Suggested commands:

- Check for the suspicious file: `ls -l /var/www/html/.clean.sh`
- Review Apache logs for POST requests: `grep 'POST .*modular.php' /var/log/apache2/access.log` (path may vary)
- Check Asterisk logs for extension 9998 calls: `grep '9998' /var/log/asterisk/full`
- Query the ampusers table for unknown users: `mysql -e "SELECT username FROM ampusers;"` (adjust for your database access)
- Verify the presence of /etc/freepbx.conf: `ls -l /etc/freepbx.conf`
- Check endpoint module version: `fwconsole ma list | grep endpoint`

[1, 2]
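The four indicators above, collected into a read-only triage script. This is an added example, not code from the advisory or from FreePBX; the log lines and user lists are constructed sample data, and the default paths named in the comments are assumptions to adjust for the deployment being examined.

```shell
#!/bin/sh
# Added example, not from the advisory: read-only triage helpers that apply the
# four indicators above. All sample data below is constructed; the default
# paths are assumptions and should be adjusted for the deployment being examined.

# 1) Leftover file from the exploit script: prints "present" or "absent".
check_clean_sh() {
  if [ -e "$1" ]; then echo present; else echo absent; fi
}

# 2) Count POST requests to modular.php in an Apache access log.
count_modular_posts() {
  [ -f "$1" ] || { echo 0; return; }
  grep -c 'POST [^ ]*modular\.php' "$1" || true
}

# 3) Count Asterisk "full" log lines where 9998 is the dialed extension.
count_ext_9998() {
  [ -f "$1" ] || { echo 0; return; }
  grep -c '\[9998@' "$1" || true
}

# 4) Print ampusers names absent from an allowlist (one username per line).
#    Feed it the output of: mysql -N -e "SELECT username FROM ampusers;"
unknown_ampusers() {
  grep -vxF -f "$2" "$1" || true
}

# Constructed sample data standing in for the real log files and query output.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/access.log" <<'EOF'
203.0.113.7 - - [20/Aug/2025:10:01:02 +0000] "GET /admin/config.php HTTP/1.1" 200 512
203.0.113.9 - - [22/Aug/2025:03:14:15 +0000] "POST /admin/modular.php HTTP/1.1" 200 77
203.0.113.9 - - [22/Aug/2025:03:14:16 +0000] "POST /admin/modular.php HTTP/1.1" 200 77
EOF
cat > "$WORK/full" <<'EOF'
[2025-08-22 03:15:01] VERBOSE[1234] pbx.c: Executing [1001@from-internal:1] Dial
[2025-08-22 03:15:40] VERBOSE[1234] pbx.c: Executing [9998@from-internal:1] Answer
EOF
printf 'admin\nsvc-backup\nzzqyy\n' > "$WORK/ampusers.txt"   # simulated query output
printf 'admin\nsvc-backup\n' > "$WORK/allowlist.txt"          # accounts you expect

# Summary over the sample data; point these at real paths for a live triage.
echo ".clean.sh:         $(check_clean_sh "$WORK/.clean.sh")"
echo "modular.php POSTs: $(count_modular_posts "$WORK/access.log")"
echo "ext 9998 calls:    $(count_ext_9998 "$WORK/full")"
echo "unknown ampusers:  $(unknown_ampusers "$WORK/ampusers.txt" "$WORK/allowlist.txt")"
```

Run it against copies of the real files (or a forensic image) rather than the live system, so triage does not alter timestamps on evidence.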
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1) Restrict access to the FreePBX Administrator interface by using the Firewall module to allow only trusted IP addresses, and disable public internet access to the ACP and related web management interfaces.
2) Upgrade the endpoint module to the latest patched version corresponding to your FreePBX version (15.0.66 or later for v15, 16.0.89 or later for v16, 17.0.3 or later for v17). This can be done from the command line with `fwconsole ma downloadinstall endpoint --tag <version>` or `fwconsole ma upgradeall`.
3) If the endpoint module is not installed, the system is likely not affected, but still verify whether the ACP is exposed.
4) Preserve backups from before August 21, 2025, and plan for system restoration and password rotation.
5) Monitor logs and call detail records for suspicious activity.
6) Consider forensic analysis if compromise is suspected.

Note that blocking only /admin or port 1443 is insufficient; firewall restrictions on the ACP are critical. [1, 2]