FreePBX Exploit (CVE-2025-57819): Hundreds of Systems Compromised, Thousands Still Vulnerable
A critical vulnerability in FreePBX has recently been exploited worldwide, leaving hundreds of phone systems compromised and thousands more still at risk. The flaw, tracked as CVE-2025-57819, affects the endpoint module in FreePBX versions 15, 16, and 17. Attackers can bypass authentication, manipulate databases, and achieve remote code execution without valid login credentials.
See our annotated CVE report on this FreePBX vulnerability for the latest mitigation and prevention guidance.
Timeline of Events
Malicious activity was observed as early as August 21, 2025, before patches were available. On August 26 a temporary fix was released, followed by a stable update on August 28. Administrators are urged to update immediately using the FreePBX Control Panel or by running:
fwconsole ma upgradeall
According to research from the Shadowserver Foundation, more than 6,600 FreePBX servers remained exposed a day after the patch was published, and at least 400 systems had already been compromised, including 18 in the Netherlands.
How to Check if Your System is Exposed
First, confirm whether the FreePBX Administrator panel is accessible from the public internet. If so, immediately restrict access using the FreePBX Firewall module and allow only trusted IP addresses. You can test this by trying to reach the admin panel from another device, such as your mobile phone on cellular data.
Next, check your system for signs of compromise:
- Look for unusual files, such as /var/www/html/.clean.sh.
- Search Apache logs for requests to modular.php:
  zgrep modular.php /var/log/{httpd,apache2}/access*
- Search Asterisk logs for calls to extension 9998:
  grep 9998 /var/log/asterisk/full*
- Check the database for unexpected user accounts:
  mysql -e "SELECT * FROM ampusers" asterisk
If any of these checks raise red flags, treat the system as compromised: restore from a known good backup, rotate all credentials, and review call records for fraud.
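The checks above combined into one pass, as an added example that is not part of the original article or of FreePBX. The function names, the script name triage.sh, the root-prefix argument (so a mounted image or restored copy can be scanned) and the sample log lines are all assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the article: the checks above in one pass.
# Usage: triage.sh /           scan the live system
#        triage.sh /mnt/image  scan a mounted image or restored copy
#        triage.sh             run against constructed sample files

freepbx_triage() {
    local root="${1%/}" f n hits=0
    # 1. Unusual file named in the article.
    f="$root/var/www/html/.clean.sh"
    if [ -e "$f" ]; then echo "FINDING file $f"; hits=$((hits + 1)); fi
    # 2. Apache access logs, including rotated .gz files, requesting modular.php.
    for f in "$root"/var/log/httpd/access* "$root"/var/log/apache2/access*; do
        [ -f "$f" ] || continue          # an unmatched glob stays literal; skip it
        n=$(zgrep -c -F 'modular.php' "$f") || continue
        echo "FINDING apache $f lines=$n"; hits=$((hits + 1))
    done
    # 3. Asterisk full logs mentioning 9998 (same broad match as the article).
    for f in "$root"/var/log/asterisk/full*; do
        [ -f "$f" ] || continue
        n=$(zgrep -c -F '9998' "$f") || continue
        echo "FINDING asterisk $f lines=$n"; hits=$((hits + 1))
    done
    # 4. Account list for manual review; only possible on the live system.
    if [ -z "$root" ] && command -v mysql >/dev/null 2>&1; then
        echo "REVIEW ampusers:"
        mysql -e "SELECT * FROM ampusers" asterisk || echo "REVIEW ampusers: query failed"
    fi
    echo "SUMMARY hits=$hits"
}

# Constructed sample tree (not real traffic): a dropped file, a clean current
# access log, a rotated access log with one hit, and a clean Asterisk log.
make_sample() {
    local d; d=$(mktemp -d)
    mkdir -p "$d/var/www/html" "$d/var/log/apache2" "$d/var/log/asterisk"
    : > "$d/var/www/html/.clean.sh"
    echo '198.51.100.7 - - [21/Aug/2025:03:12:45 +0000] "GET /index.php HTTP/1.1" 200 512' \
        > "$d/var/log/apache2/access.log"
    echo '198.51.100.7 - - [21/Aug/2025:03:12:44 +0000] "GET /modular.php HTTP/1.1" 200 0' \
        | gzip > "$d/var/log/apache2/access.log.1.gz"
    echo '[2025-08-21 03:13:02] VERBOSE[2211] pbx.c: Executing [1000@from-internal:1]' \
        > "$d/var/log/asterisk/full"
    echo "$d"
}

if [ "$#" -gt 0 ]; then freepbx_triage "$1"; else d=$(make_sample); freepbx_triage "$d"; rm -rf "$d"; fi
```

The patterns are plain substring matches, so a reported file is a lead to read, not proof of compromise. Rotated logs are included because the activity described above began days before the patch.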
Protecting FreePBX Systems
The immediate priorities are clear: patch FreePBX to the latest version, lock down the administrator interface, and verify backups. Even if no compromise is found, now is the right time to test restoration procedures and improve monitoring for unusual activity.
How BaseFortify Helps
BaseFortify.eu provides organizations with clear, actionable intelligence on vulnerabilities like CVE-2025-57819. It shows whether affected software is present in your environment, highlights detection commands, and outlines concrete steps to mitigate risk. With attack scenarios and tailored guidance, BaseFortify helps teams understand not just that a vulnerability exists, but how it could impact their systems — and what to do next.