CVE-2025-57819: Unauthenticated RCE Threatens FreePBX Systems Globally
CVE-2025-57819 (CVSS 9.8) is a new maximum severity CVE affecting FreePBX versions 15, 16, and 17 if the commercial EndPoint Management (EPM) module is installed. Private Branch Exchange (PBX) is a telephony technology for routing voice calls, and often includes additional services, such as voicemail. CVE-2025-57819 is caused by insufficiently sanitised user input, resulting in SQL Injection [CWE-89] and authentication bypass [CWE-288]. According to the official advisory from Sangoma, exploitation can result in remote code execution (RCE) with root-level permissions on the underlying system. Active exploitation was reported on August 21, 2025, and CVE-2025-57819 was added to CISA’s Known Exploited Vulnerabilities (KEV) list.
Only partial technical reports have been published; proof-of-concept (PoC) exploits have not yet emerged. National CERT advisories have been issued by NCSC-NL and the Canadian Cyber Centre. The widespread deployment of FreePBX raises the potential risk posed by CVE-2025-57819. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote banner detection to identify vulnerable versions of FreePBX. Let’s investigate the details surrounding this high-risk CVE.
Technical Details of Cyber Attacks Targeting CVE-2025-57819
Full technical details about the root cause of CVE-2025-57819 have not been published. Existing reports indicate the flaw is an SQL Injection [CWE-89] with privilege escalation to “potentially root level access” on the underlying FreePBX system [1]. The affected product is listed as FreePBX core. However, Sangoma’s official advisory implicates the commercial EndPoint Management (EPM) add-on module.
Internally, FreePBX users and passwords are stored in the MariaDB ampusers table [2]. Once attackers determine which inputs are vulnerable to SQL Injection, they may read and write sensitive database tables and change administrator passwords to gain admin access to the web UI. SQL Injection against MariaDB can also be leveraged for arbitrary file creation.
Inspection of the FreePBX installer shows that the asterisk service user is given ownership of the web-root directory [3]. This allows a malicious web shell to gain full control of the Asterisk PBX sub-system. In fact, IoCs (Indicators of Compromise) from breach analysis indicate that web shells are being used in attacks.
Risk Assessment for CVE-2025-57819 in FreePBX EPM Module
FreePBX is widely deployed by IT service providers specializing in enterprise VoIP to deliver hosted or on-premises voice solutions. FreePBX itself is an open-source web-based interface for managing Asterisk, a voice-over-IP (VoIP) PBX system. CVE-2025-57819 affects Sangoma FreePBX versions 15, 16, and 17 if the EndPoint Manager (EPM) module is installed and attackers can access the Administrator interface. If the EPM module is not installed, or the FreePBX Administrator UI is protected from access by malicious actors, then a system is not at risk.
There is strong evidence that the potential global impact of CVE-2025-57819 is high. The CVE’s critical CVSS severity implies that total compromise of a FreePBX host is possible via unsophisticated attacks. Furthermore, CVE-2025-57819 has a high EPSS in the ≥97th risk percentile of CVEs. A Shodan filter for the webpage title “FreePBX Administrator” shows more than 12,000 exposed instances. If even a fraction of these are using the commercial EPM module, there could be significant fallout from this vulnerability.
Real-world breaches leveraging CVE-2025-57819 have reportedly resulted in total control of FreePBX systems. Attackers have a variety of options for extending their attack against a victim. These attacks may include:
- Full control of a FreePBX instance could allow attackers to intercept and monitor SIP traffic and to collect communication metadata, call recordings, or voicemail [T1123]
- Escalation to root-level privileges on the compromised Linux sub-system [T1068]
- Theft of sensitive data [T1005] could provide context for future social engineering attacks, including phishing [T1660] or vishing [T1598.004] for credentials to an organization’s IT infrastructure
- Attackers could gain persistence [TA0003] and stealthy command and control (C2) access to FreePBX systems [TA0011]
- Lateral movement to other internal network systems [TA0008]
- Ransomware deployment [T1486] and financial extortion of victims [T1657]
Mitigating CVE-2025-57819 in FreePBX
According to Sangoma’s official advisory, complete mitigation requires users to upgrade FreePBX core to versions 15.0.66, 16.0.89, or 17.0.3, and the commercial EPM module to the corresponding fixed releases (16.0.88.19 for FreePBX 16 and 17.0.2.31 for FreePBX 17), or to apply the interim "edge" build if advised by the vendor. If users cannot upgrade, they may reduce their risk by restricting access to the FreePBX Administrator UI by source IP address. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote banner detection to identify vulnerable versions of FreePBX.
Observed IoCs include arbitrary file creation with filenames such as .clean.sh, monitor.php, backend.php, .conf_, and modified /etc/freepbx.conf configuration files [1][2]. These IoCs indicate that PHP web shells are used to execute OS commands. Breach forensic analysis has also uncovered evidence of persistence mechanisms and stealthy log-scrubbing techniques. Users should assume compromise has taken place if modified configuration files, suspicious PHP files, or rogue database users are detected.
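The following POSIX shell functions are an added example of a host-side sweep for the indicators named above; they are not Greenbone's or Sangoma's tooling. They assume the stock web root /var/www/html and config path /etc/freepbx.conf, a baseline SHA-256 of freepbx.conf recorded after a known-good install, and a database named asterisk (the FreePBX default), and the file names checked are exactly those quoted in the text.

```shell
#!/bin/sh
# Added IoC sweep for CVE-2025-57819 post-exploitation artefacts (hypothetical helper,
# not vendor code). Assumed paths: web root /var/www/html, config /etc/freepbx.conf.

# 1. Web-shell file names reported in breach analysis. Prints each hit under the
#    web root; returns 0 when nothing is found, 1 otherwise. Review hits manually:
#    legitimate modules also ship PHP files.
hunt_webshell_names() {
    webroot="${1:-/var/www/html}"
    hits=0
    for name in .clean.sh monitor.php backend.php .conf_; do
        found=$(find "$webroot" -type f -name "$name" 2>/dev/null)
        if [ -n "$found" ]; then
            echo "$found" | sed 's/^/IOC file: /'
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# 2. Integrity check of freepbx.conf against a baseline file produced with
#    "sha256sum /etc/freepbx.conf > baseline" on a known-good system.
check_conf_integrity() {
    conf="${1:-/etc/freepbx.conf}"
    baseline="$2"
    current=$(sha256sum "$conf" | cut -d' ' -f1)
    expected=$(cut -d' ' -f1 "$baseline")
    if [ "$current" != "$expected" ]; then
        echo "IOC conf modified: $conf"
        return 1
    fi
    return 0
}

# 3. Rogue admin accounts: pipe the output of
#      mysql -N -e 'SELECT username FROM ampusers' asterisk   (assumed DB name)
#    into this function together with an allow-list file (one username per line).
find_rogue_ampusers() {
    allow="$1"
    rogue=0
    while IFS= read -r user; do
        [ -z "$user" ] && continue
        if ! grep -qxF "$user" "$allow"; then
            echo "IOC rogue ampuser: $user"
            rogue=$((rogue + 1))
        fi
    done
    [ "$rogue" -eq 0 ]
}
```

Run all three from a cron job or an incident-response playbook and treat any non-zero exit as a trigger for full forensic collection rather than a clean-up.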
Summary
CVE-2025-57819 poses a high-severity risk to organizations running FreePBX with the commercial EPM module. Evidence shows exploitation can result in unauthenticated RCE with root permissions and full system takeover. Due to the sensitive nature of voice communications, there is potential for surveillance or VoIP DoS. An estimated 12,000+ FreePBX instances are exposed. Administrators should verify their use of the commercial EPM module and urgently patch both FreePBX and the EPM module. Further protection can be gained by restricting access to the Administrator UI, and IT security teams should hunt for IoCs on vulnerable systems.
Joseph has had a varied and passionate background in IT and cyber security since the late 1980s. His early technical experience included working on an IBM PS/2, assembling PCs and programming in C++.
He also pursued academic studies in computer and systems engineering, anthropology and an MBA in technology forecasting.
Joseph has worked in data analytics, software development and, in particular, enterprise IT security. He specialises in vulnerability management, encryption and penetration testing.