The Sangoma FreePBX Security Team is warning about an actively exploited FreePBX zero-day vulnerability that impacts systems with the Administrator Control Panel (ACP) is exposed to the internet.

FreePBX is an open-source PBX (Private Branch Exchange) platform built on top of Asterisk, widely used by businesses, call centers, and service providers to manage voice communications, extensions, SIP trunks, and call routing.

In an advisory posted to the FreePBX forums, the Sangoma FreePBX Security Team warned that since August 21, hackers have been exploiting a zero-day vulnerability in exposed FreePBX administrator control panels.

“​The Sangoma FreePBX Security Team is aware of a potential exploit affecting some systems with the administrator control panel exposed to the public internet, and we are working on a fix, with expected deployment within the next 36 hours,” reads the forum post.

“Users are advised to limit access to the FreePBX Administrator by using the Firewall module to limit access to only known trusted hosts.”

The team has released an EDGE module fix for testing, with a standard security release scheduled for later today.

“The EDGE module fix provided should protect future installations from infection, but it is not a cure for existing systems,” warned Sangoma’s Chris Maj.

“Existing 16 and 17 systems may have been impacted, if they a) had the endpoint module installed and b) their FreePBX Administrator login page was directly exposed to a hostile network e.g. the public internet.”

Admins wishing to test the EDGE release can install it using the following commands:

FreePBX users on v16 or v17 can run:

$ fwconsole ma downloadinstall endpoint --edge

PBXAct v16 users can run:

$ fwconsole ma downloadinstall endpoint --tag 16.0.88.19

PBXAct v17 users can run:

$ fwconsole ma downloadinstall endpoint --tag 17.0.2.31

However, some users have warned that if you now have an expired support contract, you may not be able install the EDGE update, leaving your device unprotected.

If you are unable to install the EDGE module, you should block access to your ACP until the full security update is released tonight.

Flaw actively exploited to breach servers

Since Sangoma published the advisory, numerous FreePBX customers have come forward stating that their servers had been breached through this exploit.

“We are reporting that multiple servers in our infrastructure were compromised, affecting approximately 3,000 SIP extensions and 500 trunks,” a customer posted to the forums.

“As part of our incident response, we have locked all administrator access and restored our systems to a pre-attack state. However, we must emphasize the critical importance of determining the scope of the compromise.”

“Yep my personal PBX was affected as well as one I help manage. The exploit basically allows the attacker to run any command that the asterisk user is allowed to,” another user posted to Reddit.

While Sangoma has not shared any details regarding the exploited vulnerability, the company and its customers have shared indicators of compromise that can be checked to determine if a server has been exploited.

These IOCs include:

• Missing or modified /etc/freepbx.conf configuration file.
• The presence of /var/www/html/.clean.sh shell script. This is believed to have been uploaded by the attackers.
• Suspicious Apache log entries for modular.php.
• Unusual calls to extension 9998 in Asterisk logs as far back as August 21.
• Unauthorized entries in the ampusers table of MariaDB/MySQL,  specifically looking for a suspicious “ampuser” username in the far-left column.

If it is determined that a server is compromised, Sangoma recommends restoring from backups created prior to August 21, deploying the patched modules on fresh systems, and rotating all system and SIP-related credentials.

Administrators should also review call records and phone bills for signs of abuse, especially unauthorized international traffic.

Those with exposed FreePBX ACP interfaces may already be compromised, and the company urges administrators to investigate their installations and secure systems until a fix can be applied.