Tracked as CVE-2025-57819 (CVSS score of 10/10), the bug is described as insufficient sanitization of user-supplied data.
September 2, 2025 By Ionut Arghire
Sangoma has released emergency patches for a zero-day vulnerability exploited to hack FreePBX servers whose administrator control panel was accessible from the internet.
Tracked as CVE-2025-57819 (CVSS score of 10/10), the bug is described as insufficient sanitization of user-supplied data. Successful exploitation of the flaw allows attackers to access the FreePBX administrator panel, enabling database manipulation and remote code execution (RCE).
Fixes were rolled out for FreePBX versions 15, 16, and 17, after Sangoma discovered that the security defect had been exploited in the wild starting on or before August 21. The hacked servers had inadequate IP filtering/ACLs, as noted in a GitHub advisory.