Active Exploits Hit FreePBX Zero-Day, Servers at Risk

Attackers are exploiting a zero-day in the popular communications platform, with reports of widespread breaches and compromised SIP infrastructure.

CSBadmin

The Sangoma FreePBX Security Team has sounded the alarm on a zero-day vulnerability affecting systems with the FreePBX Administrator Control Panel (ACP) exposed to the public internet. FreePBX, an open-source PBX platform built on Asterisk, is popular among businesses, call centers, and service providers for managing communications. Since August 21, threat actors have been actively abusing the flaw to gain access, execute arbitrary commands, and compromise core communications infrastructure.

In response, Sangoma has issued an EDGE module fix for testing, with a full security release expected within 36 hours. While this patch offers protection for new installations, it does not remediate already compromised environments. Administrators with expired support contracts may also find themselves unable to apply the update immediately, leaving exposed ACPs vulnerable. Until the full patch arrives, Sangoma recommends restricting ACP access to trusted hosts or blocking external access entirely.

The FreePBX ACP admin panel. Source: youtube.com/watch?v=HBR99zqixec.

Community reports confirm the exploit’s impact is widespread. One organization disclosed that attackers infiltrated multiple servers, affecting over 3,000 SIP extensions and 500 trunks. Others shared that the vulnerability allows adversaries to execute any command under the Asterisk user. Indicators of compromise include missing or tampered FreePBX configuration files, the presence of a .clean.sh shell script, suspicious Apache log entries, unexpected calls to extension 9998, and unauthorized database entries in the ampusers table.

Administrators are advised to investigate their systems thoroughly. Recommended steps include restoring from pre-August 21 backups, redeploying patched modules on clean systems, rotating all credentials, and reviewing call records for signs of fraud such as unauthorized international calls.
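The indicators listed above (the planted .clean.sh script, calls to extension 9998, unauthorized ampusers rows, missing configuration files) and the call-record review recommended here can be turned into a first-pass triage check. The following is an added example, not code from the article or from Sangoma; the CDR rows, usernames, the admin allow-list, the expected config paths and the international dial prefixes are all constructed assumptions.

```python
import tempfile
from pathlib import Path

# Constructed sample data standing in for a FreePBX host's CDR table, ampusers table and
# filesystem; none of these values come from the article.
SAMPLE_CDR = [
    {"src": "1001", "dst": "1002", "calldate": "2025-08-20 09:12:00"},
    {"src": "1001", "dst": "9998", "calldate": "2025-08-22 03:41:07"},
    {"src": "2003", "dst": "0044207000000", "calldate": "2025-08-22 03:43:10"},
]
SAMPLE_AMPUSERS = ["admin", "helpdesk", "ampuser"]
KNOWN_ADMINS = {"admin", "helpdesk"}                         # assumed operator allow-list
CONFIG_PATHS = ["/etc/freepbx.conf", "/etc/amportal.conf"]  # assumed expected config files
INTL_PREFIXES = ("00", "011", "+")                           # assumed international dial prefixes

def calls_to_extension(cdr, ext="9998"):
    """Return CDR rows whose destination is the extension the article flags."""
    return [row for row in cdr if row["dst"] == ext]

def international_calls(cdr, prefixes=INTL_PREFIXES):
    """Return CDR rows that look like international dialling, for fraud review."""
    return [row for row in cdr if row["dst"].startswith(prefixes)]

def unexpected_ampusers(usernames, known=KNOWN_ADMINS):
    """Return ampusers entries that are not on the operator's allow-list."""
    return sorted(set(usernames) - set(known))

def find_clean_sh(root):
    """Recursively locate any file named .clean.sh below root."""
    return sorted(str(p) for p in Path(root).rglob(".clean.sh"))

def missing_configs(paths=CONFIG_PATHS):
    """Return expected configuration files that are absent from disk."""
    return [p for p in paths if not Path(p).exists()]

def triage(cdr, usernames, root):
    """Collect every indicator into one report; any non-empty entry warrants investigation."""
    return {
        "calls_to_9998": calls_to_extension(cdr),
        "international": international_calls(cdr),
        "unknown_ampusers": unexpected_ampusers(usernames),
        "clean_sh": find_clean_sh(root),
    }

def demo():
    """Run the triage over the constructed data, planting a sample .clean.sh in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "var" / "tmp").mkdir(parents=True)
        (Path(tmp) / "var" / "tmp" / ".clean.sh").write_text("# planted sample\n")
        return triage(SAMPLE_CDR, SAMPLE_AMPUSERS, tmp)
```

On a real host, feed the functions rows pulled from the asteriskcdrdb and ampusers tables and point find_clean_sh at the filesystem root; treat every non-empty result as a lead to investigate, not as proof of compromise on its own.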

This incident underscores the danger of exposing critical admin interfaces to the public internet. Organizations should adopt a layered defense approach—enforcing strict firewall rules, applying patches quickly, and maintaining robust monitoring to detect suspicious activity. With attackers moving fast to weaponize new exploits, minimizing exposure and hardening systems before vulnerabilities are discovered is the best path to resilience.
