cbcvebase.
CVE-2025-57819
published 2025-08-28


Priority: P1 (100)
Severity: critical, CVSS 3.1 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability, due 2025-09-19
Exploited in the wild
EPSS: 93.29% (99.8th percentile)
FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data allowing unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution. This issue has been patched in endpoint versions 15.0.66, 16.0.89, and 17.0.3.

Affected

6 ranges
Vendor    Product   Version range        Fixed in
freepbx   endpoint  < 15.0.66            15.0.66
freepbx   endpoint  < 16.0.89            16.0.89
freepbx   endpoint  < 17.0.3             17.0.3
sangoma   freepbx   >= 15.0, < 15.0.66   15.0.66
sangoma   freepbx   >= 16.0, < 16.0.89   16.0.89
sangoma   freepbx   >= 17.0, < 17.0.3    17.0.3

Detection & IOCs (extracted from sources)

url: /admin/ajax.php
path: /var/log/asterisk/freepbx_security.log
command: GET /admin/ajax.php?module=FreePBX%5Cmodules%5Cendpoint%5Cajax&command=model&template=x&model=model&brand=x'%20;INSERT%20INTO%20cron_jobs%20(modulename,jobname,command,class,schedule,max_runtime,enabled,execution_order)%20VALUES%20('sysadmin','{{username}}','echo%20%22{{cmd}}%22%7Cbase64%20-d%20%3E/var/www/html/{(unknown)}.php',NULL,'*%20*%20*%20*%20*',30,1,1)%20--%20
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FreePBX ajax.php endpoint module SQL Injection Attempt (CVE-2025-57819) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:15; content:"/admin/ajax.php"; fast_pattern; http.request_body; content:"module|3d|"; content:"command|3d|"; content:"model|3d|"; content:"template|3d|"; content:"brand|3d|"; pcre:"/^[^<]*?(?:\x27|%27|-{2}|%2d%2d)?(?:(?:S(?:HOW.+(?:C(?:UR(?:DAT|TIM)E|HARACTER.+SET)|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER|SLEEP|CONCAT|CASE))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|(?:NULL(?:\x2c|%2[cC])){2,}|(?:\x2f|%2[fF])(?:\x2a|%2[aA]).+(?:\x2a|%2[aA]).+(?:\x2f|%2[fF])|CONCAT.+SELECT|EXTRACTVALUE|UNION.+ALL)/i"; reference:url,labs.watchtowr.com/you-already-have-our-personal-data-take-our-phone-calls-too-freepbx-cve-2025-57819/; reference:cve,2025-57819; classtype:attempted-admin; sid:2064717; rev:1;)
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FreePBX ajax.php endpoint module SQL Injection Attempt (CVE-2025-57819) M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/admin/ajax.php|3f|"; fast_pattern; startswith; content:"module|3d|"; content:"command|3d|"; content:"model|3d|"; content:"template|3d|"; content:"brand|3d|"; pcre:"/^[^<]*?(?:\x27|%27|-{2}|%2d%2d)?(?:(?:S(?:HOW.+(?:C(?:UR(?:DAT|TIM)E|HARACTER.+SET)|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER|SLEEP|CONCAT|CASE))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|(?:NULL(?:\x2c|%2[cC])){2,}|(?:\x2f|%2[fF])(?:\x2a|%2[aA]).+(?:\x2a|%2[aA]).+(?:\x2f|%2[fF])|CONCAT.+SELECT|EXTRACTVALUE|UNION.+ALL)/i"; reference:url,labs.watchtowr.com/you-already-have-our-personal-data-take-our-phone-calls-too-freepbx-cve-2025-57819/; reference:cve,2025-57819; classtype:attempted-admin; sid:2064719; rev:1;)
  • Probe for the backdoor cleanup script dropped during 0-day exploitation by requesting /.clean.sh and matching on keywords present in the response body.
  • Detect SQLi exploitation attempts against /admin/ajax.php by matching the EXTRACTVALUE-based error-based injection response pattern in the body.
  • The exploit inserts a cron job into the `cron_jobs` table via SQL injection to schedule a base64-decoded PHP webshell written to /var/www/html/; monitor for unexpected rows in cron_jobs with schedule '* * * * *' and commands containing base64 decode pipes.
  • The RCE payload is a self-deleting PHP webshell that emits the response header 'x_poc: CVE-2025-57819'; hunt for this header in HTTP logs as a confirmation of successful exploitation.
  • Use Shodan/FOFA favicon hashes to identify exposed FreePBX instances that may be targeted.
  • The Metasploit module exploits the FreePBX database user's ability to schedule cron jobs; monitor for new cron entries created by the database user (e.g., the asterisk or freepbx DB user) as a post-exploitation indicator.
  • The Nuclei RCE template uses a 70-second wait (timeout 80s) before fetching the dropped PHP webshell, because the payload is executed via a cron job scheduled at '* * * * *' (every minute); detection timing must account for this delay.
  • The Nuclei template flow is 'http(1) || http(2) && http(3) && http(4)', meaning SQLi detection (step 1) is independent of the RCE chain (steps 2–4); operators should be aware that step 1 alone does not confirm RCE.
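A defender-side triage script for three of the indicators listed above (the ajax.php request shape with an SQL-looking brand= value, the every-minute base64-decoding cron_jobs row, and the x_poc confirmation header), written here as an added example rather than code from this page or from FreePBX. The log lines and table rows are constructed; the cron_jobs column names follow the INSERT statement quoted in the command IOC above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format log lines (not from the page). The first
# carries an SQL-looking brand= value shaped like the request quoted above.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [01/Sep/2025:10:00:01 +0000] "GET /admin/ajax.php?module=FreePBX%5Cmodules%5Cendpoint%5Cajax&command=model&template=x&model=model&brand=x%27%20%3BINSERT%20INTO%20cron_jobs%20(modulename)%20VALUES%20(%27x%27)%20--%20 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Sep/2025:10:00:02 +0000] "GET /admin/ajax.php?module=endpoint&command=model&brand=yealink HTTP/1.1" 200 2048',
    '198.51.100.9 - - [01/Sep/2025:10:00:03 +0000] "GET /admin/config.php?display=dashboard HTTP/1.1" 200 9000',
]
# Constructed rows in the shape of the cron_jobs columns named in the INSERT above.
SAMPLE_CRON_ROWS = [
    {"modulename": "sysadmin", "jobname": "updater", "schedule": "* * * * *",
     "command": 'echo "PD9waHAgLi4u"|base64 -d >/var/www/html/x.php'},
    {"modulename": "backup", "jobname": "nightly", "schedule": "0 2 * * *",
     "command": "/usr/sbin/fwconsole backup --id=1"},
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# A quote, a comment terminator or a DML keyword has no business in a brand name.
SQLI_RE = re.compile(r"'|--|\b(?:INSERT\s+INTO|UNION|SELECT|EXTRACTVALUE)\b", re.I)

def suspicious_ajax_request(line):
    """True for a /admin/ajax.php request naming the endpoint module with an SQL-looking brand=."""
    m = REQUEST_RE.search(line)
    if not m:
        return False
    url = urlsplit(m.group("target"))
    if url.path != "/admin/ajax.php":
        return False
    params = {k: v[0] for k, v in parse_qs(url.query).items()}  # values are percent-decoded
    if "endpoint" not in params.get("module", "").lower():
        return False
    return SQLI_RE.search(params.get("brand", "")) is not None

def suspicious_cron_job(row):
    """True for a cron_jobs row that runs every minute and pipes base64 output into the web root."""
    cmd = row.get("command", "")
    return (row.get("schedule") == "* * * * *"
            and "base64 -d" in cmd and "/var/www/html/" in cmd)

def response_confirms_exploit(headers):
    """True when a response carries the x_poc marker header (header name matched case-insensitively)."""
    return any(k.lower() == "x_poc" and v == "CVE-2025-57819" for k, v in headers.items())

def scan(log_lines=SAMPLE_ACCESS_LOG, cron_rows=SAMPLE_CRON_ROWS):
    """Return (suspicious request lines, suspicious cron rows) for analyst triage."""
    return ([l for l in log_lines if suspicious_ajax_request(l)],
            [r for r in cron_rows if suspicious_cron_job(r)])
```

The request check is a coarse filter for triage, not a replacement for the Emerging Threats rules above; feed real access logs and a dump of cron_jobs into scan() and review every hit.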

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v4.0     10.0   CRITICAL  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck  -        10.0   CRITICAL  -
cisa       -        10.0   CRITICAL  -