A critical vulnerability in Sangoma's FreePBX, tracked as CVE-2025-57819, is being actively exploited in the wild, posing a severe risk to systems running versions 15, 16, and 17 of the software. This flaw, which carries a CVSS score of 9.8, allows unauthenticated attackers to manipulate databases and execute arbitrary code remotely. The vulnerability arises from insufficiently sanitized user inputs, which can be leveraged to gain unauthorized access to the FreePBX Administrator interface.
The flaw was disclosed on August 28, 2025, and was quickly added to CISA's Known Exploited Vulnerabilities (KEV) catalog the following day. The speed of exploitation is notable, with threat actors beginning to exploit the vulnerability within hours of its disclosure, highlighting a TTE (time to exploit) of just 0.3 days.
The exploitation of this vulnerability is facilitated by the availability of a working exploit and multiple proof-of-concept (PoC) scripts, which have been circulating among threat actors. The Exploit Prediction Scoring System (EPSS) assigns a high likelihood of exploitation, with a score of 0.705, underscoring the urgency for organizations to address this issue.
FreePBX is a widely used open-source web-based graphical user interface for managing voice over IP (VoIP) services, making this vulnerability particularly concerning for enterprises relying on these systems for communication. The Security Severity Vulnerability Classification (SSVC) recommends immediate action to mitigate the risk.
Organizations using FreePBX are urged to apply available patches or implement workarounds to protect their systems from potential attacks. Given the critical nature of this vulnerability and its active exploitation, swift action is essential to safeguard sensitive communications and data.
CSURFACE