We’re back - it’s a day, in a month, in a year - and once again, something has happened.

In this week’s episode of “the Internet is made of string and there is literally no evidence to suggest otherwise”, we present even further evidence that as a species we made a fairly painful mistake when we discovered electricity - and it just got worse and worse.

Today, inside this hellscape we call the Internet, a mean person has discovered a zero-day(s) in FreePBX (now lovingly called CVE-2025-57819). But they didn’t stop there - the dastardly individual(s) then proceeded to exploit FreePBX hosts en masse.

As these stories sometimes play out, the ruse was rumbled when pesky sysadmins started posting to the FreePBX Community Forums, complaining of broken installs and other nonsense.

You decided to use FreePBX instead of Microsoft Teams, and now you have to live with the consequences.

Is This A FreePBX?

FreePBX is an open-source, web-based GUI that manages and controls the Asterisk VoIP phone system. Most of the code is wide open - you can spin up an appliance with a bash script or ISO and browse the PHP to your heart’s content. Some commercial add-on modules, though, are locked up behind ionCube Loader.

FreePBX isn’t just a toy project either - it’s used by everyone from home lab hobbyists to MSPs to full-blown enterprises.

As we’ve seen continuously - attackers love tapping communications. Earlier in 2025, the industry was overwhelmed with news about Salt Typhoon compromising telcos and lawful-intercept systems at scale to intercept calls.

A compromise of FreePBX represents the same - access to phone calls, voicemails, recordings… (and the benefit of access to a privileged and likely trusted host in an interesting environment).

The Timeline Of Panic - It Begins

As always in life, everything interesting is ruined by someone asking questions.

On the 25th August 2025, someone did exactly that. The cheek!

Once we traversed their whining, the user did share some interesting information - the...