Sangoma is currently investigating malicious activity targeting FreePBX systems, with attacks observed as early as August 21, 2025. The activity specifically affects deployments where the Administrator Control Panel (ACP) is exposed to the public internet.
FreePBX is an open-source Private Branch Exchange (PBX) system widely used by managed service providers, call centers, and enterprise voice infrastructure teams.
In an update posted to the FreePBX community forum on August 26, Sangoma’s security team confirmed that a fix is actively being developed. In the interim, Sangoma has released a module update through EDGE, a pre-release testing stream that allows administrators to access early versions of module updates before they are pushed to the stable release.
EDGE is intended to provide immediate protection, though it may not be fully vetted for production environments. Sangoma also noted that while the EDGE fix can protect future installations from compromise, it does not remediate systems already impacted by the exploit.
In the meantime, users are strongly advised to restrict access to the ACP by configuring the FreePBX Firewall module to allow connections only from known and trusted hosts. This interim measure is critical to reducing exposure while the patch is finalized and rolled out.
FreePBX systems running versions 16 or 17 may be vulnerable if they have the Endpoint Manager module installed and their ACP is exposed to the internet.
Administrators can test the EDGE release using specific fwconsole commands, depending on their version and whether they are using PBXAct appliances. However, some users have reported that expired support contracts may prevent installation of the EDGE update, leaving affected systems unprotected.
Analyst insight
The issue underscores the need for strict segmentation of voice infrastructure, routine exposure assessments, and proactive patch management, especially for systems with internet-facing components.
For systems with the Endpoint Manager module installed and the ACP exposed to the internet, the immediate priority is to contain exposure by restricting public access to the FreePBX ACP.
Follow Sangoma's recommendations to use the built-in FreePBX Firewall to limit access to trusted IP ranges or place the PBX behind a virtual private network (VPN). If firewall controls are not in place, ACP access should be disabled until the full security patch is deployed. The EDGE module update offers temporary protection for new installations, but it does not remediate compromised systems.
Organizations are advised to audit all FreePBX deployments for signs of compromise, including unauthorized admin accounts, suspicious POST requests to modular.php, and unexpected shell scripts. If compromise is suspected, restoring from clean backups dated before August 21 is advised. Organizations may consider credential rotation across SIP trunks, voicemail, and user portals.
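One way to run the modular.php part of that audit over web server access logs, as an added example that is not code from Sangoma or FreePBX. It assumes Apache/nginx "combined" log format; the trusted ranges, the sample log lines and the request paths in them are constructed placeholders.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

FIRST_SEEN = datetime(2025, 8, 21, tzinfo=timezone.utc)  # earliest activity per the advisory
# Assumption: placeholder management ranges allowed to reach the ACP.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/28")]

# Apache/nginx "combined" access-log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation addresses, made-up paths), not real traffic.
SAMPLE_LOG = """\
10.1.2.3 - - [20/Aug/2025:09:12:01 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Aug/2025:22:40:10 +0000] "POST /modular.php HTTP/1.1" 404 196 "-" "-"
203.0.113.45 - - [21/Aug/2025:03:14:07 +0000] "POST /modular.php HTTP/1.1" 200 87 "-" "-"
203.0.113.45 - - [22/Aug/2025:03:15:30 +0000] "POST /modular.php HTTP/1.1" 200 91 "-" "-"
198.51.100.7 - - [24/Aug/2025:11:02:44 +0000] "GET /modular.php HTTP/1.1" 200 0 "-" "-"
10.1.2.3 - - [25/Aug/2025:08:00:00 +0000] "POST /modular.php HTTP/1.1" 200 64 "-" "-"
"""

def suspicious_posts(log_text, trusted=TRUSTED_NETS, since=FIRST_SEEN):
    """Map each untrusted source to its POSTs to modular.php made on or after `since`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Compare the file name only, ignoring directory and query string.
        name = m["path"].split("?", 1)[0].rsplit("/", 1)[-1].lower()
        if name != "modular.php":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ts < since:
            continue
        try:
            is_trusted = any(ipaddress.ip_address(m["src"]) in net for net in trusted)
        except ValueError:
            is_trusted = False  # logged as a hostname: cannot be allow-listed, report it
        if not is_trusted:
            hits[m["src"]].append((ts.isoformat(), m["path"], int(m["status"])))
    return dict(hits)

if __name__ == "__main__":
    for src, events in suspicious_posts(SAMPLE_LOG).items():
        print(src, len(events), "POST(s):", events)
```

Because the advisory gives August 21 only as the earliest observed date, pass an earlier `since` value to widen the window when reviewing a system that was exposed before then.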
Monitor for the patch release on the community channel and apply updates once available.