The Sangoma FreePBX Security Team has issued an urgent warning about an actively exploited zero-day vulnerability affecting systems with the Administrator Control Panel (ACP) exposed online. FreePBX, a widely used open-source PBX platform built on Asterisk, powers critical communications for businesses, call centers, and service providers. Since August 21, attackers have been leveraging the flaw to compromise systems, allowing arbitrary command execution under the Asterisk user.
The FreePBX ACP admin panel. Source: youtube.com/watch?v=HBR99zqixec.
Sangoma has released an EDGE module fix for testing, with a full security release expected shortly. However, the temporary patch is not retroactive and cannot remediate already compromised systems. Administrators unable to install the EDGE update—particularly those with expired support contracts—are urged to immediately restrict ACP access to trusted hosts or block it entirely until the full patch is released.
Reports from affected users highlight the severity of the attacks. One customer stated that multiple servers were breached, impacting over 3,000 SIP extensions and 500 trunks, while others confirmed that the exploit grants attackers broad command execution capabilities. Indicators of compromise include missing or altered FreePBX configuration files, the presence of a malicious shell script (.clean.sh), suspicious Apache log entries, abnormal Asterisk calls to extension 9998, and unauthorized database users.
Sangoma advises administrators to check for these IOCs, restore systems from backups dated before August 21, deploy patched modules on clean installations, and rotate all system and SIP credentials. Additionally, they recommend monitoring call records and phone bills for unauthorized international traffic—often a telltale sign of telephony abuse following PBX compromises.
Healthcare organizations relying on FreePBX for patient communications, telehealth services, or internal coordination should treat this zero-day with high urgency. Exposed ACPs must be locked down immediately, and systems should be inspected for compromise indicators. Given healthcare’s heightened risk from disruptions and fraud, security teams should enforce network segmentation for PBX systems, maintain regular offline backups, and closely monitor telecom activity to detect abnormal patterns. Proactive patching and strict access controls are essential to prevent exploitation that could jeopardize both patient privacy and critical service availabili
