Sangoma FreePBX Authentication Bypass RCE

FreePBX, the widely deployed open-source web-based GUI for managing Asterisk PBX systems, is vulnerable to an authentication bypass that leads to unauthenticated remote code execution.

Versions 15, 16, and 17 are affected. Attackers can manipulate database queries to gain full read/write access, escalate to administrator privileges without credentials, and take complete control of the system. A Rapid Response test proved the target asset was exploitable to the FreePBX vulnerability in just 3 minutes.

This vulnerability has a CVSS score of 10.0 (Critical) and has been actively exploited in the wild since August 21, 2025.

Technical Details

• Vulnerability Type: Authentication Bypass → SQL manipulation → Remote Code Execution (RCE)
• Affected Versions: 15, 16, 17
• Patched Versions: 15.0.66, 16.0.89, 17.0.3
• Impact:
  • Unauthenticated attacker gains full administrator-level access
  • Modification of call routing, voicemail, and PBX configurations
  • Potential pivot deeper into enterprise networks

Mitigations

Immediate Actions:

• Restrict and lock down admin interfaces.
• Upgrade to patched versions: 15.0.66, 16.0.89, 17.0.3.

Ongoing Defense:

• Run NodeZero Rapid Response to confirm exploitability across your environment.
• Monitor external assets for exposure to this vulnerability.
• Take action to look for indicators of compromise by following the recommended actions by the vendor

Rapid Response N-Day Testing