In the IP-telephony ecosystem, a vulnerability in FreePBX was discovered and exploited on August 21, 2025. The community noticed a mass compromise, and reports of similar symptoms and traces of unauthorized access began to appear on the forum. Researchers from watchTowr Labs confirmed that the issue was an unauthenticated remote attack tied to the commercial Endpoint module and a flaw in how classes are loaded.
The vulnerability has been assigned the identifier CVE-2025-57819. FreePBX is a web interface for Asterisk used by both home enthusiasts and corporate systems. The consequences of this vulnerability reach beyond the internal admin panels: they extend to access to calls, voicemail, and call records.
The first warning sign of the vulnerability was a PHP error message about a Symfony class problem. Shortly afterwards, an administrator found a script named file.clean.sh on the server. The script selectively scrubbed log files under “/var/log/*” to remove any references to web shells and official names, then deleted itself. Log cleaning of this kind is typically done by attackers to erase their traces and make incident analysis more difficult.
watchTowr conducted a full analysis of a FreePBX sensor, comparing its state before and after the vulnerability was exploited. They located the vulnerable code in the Endpoint module and identified a critical interaction between the /admin/ajax.php route and the class autoloading mechanism. The exploit relied on a class_exists() check on the module parameter: the attacker-supplied string was passed to the custom fpbx_framework_autoloader through standard PHP autoloading, which ultimately gave unauthenticated access to the vulnerable module.
Attackers used this vulnerability to create a hidden administrator account named “ampuser”, injecting through the brand parameter into the ampusers table. They also added an entry to the cron_jobs table with the schedule “* * * * *”, so their malicious code ran once a minute through the FreePBX system utilities. watchTowr reproduced this chain of events in a lab setting and published a detection-artifact generator for checking a system for traces of similar attacks.
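As an added illustration (not from the original report or watchTowr's tooling), the following Python checks a FreePBX database for the two persistence artifacts described above: an administrator login that is not on the known list, and an enabled cron_jobs entry scheduled every minute. It runs here on constructed SQLite rows; the column names are assumptions that should be verified against the real FreePBX asterisk database before use.

```python
"""Added example: hunt for CVE-2025-57819 post-exploitation artifacts in FreePBX tables.
Column layouts of ampusers and cron_jobs are assumptions; adapt to the live schema."""
import sqlite3
from typing import List, Tuple

# Assumption: the site's legitimate FreePBX administrator logins.
EXPECTED_ADMINS = {"admin"}


def load_sample_db() -> sqlite3.Connection:
    """Build an in-memory copy with constructed rows, two of which are planted IoCs."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE ampusers (username TEXT, password_sha1 TEXT, sections TEXT);
        CREATE TABLE cron_jobs (id INTEGER, modulename TEXT, jobname TEXT,
                                command TEXT, schedule TEXT, enabled INTEGER);
        INSERT INTO ampusers VALUES ('admin',   'c0ffee00', '*');
        INSERT INTO ampusers VALUES ('ampuser', 'deadbeef', '*');   -- constructed IoC
        INSERT INTO cron_jobs VALUES (1, 'backup', 'nightly',
                                      '/usr/sbin/fwconsole backup', '0 2 * * *', 1);
        INSERT INTO cron_jobs VALUES (2, 'endpoint', 'update',
                                      '/tmp/.hidden_task', '* * * * *', 1);  -- constructed IoC
    """)
    return db


def is_every_minute(schedule: str) -> bool:
    """True when all five cron fields are '*', i.e. the job fires once a minute."""
    return schedule.split() == ["*"] * 5


def find_artifacts(db: sqlite3.Connection) -> List[Tuple[str, str]]:
    """Return (category, detail) findings for unexpected admins and every-minute jobs."""
    findings: List[Tuple[str, str]] = []
    for (user,) in db.execute("SELECT username FROM ampusers"):
        if user not in EXPECTED_ADMINS:
            findings.append(("unexpected_admin", user))
    rows = db.execute(
        "SELECT id, modulename, command, schedule FROM cron_jobs WHERE enabled = 1")
    for job_id, module, command, schedule in rows:
        if is_every_minute(schedule):
            findings.append(("every_minute_cron",
                             f"id={job_id} module={module} cmd={command}"))
    return findings


if __name__ == "__main__":
    for category, detail in find_artifacts(load_sample_db()):
        print(f"[{category}] {detail}")
```

Against a live system, replace `load_sample_db()` with a read-only connection to the asterisk database and treat every finding as a lead to confirm, not proof of compromise.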