1.0 Introduction
Recently, The Sangoma FreePBX Security Team has released an urgent advisory on an actively exploited zero-day vulnerability affecting FreePBX systems that expose the Administrator Control Panel (ACP) to the public internet.
2.0 Impact
This vulnerability could allow an unauthorized attacker to remote code execution, arbitrary database manipulation and full system compromise
3.0 Affected Products
- FreePBX 15: Versions prior to 15.0.66
- FreePBX 16: Versions prior to 16.0.89
- FreePBX 17: Versions prior to 17.0.3
4.0 Indicators of Compromise (IOCs)
- File /etc/freepbx.conf recently modified or missing
- File /var/www/html/.clean.sh should not exist on normal systems
- POST requests to modular.php in web server logs likely not legitimate traffic
- Phone calls placed to extension 9998 in call logs and CDRs are unusual - unless previously configured
- Suspicious ampuser user in the ampusers database table or other unknown users
5.0 Recommendations
CyberSecurity Malaysia encourages users and administrators to review the security update released and apply the necessary updates.
Kindly refer to the following URL: https://github.com/FreePBX/security-reporting/security/advisories/GHSA-m42g-xg4c-5f3h
Generally, Cyber999 advises users of this device to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.
For further enquiries, please contact Cyber999 through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 08:30 -17.30 MYT
Web: https://www.cybersecurity.my/
6.0 References