FreePBX SQL Injection Flaw Exploited to Alter Database Records

A critical, unauthenticated SQL injection vulnerability in FreePBX is being actively exploited, posing a severe risk to VoIP infrastructures worldwide. Attackers are abusing a web endpoint to inject database entries, create scheduled tasks, and ultimately run arbitrary code on compromised systems.

What is affected, and why it matters

FreePBX, the web-based administrative interface commonly used with the Asterisk PBX platform, exposes endpoints that manage telephony settings and scheduled tasks. Vulnerable FreePBX versions include 15, 16, and 17, and the flaw enables unauthenticated actors to bypass protections, alter database records, and achieve remote code execution, potentially leading to full system compromise. This vulnerability has been tracked as CVE-2025-57819.

How the exploit works, in plain terms

Attackers send specially crafted HTTP GET requests to the FreePBX ajax.php endpoint, targeting a parameter named brand. Because input validation is insufficient, the supplied value can include SQL payloads, which are executed by the database. Adversaries have used this vector to insert malicious rows into the cron_jobs table, which FreePBX uses to schedule system or maintenance tasks. By adding a cron job that writes a PHP file to the web root, then scheduling it to run, threat actors can execute system commands on the host.
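The flaw class described above, as an added illustration that is not FreePBX code and does not reflect its real schema: a constructed sqlite3 table and a hypothetical lookup that splices the brand parameter into SQL text, beside the parameterized form that treats the same value as data. The table name module_settings, the lookup functions and the tautology probe are assumptions made for the example; FreePBX itself is PHP, where the equivalent fix is a PDO or mysqli prepared statement.

```python
import sqlite3

# Constructed stand-in table for the example; not FreePBX's real schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE module_settings (brand TEXT, value TEXT)")
    conn.executemany("INSERT INTO module_settings VALUES (?, ?)",
                     [("acme", "public"), ("internal", "secret")])
    return conn

def lookup_vulnerable(conn, brand):
    # The flaw class on the page: untrusted input is spliced into SQL text,
    # so the database parses the request parameter as part of the statement.
    sql = f"SELECT value FROM module_settings WHERE brand = '{brand}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, brand):
    # Hardened form: bind the value; the driver sends it as data, never as SQL.
    return [row[0] for row in conn.execute(
        "SELECT value FROM module_settings WHERE brand = ?", (brand,))]

def lookup_allowlisted(conn, brand, known_brands=("acme", "internal")):
    # Defence in depth: reject anything outside the set of brands the
    # application actually knows before any query runs at all.
    if brand not in known_brands:
        raise ValueError("unknown brand")
    return lookup_parameterized(conn, brand)

if __name__ == "__main__":
    db = make_db()
    probe = "' OR 1=1 --"  # constructed tautology, the simplest instance of the flaw
    print("vulnerable:    ", lookup_vulnerable(db, probe))      # leaks every row
    print("parameterized: ", lookup_parameterized(db, probe))   # no match
```

The vulnerable function returns every row for the probe because the quote closes the string literal and the trailing comment swallows the original closing quote; the parameterized version returns nothing because the whole probe is compared as a literal brand name.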

Example of the attack pattern

A representative exploit uses a GET request that injects an SQL INSERT statement into cron_jobs, including a base64-encoded command. Once decoded and executed by the scheduled job, the payload writes a PHP script that runs system commands, then removes itself to reduce forensic traces. This sequence turns a database manipulation into direct code execution, and it provides persistence via scheduled tasks. Security analysts have observed real-world attempts using this method.

Observed impact and activity

Multiple incident response and threat intelligence teams, along with public security advisories, have confirmed active exploitation of CVE-2025-57819, with widespread scanning and mass exploitation attempts reported since the disclosure. The vulnerability carries a very high severity rating, and public exploit code and detection signatures have appeared in community tooling and template repositories.

Mitigation, detection, and recommended actions

1. Patch immediately. Update the FreePBX endpoint packages to patched releases: 15.0.66, 16.0.89, or 17.0.3 or later.
2. If you cannot patch right away, block or restrict access to the FreePBX web interface. At minimum, limit access to management ports with IP allow lists, and put the admin interface behind a VPN or bastion host.
3. Inspect the cron_jobs table and the web root directories for unexpected entries or files, especially recently created files that contain base64-decoded payloads, and check for scheduled tasks that match attacker patterns.
4. Review web server and application logs for suspicious GET requests to ajax.php that include injection patterns or unusual encoding, and add IDS/IPS signatures or WAF rules to detect exploitation attempts.
5. Rotate credentials, audit accounts with administrative privileges, and rebuild compromised hosts if you confirm code execution, because attackers may have left backdoors or additional persistence mechanisms.
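Steps 3 and 4 above, as an added example that is not part of the original advisory or of the FreePBX project: a log scan that flags ajax.php requests whose brand parameter contains SQL metacharacters or keywords, and an audit of cron_jobs rows for commands that decode base64 at run time, touch PHP files under the web root, or clean up after themselves. The access-log lines, the cron_jobs rows and column names, the indicator list and the base64 string (which decodes to "echo hi") are all constructed for the example; the real cron_jobs schema may differ, so adapt the row keys when reading from the live database.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (Apache combined format); not real captures.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Sep/2025:08:01:12 +0000] "GET /admin/ajax.php?module=core&command=getinfo HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Sep/2025:08:01:13 +0000] "GET /admin/ajax.php?module=core&command=getinfo&brand=acme HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2025:08:02:44 +0000] "GET /admin/ajax.php?module=core&command=getinfo&brand=x%27%3B+INSERT+INTO+cron_jobs+--+ HTTP/1.1" 200 12 "-" "python-requests/2.31"
198.51.100.7 - - [10/Sep/2025:08:02:45 +0000] "GET /admin/ajax.php?module=core&command=getinfo&brand=%27+OR+1%3D1+--+ HTTP/1.1" 200 12 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters and keywords that have no business in a brand name.
SQLI_MARKERS = re.compile(
    r"'|--|;|/\*|\b(union|select|insert|update|delete|cron_jobs|base64)\b", re.I
)

def suspicious_requests(log_text):
    """Return ajax.php requests whose brand parameter looks like SQL rather than a brand."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/ajax.php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("brand", []):
            value = unquote_plus(value)  # second decode catches double-encoded (%2527) input
            if SQLI_MARKERS.search(value):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "brand": value})
    return hits

# Constructed cron_jobs rows; column names are assumptions, not the real schema.
SAMPLE_CRON_JOBS = [
    {"id": 1, "command": "/usr/sbin/fwconsole backup --id=3", "schedule": "0 2 * * *"},
    {"id": 2, "command": "echo ZWNobyBoaQ== | base64 -d > /var/www/html/admin/x.php; "
                         "php /var/www/html/admin/x.php; rm -f /var/www/html/admin/x.php",
     "schedule": "* * * * *"},
]

# Indicators drawn from the attack pattern described in the article.
CRON_INDICATORS = [
    (re.compile(r"base64\s+(-d|--decode)\b"), "decodes base64 at run time"),
    (re.compile(r"/var/www/\S*\.php\b"), "touches a PHP file under the web root"),
    (re.compile(r"\brm\s+(-\S+\s+)*\S+\.php\b"), "deletes a PHP file after use"),
    (re.compile(r"\b(curl|wget)\b"), "fetches remote content"),
]

def audit_cron_jobs(rows):
    """Return rows whose command matches any indicator, together with the reasons."""
    findings = []
    for row in rows:
        reasons = [why for rx, why in CRON_INDICATORS if rx.search(row["command"])]
        if reasons:
            findings.append({"id": row["id"], "reasons": reasons, "command": row["command"]})
    return findings

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious ajax.php request:", hit)
    for finding in audit_cron_jobs(SAMPLE_CRON_JOBS):
        print("suspicious cron_jobs row:", finding)
```

Run the log scan over the real access log and the audit over a dump of cron_jobs; a hit from the first is a strong lead for the timeframe to inspect in the second, and any scheduled command that both decodes base64 and writes under the web root should be treated as confirmed code execution for the purposes of step 5.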