DIVD-2025-00038 - Found webshells in FreePBX due to RCE vulnerability
Our reference | DIVD-2025-00038 |
Case lead | Stan Plasmeijer |
Author | Max van der Horst |
Researcher(s) | |
CVE(s) | |
Products | |
Versions | |
Recommendation | Restrict access to the FreePBX administrator interface (via VPN, firewall, or access control lists). Do not expose it directly to the internet. |
Patch status | Available |
Status | Open |
Last modified | 28 Aug 2025 22:50 CEST |
Summary
On 27 August 2025, the FreePBX community issued a security advisory warning of increased exploitation attempts against systems exposing their administrator web interface to the internet. This issue has been assigned CVE-2025-57819.
Attackers target the /admin panel of FreePBX to obtain unauthorized access. If successful, exploitation may lead to remote code execution, privilege escalation, or full system compromise. The advisory highlights that the root problem is the unsafe exposure of the administrator interface, rather than a single patchable flaw.
What you can do
To mitigate CVE-2025-57819, administrators should:
- Restrict access to the FreePBX administration interface:
  - Block access from the public Internet.
  - Limit exposure to trusted IPs using firewall rules.
  - Place the admin interface behind a VPN or secure bastion host.
- Apply updates to all FreePBX modules and the system itself.
- Monitor logs for brute-force attempts and suspicious login activity.
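To check whether the access restriction is holding and to support the log-monitoring step, the following added example (not part of the FreePBX advisory or of DIVD's tooling) summarises requests to /admin from clients outside an allowlist. It assumes the web server writes the common "combined" access-log format; the trusted ranges, the POST threshold and the sample log lines are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Assumption: the only networks that should ever reach /admin (placeholder ranges).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
# Combined access-log format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def is_trusted(ip):
    try:
        return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)
    except ValueError:
        return False  # hostname or garbage in the client field: treat as untrusted

def audit_admin_access(lines, post_threshold=3):
    """Summarise /admin requests from clients outside TRUSTED_NETS, keyed by client IP."""
    hits = defaultdict(lambda: {"requests": 0, "posts": 0, "statuses": Counter()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # Drop the query string and collapse "//admin" so trivial variants still match.
        path = re.sub(r"/+", "/", m["path"].split("?", 1)[0])
        if path != "/admin" and not path.startswith("/admin/"):
            continue
        if is_trusted(m["ip"]):
            continue
        rec = hits[m["ip"]]
        rec["requests"] += 1
        rec["posts"] += m["method"] == "POST"
        rec["statuses"][m["status"]] += 1
    for rec in hits.values():
        rec["repeated_posts"] = rec["posts"] >= post_threshold  # flag for manual review
    return dict(hits)

# Constructed sample lines (documentation IP ranges; status codes are illustrative).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Aug/2025:09:00:01 +0200] "GET /admin/config.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [28/Aug/2025:09:01:10 +0200] "POST /admin/config.php HTTP/1.1" 403 312 "-" "curl/8.0"',
    '203.0.113.7 - - [28/Aug/2025:09:01:11 +0200] "POST /admin/config.php HTTP/1.1" 403 312 "-" "curl/8.0"',
    '203.0.113.7 - - [28/Aug/2025:09:01:12 +0200] "POST /admin/config.php?x=1 HTTP/1.1" 200 900 "-" "curl/8.0"',
    '198.51.100.23 - - [28/Aug/2025:09:05:00 +0200] "GET //admin/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [28/Aug/2025:09:05:02 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, rec in sorted(audit_admin_access(SAMPLE_LOG).items()):
        print(ip, rec["requests"], dict(rec["statuses"]), "repeated POSTs" if rec["repeated_posts"] else "")
```

Any address this reports means the admin interface was reachable from outside the intended networks, whatever the response status was.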
What we are doing
DIVD is investigating the compromise of FreePBX administration interfaces and may notify affected parties. Our aim is to reduce the attack surface and support system owners in remediating the compromise.
Timeline
Date | Description |
---|---|
27 Aug 2025 | FreePBX community reports surge in exploit attempts and webshells against admin interfaces |
28 Aug 2025 | CVE-2025-57819 assigned for FreePBX administrator interface exposure |
28 Aug 2025 | DIVD scans for webshelled instances |