
Exploit Against FreePBX (CVE-2025-57819) with code execution (Tue, Oct 7th)

Severity: Low
Tags: exploit, web, rce
Published: Tue Oct 07 2025 (10/07/2025, 16:23:36 UTC)
Source: SANS ISC Handlers Diary

Description

A recently discovered SQL injection vulnerability (CVE-2025-57819) in FreePBX, a widely used open-source PBX system, allows attackers to modify the database and achieve remote code execution. Exploitation involves injecting malicious SQL commands via the web-based admin interface, specifically targeting the 'brand' parameter, to insert cron jobs that execute arbitrary PHP code on the server. This code creates a PHP file that executes shell commands and persists by recreating itself every minute. Although the initial severity was rated low, the ability to execute arbitrary code and maintain persistence elevates the threat significantly. No widespread exploitation has been observed yet, but compromised systems could be abused for toll fraud, call impersonation, or as a foothold for further network compromise. European organizations using FreePBX should urgently verify their systems, review cron_jobs tables for suspicious entries, and apply patches or mitigations. Countries with high FreePBX adoption and critical telecom infrastructure are at greater risk. The suggested severity is high due to the impact and ease of exploitation without authentication.

AI-Powered Analysis

Last updated: 10/07/2025, 16:30:29 UTC

Technical Analysis

FreePBX is an open-source PBX system built on Asterisk, providing a web-based admin interface for easier management. A newly disclosed vulnerability, CVE-2025-57819, is a SQL injection flaw in the admin interface that allows attackers to manipulate the backend database. Specifically, the injection occurs via the 'brand' parameter in a GET request to the ajax.php endpoint. Attackers exploit this to insert malicious entries into the 'cron_jobs' database table, which FreePBX uses to manage scheduled tasks. The injected cron job executes a base64-decoded PHP payload that creates a PHP file (/var/www/html/rspgf.php) on the server. This PHP file runs shell commands (e.g., 'uname -a') and deletes itself after execution, but the cron job recreates it every minute, ensuring persistence. This results in arbitrary code execution on the server with the privileges of the web server user. Such access can be leveraged to manipulate call routing, perform toll fraud, impersonate legitimate users, or pivot deeper into the network. Although no widespread exploitation has been detected in honeypots, the vulnerability was publicly disclosed on August 28, 2025, and exploitation attempts have been observed. The lack of authentication requirements and the ability to maintain persistence make this a critical threat vector for organizations relying on FreePBX. The vulnerability underscores the importance of securing administrative interfaces and monitoring database integrity. No official patch links were provided at the time of reporting, but users are urged to update FreePBX and audit their cron_jobs tables for suspicious entries.

Potential Impact

For European organizations, the impact of this vulnerability is significant due to the widespread use of FreePBX in enterprise telephony systems. Successful exploitation can lead to full compromise of the PBX server, enabling attackers to intercept, manipulate, or reroute calls, potentially leading to toll fraud and financial losses. The ability to execute arbitrary code also opens the door to lateral movement within corporate networks, data exfiltration, and disruption of critical communication infrastructure. Telecom providers and enterprises relying heavily on VoIP systems are particularly vulnerable, as compromised PBX systems can undermine trust and operational continuity. Additionally, the persistence mechanism via cron jobs complicates remediation and increases the risk of prolonged undetected compromise. Given the strategic importance of telecommunications in sectors such as finance, government, and critical infrastructure across Europe, this vulnerability poses a high risk to confidentiality, integrity, and availability of communications.

Mitigation Recommendations

European organizations should immediately audit their FreePBX installations for signs of compromise, focusing on the 'cron_jobs' database table for unauthorized entries. Implement network segmentation to isolate PBX systems from broader corporate networks to limit lateral movement. Restrict administrative interface access using VPNs, IP whitelisting, or multi-factor authentication to reduce exposure. Monitor web server logs and cron job executions for unusual activity, including unexpected PHP files or recurring cron jobs. Apply the latest FreePBX updates and patches as soon as they become available. If patches are not yet released, consider temporarily disabling or restricting access to the vulnerable admin modules. Employ web application firewalls (WAFs) with rules to detect and block SQL injection attempts targeting the FreePBX interface. Regularly back up PBX configurations and databases to enable recovery from compromise. Finally, conduct user awareness training to recognize signs of PBX misuse and implement incident response plans specific to telephony infrastructure.
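The two checks recommended above (auditing the cron_jobs table and watching web server logs for injection attempts against the admin interface) can be scripted. The following is an added example for defenders, not code from the SANS ISC diary or from the FreePBX project. It assumes cron_jobs rows have been exported as dictionaries with `id`, `schedule` and `command` keys (a hypothetical shape; check the real schema of your FreePBX version) and that access logs are in the common Apache format. All sample rows and log lines are constructed; the encoded payload in the sample row is an inert placeholder that only mimics the shape described in the analysis (a base64-decoded PHP payload writing a file under the web root).

```python
import base64
import re
from urllib.parse import unquote

# Indicators derived only from the behaviour described above: a base64-decoded
# PHP payload, a PHP file written under the web root, and a job that fires
# every minute to recreate it.
SUSPICIOUS_COMMAND_PATTERNS = [
    re.compile(r"base64_decode\s*\(", re.I),
    re.compile(r"base64\s+(?:-d|--decode)\b", re.I),
    re.compile(r"\bphp\s+-r\b", re.I),
    re.compile(r"/var/www/html/[^\s'\"]+\.php", re.I),
    re.compile(r"file_put_contents\s*\(", re.I),
]
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_base64_blobs(text):
    """Decode long base64-looking tokens so indicators hidden inside an encoded
    payload can be matched; tokens that do not decode to text are skipped."""
    decoded = []
    for token in BASE64_TOKEN.findall(text):
        try:
            raw = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in raw):
            decoded.append(raw)
    return decoded


def audit_cron_jobs(rows):
    """Return [(job_id, reasons)] for rows whose command matches an indicator,
    directly or inside a base64 blob. The schedule alone never triggers a
    finding, so legitimate every-minute jobs are not reported."""
    findings = []
    for row in rows:
        command = row.get("command", "")
        reasons = set()
        for text in [command, *decode_base64_blobs(command)]:
            for pattern in SUSPICIOUS_COMMAND_PATTERNS:
                if pattern.search(text):
                    reasons.add(f"command matches {pattern.pattern}")
        if reasons and row.get("schedule", "").startswith("* * * * *"):
            reasons.add("runs every minute")
        if reasons:
            findings.append((row.get("id"), sorted(reasons)))
    return findings


# Requests to ajax.php whose 'brand' query parameter carries SQL metacharacters
# or keywords after URL-decoding (the parameter named in the analysis).
AJAX_BRAND_PARAM = re.compile(r"ajax\.php\?[^\s\"]*?\bbrand=([^&\s\"]*)")
SQL_METACHARACTERS = re.compile(
    r"'|--|/\*|;|\b(?:union|select|insert|update|sleep)\b", re.I)


def scan_access_log(lines):
    """Return the source addresses of suspicious ajax.php requests."""
    sources = []
    for line in lines:
        match = AJAX_BRAND_PARAM.search(line)
        if match and SQL_METACHARACTERS.search(unquote(match.group(1))):
            sources.append(line.split(" ", 1)[0])
    return sources


# Constructed sample data (not real observations). The encoded payload only
# writes an inert placeholder file; it exists to exercise the decoder.
_PLACEHOLDER_PHP = ("file_put_contents('/var/www/html/example.php', "
                    "'<?php /* placeholder */ ?>');")
_ENCODED = base64.b64encode(_PLACEHOLDER_PHP.encode()).decode()

SAMPLE_CRON_JOBS = [
    {"id": 1, "schedule": "0 3 * * *",
     "command": "/usr/bin/php /var/lib/asterisk/bin/nightly_report.php"},
    {"id": 2, "schedule": "* * * * *",
     "command": f"php -r 'eval(base64_decode(\"{_ENCODED}\"));'"},
    {"id": 3, "schedule": "* * * * *",
     "command": "/usr/bin/php /var/lib/asterisk/bin/queue_stats.php"},
]

SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [07/Oct/2025:10:00:01 +0000] "GET /admin/ajax.php?module=example&brand=freepbx HTTP/1.1" 200 512',
    '198.51.100.9 - - [07/Oct/2025:10:00:02 +0000] "GET /admin/ajax.php?brand=x%27%20OR%201%3D1--&module=example HTTP/1.1" 200 64',
    '203.0.113.5 - - [07/Oct/2025:10:00:03 +0000] "GET /admin/index.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for job_id, reasons in audit_cron_jobs(SAMPLE_CRON_JOBS):
        print(f"cron_jobs id={job_id}: " + "; ".join(reasons))
    for src in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"suspicious brand parameter in ajax.php request from {src}")
```

Feed `audit_cron_jobs` with rows dumped from the live database (for example via a read-only query from a maintenance script) and `scan_access_log` with the admin interface's access log; a hit from `audit_cron_jobs` should be treated as a likely compromise rather than a false positive, since the decoded payload is matched on the same behaviour the analysis describes (PHP written under the web root on a one-minute schedule).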


Technical Details

Article Source: https://isc.sans.edu/diary/rss/32350 (fetched 2025-10-07T16:30:12Z, 475 words)

Threat ID: 68e54014a677756fc996ba89

Added to database: 10/7/2025, 4:30:12 PM

Last enriched: 10/7/2025, 4:30:29 PM

Last updated: 10/8/2025, 7:09:21 AM

