FreePBX
aka Sangoma, PBXact, Asterisk GUI
PHP web admin GUI for the Asterisk PBX, common on VoIP appliances (Sangoma Linux). Config files store DB and AMI credentials in cleartext, and the web root is often writable by the asterisk user.
Ports
| Port | Proto | Notes |
|---|---|---|
| 80 | tcp | admin GUI, redirects to /admin |
| 443 | tcp | admin GUI over TLS |
| 5038 | tcp | Asterisk Manager Interface (AMI) |
| 5060 | udp | SIP signalling |
Fingerprint
- TLS certificate CN like pbxconnect, emailAddress root@<host>
- Asset URLs leak the build, e.g. ?load_version=16.0.40.7
- robots.txt references /www/images/ and the FreePBX GUI boilerplate
- /admin/config.php presents the FreePBX administrator login form
Key files
| Path | Holds | Sensitive |
|---|---|---|
| /etc/freepbx.conf | DB credentials (AMPDBUSER / AMPDBPASS) for the asterisk database | sensitive |
| /etc/asterisk/manager.conf | AMI usernames and secrets in cleartext | sensitive |
| /etc/asterisk/manager_additional.conf | additional AMI secrets | sensitive |
| /etc/amportal.conf | legacy FreePBX config, can also hold DB creds | sensitive |
| /var/www/html/admin/modules/ | module code, frequently owned and writable by asterisk | |
| /etc/incron.d/ | root incron hooks that watch asterisk-writable paths | |
| /var/lib/asterisk/ | AGI scripts, sounds, and the job spool | |
Default / weak creds
- admin / admin (default on some fresh installs)
- DB user freepbxuser (password lives in /etc/freepbx.conf)
Service users
asterisk (uid 999)
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2025-57819 | Unauthenticated SQL injection in the commercial endpoint module, leading to admin takeover and RCE |
| CVE-2021-4045 | Restapps module unauthenticated remote code execution |
| CVE-2019-19006 | Authentication bypass granting remote admin access |
Exploitation primitives
- Write a row into the cron_jobs table: the asterisk crontab runs fwconsole job --run every minute and executes it as asterisk
- AMI Action: Originate with Application: System (or Exec) runs system commands as asterisk
- As GUI admin: Config Edit, System Recordings, module upload and backup restore all give code exec as asterisk
- Privesc: a root incron hook (sysadmin_ha) does require_once on a PHP file under the asterisk-writable web root, so plant the file and trigger the hook
Overview
FreePBX is a PHP front end for the Asterisk PBX, usually shipped on Sangoma Linux appliances. The web root is commonly owned by the asterisk user, and several config files store credentials in cleartext, so a foothold tends to come from a module vulnerability and the privesc from a root process that trusts an asterisk-writable path.
Enumeration
Follow the redirect to /admin:
curl -sk -I https://<TARGET>/
Leak the build number from the asset version:
curl -sk https://<TARGET>/admin/config.php | grep load_version
Pull the exact build from the asset load_version value, then match it against the CVE list above.
Foothold options
- Module CVEs (for example CVE-2025-57819, an unauthenticated SQL injection in the endpoint module) give admin takeover or direct RCE.
- With admin access, the GUI has many code-exec primitives (Config Edit, System Recordings, module upload, backup restore), all running as asterisk.
- A stacked SQL write into cron_jobs is picked up by fwconsole job --run and executed as asterisk within a minute.
Credentials to loot
Database credentials:
cat /etc/freepbx.conf
AMI user and secret (cleartext):
cat /etc/asterisk/manager.conf
Dump the GUI admin hashes. On every FreePBX the DB user is freepbxuser, the database is asterisk and the admin table is ampusers; the password is the AMPDBPASS value from /etc/freepbx.conf above:
mysql -ufreepbxuser -p'<AMPDBPASS>' asterisk -e 'SELECT username,password_sha1 FROM ampusers;'
The ampusers passwords are unsalted SHA-1, so a single leaked row can be cracked offline or used to log in directly.
Privilege escalation
Check /etc/incron.d/ for root hooks watching asterisk-writable paths. The classic is sysadmin_ha, which does require_once on a PHP file under /var/www/html/admin/modules/freepbx_ha/ (often missing, and the web root is asterisk-owned). Create that file with your own class, then write the watched trigger to make the root daemon run your code.
Hardening
Patch the endpoint and restapps modules, never expose the admin GUI to untrusted networks, restrict AMI (5038) to localhost, and ensure the PHP runtime user cannot write /var/www/html/admin/modules.
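As an added example (not FreePBX or Sangoma code), the following POSIX shell script audits a host for the weak points described in the privilege escalation and hardening sections: AMI bound beyond localhost (the bindaddr key in manager.conf; Asterisk listens on 0.0.0.0 when the key is absent), a web modules directory writable by the PHP runtime user, root incron hooks that watch a path that user can write, and a world-readable /etc/freepbx.conf. It then applies the hardening advice to the same tree and audits again. The sample tree under mktemp, the config contents, the incron table line and its hook command string are all constructed here; the real sysadmin_ha table is not reproduced. On a real box the runtime user argument is asterisk; the demo passes the current user because the constructed tree is owned by whoever runs it.

```shell
#!/bin/sh
# Added audit script, not FreePBX or Sangoma code. It checks a FreePBX tree
# for the weak points this page describes and shows the hardened state beside
# the weak one. Every check takes a path so it can run on a copied tree.

# Print the AMI bindaddr from manager.conf. Asterisk listens on every address
# when the key is absent, so 0.0.0.0 is reported in that case.
ami_bindaddr() {
    local bind
    bind=$(sed -n 's/^[[:space:]]*bindaddr[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    printf '%s\n' "${bind:-0.0.0.0}"
}

# Succeed when AMI is bound to localhost only.
ami_local_only() {
    [ "$(ami_bindaddr "$1")" = "127.0.0.1" ]
}

# Succeed when PATH ($1) is writable by USER ($2): USER owns it with the owner
# write bit set, or it is world-writable. Group membership is not resolved.
writable_by() {
    [ -n "$(find "$1" -maxdepth 0 \( -user "$2" -perm -u=w -o -perm -o=w \) 2>/dev/null)" ]
}

# Succeed when FILE can be read by users outside its owner and group.
world_readable() {
    [ -n "$(find "$1" -maxdepth 0 -perm -o=r 2>/dev/null)" ]
}

# For every incron table in DIR ($1), print "<table>:<watched path>:<command>"
# for hooks whose watched path USER ($2) can write: a root hook on such a path
# is the privesc pattern above. incron lines are "<path> <mask> <command>".
risky_incron_hooks() {
    for table in "$1"/*; do
        [ -f "$table" ] || continue
        while read -r watched _mask cmd; do
            case "$watched" in ''|'#'*) continue ;; esac
            if writable_by "$watched" "$2"; then
                printf '%s:%s:%s\n' "$(basename "$table")" "$watched" "$cmd"
            fi
        done < "$table"
    done
}

# Run every check against tree T for runtime user U; print one line per finding.
audit_tree() {
    local t="$1" u="$2"
    if ! ami_local_only "$t/etc/asterisk/manager.conf"; then
        echo "FINDING: AMI bindaddr is $(ami_bindaddr "$t/etc/asterisk/manager.conf"), not 127.0.0.1"
    fi
    if writable_by "$t/www/admin/modules" "$u"; then
        echo "FINDING: web modules directory is writable by $u"
    fi
    risky_incron_hooks "$t/etc/incron.d" "$u" | sed "s/^/FINDING: root incron hook watches a path $u can write: /"
    if world_readable "$t/etc/freepbx.conf"; then
        echo "FINDING: /etc/freepbx.conf is readable by other users"
    fi
}

# Build a constructed sample tree that reproduces the weak configuration and
# print its path. Credentials and the hook command are placeholders.
make_sample_tree() {
    local t
    t=$(mktemp -d)
    mkdir -p "$t/etc/asterisk" "$t/etc/incron.d" "$t/www/admin/modules"
    printf '[general]\nenabled = yes\nbindaddr = 0.0.0.0\nport = 5038\n\n[admin]\nsecret = example-secret\n' \
        > "$t/etc/asterisk/manager.conf"
    printf '<?php\n$amp_conf["AMPDBUSER"] = "freepbxuser";\n$amp_conf["AMPDBPASS"] = "example-password";\n' \
        > "$t/etc/freepbx.conf"
    chmod 644 "$t/etc/freepbx.conf"      # world-readable credentials
    chmod 755 "$t/www/admin/modules"     # writable by its owner, the runtime user
    printf '%s IN_CLOSE_WRITE hook-command-placeholder\n' "$t/www/admin/modules" \
        > "$t/etc/incron.d/sysadmin_ha"  # constructed table, not the real one
    printf '%s\n' "$t"
}

# Apply the page's hardening advice: bind AMI to localhost, remove write access
# from the modules directory, make freepbx.conf owner-only. sed writes to a
# temp file so the script works with both GNU and BSD sed.
harden_tree() {
    local f="$1/etc/asterisk/manager.conf"
    sed 's/^bindaddr *= *.*/bindaddr = 127.0.0.1/' "$f" > "$f.new" && mv "$f.new" "$f"
    chmod 555 "$1/www/admin/modules"
    chmod 600 "$1/etc/freepbx.conf"
}

# Stand-alone demo: audit the weak tree, harden it, audit again.
demo() {
    local t u
    u=$(id -un)   # "asterisk" on a real box; the constructed tree is owned by us
    t=$(make_sample_tree)
    echo "== before hardening =="; audit_tree "$t" "$u"
    harden_tree "$t"
    echo "== after hardening =="; audit_tree "$t" "$u"
    rm -rf "$t"
}
demo
```

The writable_by check reads mode bits only, so it reports what a non-root process could do even when the audit itself runs as root; on a real appliance run it as `audit_tree / asterisk` after adjusting the www path to /var/www/html.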