The Sangoma FreePBX Security Team disclosed an actively exploited zero-day vulnerability in FreePBX systems with exposed Administrator Control Panels (ACP). Attackers breached servers since August 21, executing arbitrary commands via the Asterisk user privileges. Multiple customers reported compromises, including 3,000 SIP extensions and 500 trunks affected in one case. Indicators of compromise (IOCs) included modified `/etc/freepbx.conf`, malicious shell scripts (`/var/www/html/.clean.sh`), suspicious Apache logs (`modular.php`), unauthorized calls to extension 9998, and rogue entries in the MariaDB/MySQL `ampusers` table.Victims faced unauthorized international call traffic, potential credential theft, and system takeover. Sangoma urged admins to block ACP access, restore from pre-August 21 backups, rotate all SIP/system credentials, and deploy an EDGE module patch (though expired support contracts left some systems unprotected). The flaw’s exploitation led to full server breaches, financial fraud via telephony abuse, and operational disruption for businesses relying on FreePBX for voice communications. The attack vector leveraged exposed administrative interfaces, highlighting critical gaps in default security configurations.

On May 21, 2025, the Maine Attorney General's Office reported a data breach involving Sangoma Technologies Inc. The breach occurred between October 23 and October 24, 2024, due to unauthorized access to NetFortris systems, affecting approximately 889 individuals. The compromised information included personal details of current and former employees, contractors, and applicants.

Critical FreePBX Vulnerability Exposes User Portals to Unauthenticated Attacks A severe security flaw in the open-source IP PBX platform FreePBX (CVE-2026-46376) allows unauthenticated attackers to gain access to user portals via hard-coded credentials in the User Control Panel (UCP). The vulnerability affects FreePBX versions prior to 16.0.45 and 17.0.7, stemming from default credentials embedded in the userman module’s generic template during setup. The issue arises when administrators fail to modify default credentials after deployment, leaving systems exposed. Attackers can exploit this flaw without prior access, privileges, or user interaction, making it particularly dangerous in exposed environments. Classified under CWE-798 (Use of Hard-coded Credentials), the vulnerability carries a CVSS v4 score of 9.1 (Critical) due to its low-complexity, network-based attack vector. Successful exploitation could lead to: - Unauthorized access to user accounts via the UCP. - Exposure of sensitive data. - Manipulation of user settings and configurations. The flaw was introduced in a 2021 code change and publicly disclosed under advisory GHSA-m55x-h47x-v3gx by researcher chrsmj, with remediation developed by Sangoma. FreePBX has released patches version 16.0.45+ for FreePBX 16 and 17.0.7+ for FreePBX 17 to address the issue. Organizations are urged to audit deployments for unmodified default credentials and implement additional security measures, such as restricting UCP/ACP access via VPN, MFA, or IP-based restrictions. The incident highlights the risks of insecure default configurations in enterprise systems.

The data from Sangoma Technologies Corporation was breached in the Conti ransomware attack. The gang published over 26 GB of the stolen data including the company's accounting, financials, acquisitions, employee benefits and salary, and legal documents on their data leak site.