Merge pull request #13021 from darses/patch-52

Update FreePBX-panel and add freepbx-cleanup-backdoor

http/exposed-panels/freepbx-administration-panel.yaml

@@ -2,9 +2,10 @@ id: freepbx-administration-panel
 
 info:
   name: FreePBX Admin Panel - Detect
-  author: tess
+  author: tess,darses
   severity: info
-  description: FreePBX admin panel was detected.
+  description: |
+    FreePBX admin panel was detected.
   classification:
     cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
     cwe-id: CWE-200
@@ -15,26 +16,28 @@ info:
     vendor: sangoma
     product: freepbx
     shodan-query:
-      - http.title:"FreePBX Administration"
-      - http.title:"freepbx administration"
-    fofa-query: title="freepbx administration"
-    google-query: intitle:"freepbx administration"
+      - http.title:"FreePBX"
+      - http.favicon.hash:-1908328911
+      - http.favicon.hash:1574423538
+    fofa-query:
+      - title="FreePBX"
+      - icon_hash="-1908328911"
+      - icon_hash="1574423538"
   tags: freepbx,panel,sangoma
 
 http:
   - method: GET
     path:
-      - '{{BaseURL}}/admin/config.php#'
+      - '{{BaseURL}}/admin/config.php'
 
     matchers-condition: and
     matchers:
       - type: word
         part: body
         words:
-          - 'FreePBX Administration'
-          - 'Operator Panel'
-          - 'User Control Panel'
-        condition: and
+          - "<title>FreePBX"
+          - "FreePBX</title>"
+        condition: or
 
       - type: word
         part: header
@@ -44,4 +47,10 @@ http:
       - type: status
         status:
           - 200
-# digest: 4a0a00473045022100e03c56506b0dc648505660fca52f7d0e0a8cb7f2004d8623370cf6de781d24ed02200323dac46adb49f48df6e11073d6fd740a56c0ba269f16bd1da72dbd4e1c6321:922c64590222798bb761d5b6d8e72950
+
+    extractors:
+      - type: regex
+        part: body
+        group: 1
+        regex:
+          - 'FreePBX\s+([\d\.]+)\s+'

http/vulnerabilities/backdoor/freepbx-cleanup-backdoor.yaml

@@ -0,0 +1,49 @@
+id: freepbx-cleanup-backdoor
+
+info:
+  name: FreePBX - CVE-2025-57819 Backdoor
+  severity: high
+  author: darses
+  description: |
+    FreePBX backdoor cleanup script used in 0-day exploitation of CVE-2025-57819 was detected.
+  metadata:
+    verified: true
+    max-request: 1
+    vendor: sangoma
+    product: freepbx
+    shodan-query:
+      - http.title:"FreePBX"
+      - http.favicon.hash:-1908328911
+      - http.favicon.hash:1574423538
+    fofa-query:
+      - title="FreePBX"
+      - icon_hash="-1908328911"
+      - icon_hash="1574423538"
+  reference:
+    - https://community.freepbx.org/t/security-advisory-please-lock-down-your-administrator-access/107203
+  tags: backdoor,sangoma,freepbx
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/.clean.sh"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "LOGS"
+          - "Processing file"
+          - "sed -i --follow-symlinks"
+          - "/var/log/asterisk/freepbx_security.log"
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: kval
+        part: header
+        kval:
+          - last_modified

workflows/freepbx-workflow.yaml

@@ -0,0 +1,11 @@
+id: freepbx-workflow
+
+info:
+  name: Freepbx Security Checks
+  author: darses
+  description: A simple workflow that runs all FreePBX related nuclei templates on a given target.
+
+workflows:
+  - template: http/exposed-panels/freepbx-administration-panel.yaml
+    subtemplates:
+      - tags: freepbx