Here is the thing about these articles. Asterisk, itself, doesn’t have a GUI. That means it doesn’t require or need Apache (or any web server) or PHP. So that would mean there are numerous Asterisk installs out in the world that would never be impacted by this, at all.
Conversely, FreePBX (which uses Asterisk) is GUI based and therefore uses Apache and PHP which would mean 100% of FreePBX boxes could be impacted by this. These articles fail to relate how this is being done. What attack vectors are being used? Is it a buffer overflow? Is it a SQL injection? What?!
Again, ZERO information provided. Right now FreePBX v13 and v14 are the “current” releases for FreePBX. The former uses PHP 5.3 while the latter uses PHP 5.6. What versions of FreePBX where these monitored systems running? Were they current boxes? Were they v13 or v14?
I mean come on, look at the first article. The report is based off of reporting from Feb - July of 2018! Over a year and a half ago. It even says a patch was released (but doesn’t tell you what update has the patch or what versions should be patched). So honestly, if you are a year and a half behind on your updates, you deserve a quick kick in the gonads to wake you up.
Articles like this are reckless because they promote a panic with no resolution.