900+ Sangoma FreePBX Instances Compromised in Ongoing Web Shell Attacks

The Shadowserver Foundation has disclosed that more than 900 instances of Sangoma’s FreePBX platform remain compromised with malicious web shells, following attacks that exploited a serious command injection vulnerability first identified in December 2025.

Among the infected systems, 401 are located in the United States, with others spread across Brazil (51), Canada (43), Germany (40), and France (36). The breach stems from the exploitation of CVE-2025-64328, a high-severity flaw (CVSS 8.6) allowing post-authentication command injection within FreePBX’s administrative interface.

According to FreePBX’s November 2025 advisory, any user with access to the FreePBX Administration Control Panel (ACP) could use this vulnerability to execute arbitrary shell commands on the host server. Attackers leveraging this flaw can gain remote control under the privileges of the “asterisk” user, compromising the entire telephony system.

This vulnerability affects FreePBX versions 17.0.2.36 and later and was patched in version 17.0.3. Security recommendations include restricting ACP access to authorized personnel, blocking access from untrusted networks, and updating the filestore module to the latest version.

Due to ongoing exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-64328 to its Known Exploited Vulnerabilities (KEV) catalog as of February 2026.

Further analysis by Fortinet FortiGuard Labs revealed that a threat actor known as INJ3CTOR3 has actively abused this flaw since early December 2025 to deploy a web shell dubbed EncystPHP. The malware operates within Elastix and FreePBX administrative contexts, granting elevated privileges for arbitrary command execution and enabling attackers to initiate unauthorized outbound calls through compromised PBX systems.
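A defender-side triage script, added here as an illustration and not code from the report, FreePBX or Fortinet: it walks a web root for recently modified PHP files that combine request input with the execution or obfuscation primitives typical of web shells. The web root, the scoring threshold and the two sample files are constructed assumptions, not indicators taken from the report.

```python
import re
import tempfile
import time
from pathlib import Path

# PHP constructs that, in combination, characterise most web shells:
# an execution/eval primitive, an obfuscation wrapper, or raw request input.
SHELL_PATTERN = re.compile(
    r"\b(eval|system|shell_exec|exec|passthru|popen|proc_open|assert)\s*\("
    r"|\b(base64_decode|gzinflate|str_rot13)\s*\("
    r"|\$_(GET|POST|REQUEST|COOKIE)\s*\[",
    re.IGNORECASE,
)


def score_php_file(path: Path) -> int:
    """Count distinct suspicious constructs in one PHP file (0 = none seen)."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return 0
    return len({m.group(0).lower() for m in SHELL_PATTERN.finditer(text)})


def hunt_web_shells(webroot, modified_after, min_score=2):
    """Return [(relative_path, score)] for PHP files under webroot modified
    after `modified_after` (epoch seconds) that hit at least `min_score`
    distinct constructs; highest score first. A single hit (e.g. a module
    that merely reads $_GET) is not reported, which keeps noise down."""
    root = Path(webroot)
    hits = []
    for path in root.rglob("*.php"):
        if not path.is_file() or path.stat().st_mtime < modified_after:
            continue
        score = score_php_file(path)
        if score >= min_score:
            hits.append((str(path.relative_to(root)), score))
    return sorted(hits, key=lambda h: (-h[1], h[0]))


def demo():
    """Constructed sample tree (not real FreePBX files) for a self-check."""
    root = Path(tempfile.mkdtemp())
    (root / "admin" / "assets").mkdir(parents=True)
    # Benign page: reads request input but never executes it -> score 1.
    (root / "admin" / "config.php").write_text(
        "<?php $page = $_GET['display']; echo htmlspecialchars($page);")
    # Minimal web-shell shape: request input fed through decode into eval.
    (root / "admin" / "assets" / "c.php").write_text(
        "<?php @eval(base64_decode($_POST['x']));")
    # Only files touched in the last hour are considered here.
    return hunt_web_shells(root, modified_after=time.time() - 3600)
```

On a real host the web root and the `modified_after` cutoff (for instance the start of the exploitation window) are the inputs to vary; any hit still needs manual review, since legitimate code can also match several constructs.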

FreePBX users are urged to immediately upgrade to the latest software versions and apply all security patches to prevent further breaches.

This incident highlights the critical need for continuous monitoring and swift remediation of vulnerabilities in VoIP infrastructure to thwart evolving cyber threats targeting communication platforms.


Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO