Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
900 FreePBX Systems Compromised by Web Shell Attacks

900 FreePBX Systems Compromised by Web Shell Attacks

Posted on February 27, 2026 By CWS

Recent reports indicate that around 900 instances of Sangoma FreePBX are compromised, remaining vulnerable due to web shell attacks. These incidents are the result of exploiting a command injection flaw, which began in December 2025.

Sangoma FreePBX Vulnerability Details

Sangoma FreePBX, an open-source graphical interface for managing Asterisk-based IP telephony, was targeted due to a vulnerability tracked as CVE-2025-64328. This critical flaw, with a CVSS score of 8.6, affects the filestore module in the endpoint manager’s administrative interface. The vulnerability was identified and patched in November 2025, yet many systems are still at risk.

Attack Exploitation and Impact

The command injection issue allows attackers with any level of user access to execute arbitrary commands and gain remote control of the system. A hacking group known as INJ3CTOR3 has been actively exploiting this vulnerability to deploy a web shell named EncystPHP. This tool provides attackers with remote execution capabilities and persistent system access.

Fortinet disclosed that INJ3CTOR3 had been using this vulnerability for over a month, leading to widespread deployment of the web shell. These activities align with known attack patterns associated with the group.

Current Status and Recommendations

The Shadowserver Foundation, a non-profit organization, has reported that around 900 FreePBX instances are still compromised, primarily through CVE-2025-64328. Most affected systems are located in the United States, with significant numbers also found in Brazil, Canada, Germany, France, the UK, Italy, and the Netherlands.

To mitigate the risk, users are urged to update the filestore module to the latest version, limit administrative access to authorized personnel, and block known malicious access sources. Additionally, the US cybersecurity agency CISA has added this vulnerability to its Known Exploited Vulnerabilities list, highlighting its critical nature.

Related cybersecurity threats include the Aeternum Botnet Loader and SystemBC infections, emphasizing the need for vigilance and timely updates.

Security Week News Tags:CISA, CVE-2025-64328, Cybersecurity, Fortinet, FreePBX, INJ3CTOR3, Sangoma, Shadowserver Foundation, Vulnerability, web shell

Post navigation

Previous Post: ScarCruft Exploits Zoho WorkDrive for Air-Gapped Network Breach
Next Post: Critical FreeBSD Flaw Risks System Security Breach

Related Posts

2 Venezuelans Convicted in US for Using Malware to Hack ATMs 2 Venezuelans Convicted in US for Using Malware to Hack ATMs Security Week News
Salesloft GitHub Account Compromised Months Before Salesforce Attack Salesloft GitHub Account Compromised Months Before Salesforce Attack Security Week News
US Posts  Million Bounty for Iranian Hackers US Posts $10 Million Bounty for Iranian Hackers Security Week News
900 FreePBX Systems Compromised by Web Shell Attacks React2Shell Exploitation: Large-Scale Attack Exposes Credentials Security Week News
F5 to Acquire CalypsoAI for 0 Million F5 to Acquire CalypsoAI for $180 Million Security Week News
Researchers Trap Scattered Lapsus$ Hunters in Honeypot Researchers Trap Scattered Lapsus$ Hunters in Honeypot Security Week News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • RabbitMQ Vulnerabilities Expose OAuth Secrets, Threaten Security
  • Qilin Ransomware Exploits Active Directory with DCSync
  • Critical Flaws in Claude for Chrome Allow Unauthorized Access
  • Old Microsoft UEFI Shims Pose Secure Boot Risk
  • July 2026 SAP Security Updates Address Critical Flaws

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • RabbitMQ Vulnerabilities Expose OAuth Secrets, Threaten Security
  • Qilin Ransomware Exploits Active Directory with DCSync
  • Critical Flaws in Claude for Chrome Allow Unauthorized Access
  • Old Microsoft UEFI Shims Pose Secure Boot Risk
  • July 2026 SAP Security Updates Address Critical Flaws

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark