Recent reports indicate that around 900 instances of Sangoma FreePBX are compromised, remaining vulnerable due to web shell attacks. These incidents are the result of exploiting a command injection flaw, which began in December 2025.
Sangoma FreePBX Vulnerability Details
Sangoma FreePBX, an open-source graphical interface for managing Asterisk-based IP telephony, was targeted due to a vulnerability tracked as CVE-2025-64328. This critical flaw, with a CVSS score of 8.6, affects the filestore module in the endpoint manager’s administrative interface. The vulnerability was identified and patched in November 2025, yet many systems are still at risk.
Attack Exploitation and Impact
The command injection issue allows attackers with any level of user access to execute arbitrary commands and gain remote control of the system. A hacking group known as INJ3CTOR3 has been actively exploiting this vulnerability to deploy a web shell named EncystPHP. This tool provides attackers with remote execution capabilities and persistent system access.
Fortinet disclosed that INJ3CTOR3 had been using this vulnerability for over a month, leading to widespread deployment of the web shell. These activities align with known attack patterns associated with the group.
Current Status and Recommendations
The Shadowserver Foundation, a non-profit organization, has reported that around 900 FreePBX instances are still compromised, primarily through CVE-2025-64328. Most affected systems are located in the United States, with significant numbers also found in Brazil, Canada, Germany, France, the UK, Italy, and the Netherlands.
To mitigate the risk, users are urged to update the filestore module to the latest version, limit administrative access to authorized personnel, and block known malicious access sources. Additionally, the US cybersecurity agency CISA has added this vulnerability to its Known Exploited Vulnerabilities list, highlighting its critical nature.
Related cybersecurity threats include the Aeternum Botnet Loader and SystemBC infections, emphasizing the need for vigilance and timely updates.
