900 FreePBX Systems Compromised by Web Shell Attacks

900 FreePBX Systems Compromised by Web Shell Attacks

Posted on By CWS

Recent reports indicate that around 900 instances of Sangoma FreePBX are compromised, remaining vulnerable due to web shell attacks. These incidents are the result of exploiting a command injection flaw, which began in December 2025.

Sangoma FreePBX Vulnerability Details

Sangoma FreePBX, an open-source graphical interface for managing Asterisk-based IP telephony, was targeted due to a vulnerability tracked as CVE-2025-64328. This critical flaw, with a CVSS score of 8.6, affects the filestore module in the endpoint manager’s administrative interface. The vulnerability was identified and patched in November 2025, yet many systems are still at risk.

Attack Exploitation and Impact

The command injection issue allows attackers with any level of user access to execute arbitrary commands and gain remote control of the system. A hacking group known as INJ3CTOR3 has been actively exploiting this vulnerability to deploy a web shell named EncystPHP. This tool provides attackers with remote execution capabilities and persistent system access.

Fortinet disclosed that INJ3CTOR3 had been using this vulnerability for over a month, leading to widespread deployment of the web shell. These activities align with known attack patterns associated with the group.

Current Status and Recommendations

The Shadowserver Foundation, a non-profit organization, has reported that around 900 FreePBX instances are still compromised, primarily through CVE-2025-64328. Most affected systems are located in the United States, with significant numbers also found in Brazil, Canada, Germany, France, the UK, Italy, and the Netherlands.

To mitigate the risk, users are urged to update the filestore module to the latest version, limit administrative access to authorized personnel, and block known malicious access sources. Additionally, the US cybersecurity agency CISA has added this vulnerability to its Known Exploited Vulnerabilities list, highlighting its critical nature.

Related cybersecurity threats include the Aeternum Botnet Loader and SystemBC infections, emphasizing the need for vigilance and timely updates.

Security Week News Tags:, , , , , , , , ,

Related Posts

Former US Defense Contractor Executive Admits to Selling Exploits to Russia Former US Defense Contractor Executive Admits to Selling Exploits to Russia Security Week News
Anthropic Stands Firm Against Pentagon on AI Ethics Anthropic Stands Firm Against Pentagon on AI Ethics Security Week News
Romanian Hacker Admits to Selling Access to US State Network Romanian Hacker Admits to Selling Access to US State Network Security Week News
Adobe Issues Out-of-Band Patches for AEM Forms Vulnerabilities With Public PoC Adobe Issues Out-of-Band Patches for AEM Forms Vulnerabilities With Public PoC Security Week News
Langflow Vulnerability Exploited Rapidly After Disclosure Langflow Vulnerability Exploited Rapidly After Disclosure Security Week News
Cybersecurity Firms React to China’s Reported Software Ban Cybersecurity Firms React to China’s Reported Software Ban Security Week News