Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
900 FreePBX Systems Compromised by Web Shell Attacks

900 FreePBX Systems Compromised by Web Shell Attacks

Posted on February 27, 2026 By CWS

Recent reports indicate that around 900 instances of Sangoma FreePBX are compromised, remaining vulnerable due to web shell attacks. These incidents are the result of exploiting a command injection flaw, which began in December 2025.

Sangoma FreePBX Vulnerability Details

Sangoma FreePBX, an open-source graphical interface for managing Asterisk-based IP telephony, was targeted due to a vulnerability tracked as CVE-2025-64328. This critical flaw, with a CVSS score of 8.6, affects the filestore module in the endpoint manager’s administrative interface. The vulnerability was identified and patched in November 2025, yet many systems are still at risk.

Attack Exploitation and Impact

The command injection issue allows attackers with any level of user access to execute arbitrary commands and gain remote control of the system. A hacking group known as INJ3CTOR3 has been actively exploiting this vulnerability to deploy a web shell named EncystPHP. This tool provides attackers with remote execution capabilities and persistent system access.

Fortinet disclosed that INJ3CTOR3 had been using this vulnerability for over a month, leading to widespread deployment of the web shell. These activities align with known attack patterns associated with the group.

Current Status and Recommendations

The Shadowserver Foundation, a non-profit organization, has reported that around 900 FreePBX instances are still compromised, primarily through CVE-2025-64328. Most affected systems are located in the United States, with significant numbers also found in Brazil, Canada, Germany, France, the UK, Italy, and the Netherlands.

To mitigate the risk, users are urged to update the filestore module to the latest version, limit administrative access to authorized personnel, and block known malicious access sources. Additionally, the US cybersecurity agency CISA has added this vulnerability to its Known Exploited Vulnerabilities list, highlighting its critical nature.

Related cybersecurity threats include the Aeternum Botnet Loader and SystemBC infections, emphasizing the need for vigilance and timely updates.

Security Week News Tags:CISA, CVE-2025-64328, Cybersecurity, Fortinet, FreePBX, INJ3CTOR3, Sangoma, Shadowserver Foundation, Vulnerability, web shell

Post navigation

Previous Post: ScarCruft Exploits Zoho WorkDrive for Air-Gapped Network Breach
Next Post: Critical FreeBSD Flaw Risks System Security Breach

Related Posts

MIND Raises  Million for Data Loss Prevention MIND Raises $30 Million for Data Loss Prevention Security Week News
Palo Alto Networks Fixes Critical Security Flaws Palo Alto Networks Fixes Critical Security Flaws Security Week News
US Sanctions Philippine Company for Supporting Crypto Scams US Sanctions Philippine Company for Supporting Crypto Scams Security Week News
Cyberattack Breaches Novo Nordisk’s IT Systems Cyberattack Breaches Novo Nordisk’s IT Systems Security Week News
Cal Water Probes Alleged Iranian Hacker Breach Cal Water Probes Alleged Iranian Hacker Breach Security Week News
Klue Data Breach Expands Amidst Hacker Dispute Klue Data Breach Expands Amidst Hacker Dispute Security Week News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Qilin Ransomware Exploits Active Directory with DCSync
  • Critical Flaws in Claude for Chrome Allow Unauthorized Access
  • Old Microsoft UEFI Shims Pose Secure Boot Risk
  • July 2026 SAP Security Updates Address Critical Flaws
  • US, Allies Alert on Russian Cyber Threats to Key Infrastructure

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Qilin Ransomware Exploits Active Directory with DCSync
  • Critical Flaws in Claude for Chrome Allow Unauthorized Access
  • Old Microsoft UEFI Shims Pose Secure Boot Risk
  • July 2026 SAP Security Updates Address Critical Flaws
  • US, Allies Alert on Russian Cyber Threats to Key Infrastructure

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark