Cyber Web Spider Blog – News


900 FreePBX Systems Compromised by Web Shell Attacks

Posted on February 27, 2026 By CWS

Recent reports indicate that around 900 Sangoma FreePBX instances remain compromised with web shells. The infections result from exploitation of a command injection flaw, which began in December 2025.

Sangoma FreePBX Vulnerability Details

Sangoma FreePBX, an open-source graphical interface for managing Asterisk-based IP telephony, was targeted due to a vulnerability tracked as CVE-2025-64328. This critical flaw, with a CVSS score of 8.6, affects the filestore module in the endpoint manager’s administrative interface. The vulnerability was identified and patched in November 2025, yet many systems are still at risk.

Attack Exploitation and Impact

The command injection issue allows attackers with any level of user access to execute arbitrary commands and gain remote control of the system. A hacking group known as INJ3CTOR3 has been actively exploiting this vulnerability to deploy a web shell named EncystPHP. This tool provides attackers with remote execution capabilities and persistent system access.

Fortinet disclosed that INJ3CTOR3 had been using this vulnerability for over a month, leading to widespread deployment of the web shell. These activities align with known attack patterns associated with the group.

Current Status and Recommendations

The Shadowserver Foundation, a non-profit organization, has reported that around 900 FreePBX instances are still compromised, primarily through CVE-2025-64328. Most affected systems are located in the United States, with significant numbers also found in Brazil, Canada, Germany, France, the UK, Italy, and the Netherlands.

To mitigate the risk, users are urged to update the filestore module to the latest version, limit administrative access to authorized personnel, and block known malicious access sources. Additionally, the US cybersecurity agency CISA has added this vulnerability to its Known Exploited Vulnerabilities list, highlighting its critical nature.
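As an added example (not from the original article or from Sangoma), the script below checks the first mitigation step by reading the filestore version from `fwconsole ma list` output and comparing it field by field against a minimum fixed version. The article does not state the patched version, so the threshold is a placeholder to be taken from the vendor advisory; the sample table, its column layout and its version numbers are constructed.

```shell
#!/bin/sh
# Added example: is the filestore module at or above the fixed version?
# Assumes `fwconsole ma list` prints a '|'-delimited table with the module
# name in column 1 and the version in column 2, and numeric dotted versions.

# Constructed sample output (not from a real host; versions are made up).
SAMPLE_OUTPUT='+-----------+---------+---------+---------+
| Module    | Version | Status  | License |
+-----------+---------+---------+---------+
| core      | 1.0.9   | Enabled | GPLv3+  |
| filestore | 1.0.2   | Enabled | AGPLv3+ |
+-----------+---------+---------+---------+'

# Print the version column for module $1 from table text on stdin.
module_version() {
  awk -F'|' -v m="$1" 'NF >= 3 {
    name = $2; ver = $3
    gsub(/[ \t]/, "", name); gsub(/[ \t]/, "", ver)
    if (name == m) { print ver; exit }
  }'
}

# Succeed if version $1 >= version $2, comparing each dotted field as a
# number (so 1.0.10 is newer than 1.0.2, unlike a plain string compare).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# $1 = table text, $2 = minimum fixed version. Prints a one-line verdict.
check_filestore() {
  ver=$(printf '%s\n' "$1" | module_version filestore)
  if [ -z "$ver" ]; then echo "MISSING"
  elif version_ge "$ver" "$2"; then echo "PATCHED $ver"
  else echo "VULNERABLE $ver"
  fi
}

# Demo on the constructed sample; 1.0.10 is a constructed threshold.
# Live use: check_filestore "$(fwconsole ma list)" "<fixed version from advisory>"
check_filestore "$SAMPLE_OUTPUT" "1.0.10"
```

A `VULNERABLE` verdict is the cue to run `fwconsole ma upgrade filestore`; a `PATCHED` verdict says nothing about whether a web shell was planted before the update.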

Related cybersecurity threats include the Aeternum Botnet Loader and SystemBC infections, emphasizing the need for vigilance and timely updates.

Copyright © 2026 Cyber Web Spider Blog – News.
