The Shadowserver Foundation has disclosed a significant cybersecurity incident affecting over 900 Sangoma FreePBX systems worldwide. These systems have been compromised by web shells, a direct consequence of a command injection vulnerability that began being exploited in December 2025.
Widespread Impact of the Vulnerability
The majority of the affected FreePBX instances are distributed globally, with 401 located in the United States, followed by Brazil, Canada, Germany, and France. The exploitation of this vulnerability, identified as CVE-2025-64328 with a CVSS score of 8.6, allows attackers to execute arbitrary shell commands post-authentication.
An advisory from FreePBX in November 2025 highlighted the potential for remote access through this flaw, particularly affecting users with access to the FreePBX Administration panel. This exploit could grant unauthorized access to the system, enabling harmful activities.
Version Vulnerability and Mitigation Steps
Vulnerable versions include FreePBX 17.0.2.36 and newer, with a fix available in version 17.0.3. To mitigate risks, it’s crucial to implement security controls ensuring that only authorized personnel can access the FreePBX Administrator Control Panel. Additional precautions include restricting ACP access from untrusted networks and updating the filestore module promptly.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recognized the active exploitation of this vulnerability, adding it to their Known Exploited Vulnerabilities (KEV) list, emphasizing the need for immediate action.
Exploitation by Threat Actors
A report by Fortinet FortiGuard Labs ties the exploitation to a cybercriminal group known as INJ3CTOR3. This group has been using CVE-2025-64328 since early December 2025 to install a web shell named EncystPHP. This shell operates with elevated privileges, allowing arbitrary commands and initiating outbound calls via the PBX system.
To safeguard against these ongoing threats, FreePBX users are strongly advised to upgrade their systems to the latest version immediately. Staying updated is critical in preventing further exploitation and securing network environments.
As cyber threats continue to evolve, maintaining up-to-date security measures and monitoring systems for vulnerabilities are essential steps for protecting sensitive information and infrastructure.
