The Shadowserver Foundation revealed that more than 900 Sangoma FreePBX instances remain infected with web shells as part of an attack that exploits a command injection vulnerability starting in December 2025.
Of these, 401 are in the United States, followed by 51 in Brazil, 43 in Canada, 40 in Germany, and 36 in France.
The nonprofit said the breach was likely accomplished by exploiting CVE-2025-64328 (CVSS score: 8.6), a high-severity security flaw that could allow post-authentication command injection.
“The impact is that a user with access to the FreePBX administration panel could leverage this vulnerability to execute arbitrary shell commands on the underlying host. An attacker could leverage this to gain remote access to the system as the Asterisk user,” FreePBX said in a November 2025 advisory about the flaw.
This vulnerability affects FreePBX versions 17.0.2.36 and later. This issue was resolved in version 17.0.3. As a mitigation, we recommend adding security controls to ensure that only authorized users can access the FreePBX Administrator Control Panel (ACP), restricting access to the ACP from hostile networks, and updating the Filestore module to the latest version.
The vulnerability has since been exploited in the wild, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog earlier this month.
Source: Shadow Server Foundation
In a report published late last month, Fortinet FortiGuard Labs revealed that the attackers behind the cyber fraud operation, codenamed INJ3CTOR3, have been exploiting CVE-2025-64328 to deliver a web shell codenamed EncystPHP since early December 2025.
“By leveraging the administrative context of Elastix and FreePBX, the web shell can operate with elevated privileges, execute arbitrary commands on a compromised host, and initiate outgoing call activity through the PBX environment,” the cybersecurity firm said.
FreePBX users are encouraged to update their FreePBX deployments to the latest version as soon as possible to protect against active threats.
Source link
