Sangoma FreePBX Vulnerability Exploited, Impacts Over 900 Instances
- Mar 1
Key Findings
About 900 Sangoma FreePBX systems were infected with web shells after attackers exploited a command injection flaw.
Hundreds of Sangoma FreePBX instances are still infected with web shells following attacks that began in December 2025.
The campaign exploited a post-authentication command injection vulnerability, tracked as CVE-2025-64328 (CVSS score of 8.6), in the endpoint manager interface.
The Shadowserver Foundation reports that around 900 FreePBX instances are still compromised and running web shells, likely due to exploitation of CVE-2025-64328.
About 400 affected systems are located in the United States, with dozens more in countries including Brazil, Canada, Germany, France, the UK, Italy, and the Netherlands.
In January, FortiGuard Labs identified a new web shell dubbed "EncystPHP," capable of remote command execution, persistence, and further web shell deployment.
Researchers link the activity to the threat group INJ3CTOR3, known for targeting past vulnerabilities in FreePBX and Elastix systems.
Attackers delivered the EncystPHP dropper from 45.234.176.202, exploiting CVE-2025-64328 in FreePBX.
The dropper performed various malicious activities, including locking key files, harvesting database configs, deleting cron jobs and user accounts, and deploying additional web shells.
In early February, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw in Sangoma FreePBX to its Known Exploited Vulnerabilities (KEV) catalog.
Background
Sangoma FreePBX is an open-source, web-based platform for managing Asterisk-powered VoIP phone systems. Maintained by Sangoma Technologies, it allows businesses to configure extensions, call routing, voicemail, IVR menus, and SIP trunks through an easy-to-use interface.
Vulnerability and Exploitation
The campaign exploited a post-authentication command injection vulnerability, tracked as CVE-2025-64328 (CVSS score of 8.6), in the endpoint manager interface of Sangoma FreePBX. This vulnerability allowed attackers to execute malicious commands and maintain persistent access to compromised systems.
Affected Systems and Locations
The Shadowserver Foundation reports that around 900 FreePBX instances are still compromised and running web shells, likely due to exploitation of CVE-2025-64328 in the endpoint manager. About 400 affected systems are located in the United States, with dozens more in countries including Brazil, Canada, Germany, France, the UK, Italy, and the Netherlands, and smaller numbers spread across other regions.
Threat Actor and Malware
In January, FortiGuard Labs identified a new web shell dubbed "EncystPHP," capable of remote command execution, persistence, and further web shell deployment. The attacks began in early December and exploited CVE-2025-64328. Researchers link the activity to the threat group INJ3CTOR3, known for targeting past vulnerabilities in FreePBX and Elastix systems.
Attacker Tactics and Techniques
Attackers delivered the EncystPHP dropper from 45.234.176.202, exploiting CVE-2025-64328 in FreePBX. Once installed, the malware locked key files, harvested database configs, deleted cron jobs and user accounts, and removed rival web shells. It created a root-level user, reset passwords, injected an SSH key, and ensured port 22 stayed open for persistent access. The dropper also fetched additional payloads, erased logs, removed the Endpoint Manager module, restored permissions to avoid detection, and deployed Base64-encoded web shells to maintain long-term control.
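As an added defender-side example (not code from the original article or from any of its sources), the following Python helpers check copied host artifacts for three of the persistence indicators described above: an extra UID 0 account, an authorized_keys entry outside a known-good set, and PHP files that feed decoded Base64 straight into an execution function. The account name, key blobs and file paths in the sample data are constructed.

```python
import re

# PHP execution functions that web shells commonly wrap around base64_decode().
EXEC_FUNCS = ("eval", "assert", "system", "passthru", "shell_exec", "exec")
SHELL_RE = re.compile(r"\b(" + "|".join(EXEC_FUNCS) + r")\s*\(\s*base64_decode\s*\(", re.I)

def find_uid0_accounts(passwd_text):
    """Login names in /etc/passwd content with UID 0 other than 'root'."""
    hits = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[2] == "0" and f[0] != "root":
            hits.append(f[0])
    return hits

def find_unknown_ssh_keys(authorized_keys_text, allowlist):
    """authorized_keys lines whose key blob (the field after the key type) is
    not in allowlist, a set of known-good blobs. Leading options are skipped."""
    unknown = []
    for line in authorized_keys_text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        for i, tok in enumerate(parts[:-1]):
            if tok.startswith(("ssh-", "ecdsa-")):
                if parts[i + 1] not in allowlist:
                    unknown.append(line.strip())
                break
    return unknown

def find_webshell_candidates(php_files):
    """php_files maps path -> source. Return paths where decoded Base64 is fed
    directly into an execution function (a triage hint, not proof of compromise)."""
    return sorted(p for p, src in php_files.items() if SHELL_RE.search(src))

# Constructed sample artifacts (account name, key blobs and paths are made up).
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "asterisk:x:995:995::/var/lib/asterisk:/sbin/nologin\n"
                 "sysadm:x:0:0::/root:/bin/bash\n")
SAMPLE_KEYS = ("ssh-ed25519 AAAAC3knownblob admin@pbx\n"
               "ssh-ed25519 AAAAC3injectedblob x@x\n")
KNOWN_KEYS = {"AAAAC3knownblob"}
SAMPLE_PHP = {"/var/www/html/admin/config.php": "<?php echo base64_decode($logo); ?>",
              "/var/www/html/admin/.cache.php": "<?php eval(base64_decode($d)); ?>"}

if __name__ == "__main__":
    print("extra UID 0 accounts:", find_uid0_accounts(SAMPLE_PASSWD))
    print("unknown SSH keys:", find_unknown_ssh_keys(SAMPLE_KEYS, KNOWN_KEYS))
    print("web shell candidates:", find_webshell_candidates(SAMPLE_PHP))
```

Run it against copies of /etc/passwd, the relevant authorized_keys files and the FreePBX web root; a hit on any check warrants a full investigation rather than a patch alone.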
Response and Remediation
In early February, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw in Sangoma FreePBX to its Known Exploited Vulnerabilities (KEV) catalog, underscoring the urgency of patching. Users of Sangoma FreePBX are advised to update their systems to the latest version, which addresses CVE-2025-64328. Because updating does not remove a web shell that is already in place, systems that were exposed during the campaign should also be checked for compromise.
Sources
https://securityaffairs.com/188679/uncategorized/cve-2025-64328-exploitation-impacts-900-sangoma-freepbx-instances.html
https://unsafe.sh/go-398495.html
https://thehackernews.com/2026/02/900-sangoma-freepbx-instances.html
https://www.securityweek.com/900-sangoma-freepbx-instances-infected-with-web-shells/
https://www.reddit.com/r/pwnhub/comments/1rgkjxp/over_900_sangoma_freepbx_instances_compromised_in/