Urgent Cybersecurity Alert: Hundreds of FreePBX Systems Under Web Shell Siege
A significant cybersecurity threat is unfolding, with over 900 Sangoma FreePBX instances currently infected by malicious web shells. This widespread compromise stems from the active exploitation of a critical command injection vulnerability, CVE-2025-64328, which began impacting systems as early as December 2025.
The Scale of the Attack: A Global Concern
The Shadowserver Foundation, a leading non-profit security organization, has brought the alarming figures to light. Their analysis reveals a global distribution of compromised systems, with the United States bearing the brunt of the attacks, accounting for 401 infected instances. Other significantly affected nations include Brazil (51 instances), Canada (43), Germany (40), and France (36), underscoring the international scope of this cyber assault.
Understanding the Critical Vulnerability: CVE-2025-64328
At the heart of these compromises lies CVE-2025-64328, a high-severity (CVSS score: 8.6) post-authentication command injection flaw. FreePBX itself issued an advisory in November 2025, detailing the severe implications:
“The impact is that any user with access to the FreePBX Administration panel could leverage this vulnerability to execute arbitrary shell commands on the underlying host. An attacker could leverage this to obtain remote access to the system as the asterisk user.”
This vulnerability essentially grants attackers the ability to execute arbitrary commands on the host system, potentially leading to full control and data exfiltration.
Who is Behind the Attacks? The INJ3CTOR3 Threat Actor
Further insights into the ongoing campaign come from Fortinet FortiGuard Labs. In a report published late last month, Fortinet identified the threat actor codenamed INJ3CTOR3 as being responsible for exploiting CVE-2025-64328. This group has been actively deploying a sophisticated web shell, dubbed EncystPHP, since early December 2025.
EncystPHP is particularly dangerous due to its operational capabilities:
“By leveraging Elastix and FreePBX administrative contexts, the web shell operates with elevated privileges, enabling arbitrary command execution on the compromised host and initiating outbound call activity through the PBX environment,” Fortinet explained.
This means attackers can not only control the system but also potentially manipulate call activities within the PBX environment, posing significant risks to communication integrity and privacy.
Urgent Mitigations and Recommendations
The vulnerability affects FreePBX versions 17.0.2.36 and later, and was officially resolved in version 17.0.3. Given the active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has already added CVE-2025-64328 to its Known Exploited Vulnerabilities (KEV) catalog, emphasizing the immediate need for action.
FreePBX users are strongly urged to implement the following critical mitigations without delay:
- Update Immediately: Ensure your FreePBX deployments are updated to version 17.0.3 or the latest available version to patch the vulnerability.
- Restrict Access: Implement stringent security controls to ensure that only authorized users have access to the FreePBX Administrator Control Panel (ACP).
- Network Segmentation: Restrict access to the ACP from hostile or untrusted networks.
- Module Updates: Update the filestore module to its latest version.
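The following Python script is an added defender-side example, not code from Sangoma, FreePBX or the article's sources. It turns two of the points above into checks an administrator can run: whether an installed version string falls inside the affected range the article gives (17.0.2.36 up to, but not including, the fixed release 17.0.3), and whether the web server's access log shows requests to the administration panel from outside an allow-listed network, which is the practical test of the "restrict access" and "network segmentation" items. The `/admin/` path, the allow-listed network and the log lines are constructed assumptions for illustration.

```python
"""Added example: version-range and ACP-access checks for the FreePBX advisory.

Assumptions (not from the article): the admin panel is served under /admin/,
the access log is in Apache/nginx combined format, and the sample log lines
and allow-listed networks below are constructed for demonstration.
"""
import ipaddress
import re

# Range stated in the advisory: affected from 17.0.2.36, fixed in 17.0.3.
FIRST_AFFECTED = (17, 0, 2, 36)
FIXED = (17, 0, 3)


def parse_version(version: str) -> tuple:
    """Turn a dotted version string into a tuple of ints for comparison."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version: str) -> bool:
    """True when the installed version is in [17.0.2.36, 17.0.3).

    Tuple comparison handles mixed lengths correctly: (17, 0, 2, 36) < (17, 0, 3)
    because 2 < 3 at the third position, and (17, 0, 3, 1) is not < (17, 0, 3).
    """
    installed = parse_version(version)
    return FIRST_AFFECTED <= installed < FIXED


# Combined-log-format line: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def acp_access_from_untrusted(log_lines, allowed_cidrs, acp_prefix="/admin/"):
    """Return (ip, path, status) for every admin-panel request whose source
    address is not inside one of the allow-listed networks.

    Any hit is a sign that the ACP is reachable from a network it should not
    be reachable from, regardless of whether the request succeeded.
    """
    allowed = [ipaddress.ip_network(cidr) for cidr in allowed_cidrs]
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        if not match["path"].startswith(acp_prefix):
            continue  # only the administration panel is of interest here
        client = ipaddress.ip_address(match["ip"])
        if any(client in net for net in allowed):
            continue  # request came from an allow-listed management network
        hits.append((match["ip"], match["path"], match["status"]))
    return hits


# Constructed sample log: two requests from a management network (10.0.0.0/8),
# one request to the user portal, and two admin-panel requests from an
# address outside the allow-list (203.0.113.0/24 is a documentation range).
SAMPLE_LOG = """\
10.0.5.20 - - [12/Dec/2025:09:14:02 +0000] "GET /admin/config.php HTTP/1.1" 200 5123
203.0.113.45 - - [12/Dec/2025:09:15:11 +0000] "POST /admin/config.php HTTP/1.1" 200 812
198.51.100.9 - - [12/Dec/2025:09:15:40 +0000] "GET /ucp/ HTTP/1.1" 200 2210
203.0.113.45 - - [12/Dec/2025:09:16:03 +0000] "GET /admin/ HTTP/1.1" 302 0
10.0.7.3 - - [12/Dec/2025:09:17:15 +0000] "GET /admin/ HTTP/1.1" 200 4001
""".splitlines()

ALLOWED_MANAGEMENT_NETS = ["10.0.0.0/8"]


if __name__ == "__main__":
    for v in ["17.0.2.35", "17.0.2.36", "17.0.2.40", "17.0.3", "17.0.3.1"]:
        print(f"{v:>10}: {'AFFECTED' if is_affected(v) else 'not in affected range'}")
    for ip, path, status in acp_access_from_untrusted(SAMPLE_LOG, ALLOWED_MANAGEMENT_NETS):
        print(f"ACP request from non-allow-listed address {ip}: {path} -> {status}")
```

The version check only tells you whether the build is in the range the advisory names; it does not tell you whether the host was already compromised, so on an affected system the update should be followed by a review of the web root and outbound call records, as the Fortinet findings above suggest. The log check is deliberately indifferent to the HTTP status: a 302 redirect to the login page from an untrusted address still proves the panel is exposed.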
Proactive measures are essential to protect your systems from this pervasive threat. Staying informed and acting swiftly are your best defenses against sophisticated cyberattacks like the one targeting FreePBX.