900+ Sangoma FreePBX Instances Compromised in Ongoing Web Shell Attacks

Published: (February 27, 2026 at 12:59 PM EST)

Source: The Hacker News

Overview

The Shadowserver Foundation has revealed that over 900 Sangoma FreePBX instances remain infected with web shells. The attacks exploit a command‑injection vulnerability (CVE‑2025‑64328) that first appeared in December 2025.

Impact and Statistics

  • 401 compromised instances are located in the United States.
  • 51 in Brazil.
  • 43 in Canada.
  • 40 in Germany.
  • 36 in France.

The non‑profit entity attributes the compromises to the exploitation of CVE‑2025‑64328 (CVSS 8.6), a high‑severity flaw that enables post‑authentication command injection.

“The impact is that any user with access to the FreePBX Administration panel could leverage this vulnerability to execute arbitrary shell commands on the underlying host,” FreePBX noted in its advisory. “An attacker could leverage this to obtain remote access to the system as the asterisk user.”
Source: FreePBX advisory (Nov 2025)

Vulnerability Details

  • Affected versions: FreePBX ≥ 17.0.2.36
  • Fixed in: FreePBX 17.0.3

Mitigation recommendations:

  1. Restrict access to the FreePBX Administrator Control Panel (ACP) to authorized users only.
  2. Block ACP access from hostile networks.
  3. Update the filestore module to the latest version.

The vulnerability is now listed in the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog.
Source: CISA KEV addition (Feb 2026)

Threat Actor Activity

Fortinet FortiGuard Labs reported that the cyber‑fraud operation INJ3CTOR3 has been exploiting CVE‑2025‑64328 since early December 2025 to deliver a web shell named EncystPHP.

“By leveraging Elastix and FreePBX administrative contexts, the web shell operates with elevated privileges, enabling arbitrary command execution on the compromised host and initiating outbound call activity through the PBX environment.”
— FortiGuard Labs report (Feb 2026)

Recommendations for FreePBX Users

  • Upgrade immediately to FreePBX 17.0.3 or later.
  • Apply the recommended access controls and module updates.
  • Monitor systems for the presence of the EncystPHP web shell.
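As an added illustration of the last recommendation (not code from the article, Shadowserver or the FreePBX project), the script below walks a PHP web root and flags files where a request parameter flows straight into a code- or command-execution primitive. The heuristic is a generic web-shell indicator, since the article publishes no EncystPHP signature; the FreePBX web root path (typically /var/www/html) and the sample files are assumptions, and the demo runs on a constructed temporary tree.

```python
import re
import tempfile
from pathlib import Path

# Heuristic: a PHP execution primitive whose argument is request-controlled,
# optionally wrapped in base64_decode(). This is a generic web-shell pattern,
# not a signature for EncystPHP (the article gives none).
EXEC_PRIMITIVES = r"(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open)"
INPUT_SOURCES = r"\$_(?:GET|POST|REQUEST|COOKIE)"
SUSPICIOUS = re.compile(
    rf"\b{EXEC_PRIMITIVES}\s*\(\s*(?:base64_decode\s*\(\s*)?{INPUT_SOURCES}",
    re.IGNORECASE,
)


def scan_php_tree(root: str) -> list[str]:
    """Return PHP files under root (relative paths) matching the heuristic."""
    hits = []
    for path in sorted(Path(root).rglob("*.php")):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        if SUSPICIOUS.search(text):
            hits.append(path.relative_to(root).as_posix())
    return hits


def demo() -> list[str]:
    """Scan a constructed sample tree (assumed layout, not real FreePBX files)."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "admin").mkdir()
        # Benign module code: an exec primitive with a literal argument.
        Path(tmp, "admin", "status.php").write_text(
            "<?php echo shell_exec('asterisk -rx \"core show uptime\"'); ?>"
        )
        # Constructed indicator: request input passed directly to eval().
        Path(tmp, "admin", "cache.php").write_text(
            "<?php eval(base64_decode($_POST['x'])); ?>"
        )
        return scan_php_tree(tmp)


if __name__ == "__main__":
    for hit in demo():
        print("suspicious:", hit)  # prints: suspicious: admin/cache.php
```

Run it against the real web root with `scan_php_tree("/var/www/html")` and treat any hit as a lead to review, alongside a check of file ownership and modification times under the asterisk user.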

Source: The Shadowserver Foundation
