Approximately 900 Sangoma FreePBX instances remain infected with web shells following attacks that have exploited a command injection vulnerability since December 2025.
Sangoma FreePBX is a web-based, open source graphical user interface that serves as a widely deployed management tool for Asterisk-based IP telephone systems.
The exploited bug, tracked as CVE-2025-64328 (CVSS score of 8.6) and patched in November 2025, impacts the filestore module of the endpoint manager’s administrative interface.
Described as a post-authentication command injection issue, the flaw allows an attacker logged in as any user with access to the interface to execute arbitrary shell commands on the underlying host and gain remote access to the system.
Last month, Fortinet revealed that a hacking group tracked as INJ3CTOR3 had been exploiting CVE-2025-64328 for over a month to deploy a web shell called EncystPHP.
The web shell provides the attackers with remote command execution, persistent access, and web shell deployment capabilities.
“These incidents begin with the exploitation of a FreePBX vulnerability, followed by the deployment of a PHP web shell in the target environments. We assess that this campaign represents recent attack activity and behavior patterns associated with INJ3CTOR3,” Fortinet said.
A week later, the US cybersecurity agency CISA added the CVE to its Known Exploited Vulnerabilities (KEV) list alongside CVE-2019-19006, another FreePBX bug exploited by the same hacking group.
Now, non-profit organization The Shadowserver Foundation says that approximately 900 FreePBX instances remain compromised and are running web shells. The endpoint manager deployments were likely compromised via CVE-2025-64328, it notes.
Most of the compromised instances (roughly 400) are in the US, data from The Shadowserver Foundation shows. Dozens of instances are in Brazil, Canada, Germany, France, the UK, Italy, and the Netherlands, and smaller numbers in many other countries.
Users are advised to update the filestore module in their FreePBX deployments to the latest version, to restrict access to the administrative panel to authorized users, and to block access from known malicious sources.
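The second piece of that advice, limiting who can reach the administrative panel, is the kind of change a FreePBX operator would make in the web server in front of the application. The fragment below is an added illustration, not configuration from the article or from Sangoma; it assumes Apache is the web server serving FreePBX, that the administrative interface is served under the `/admin` path, and that `203.0.113.0/24` stands in for the operator's own management network (a documentation-range placeholder, not a real address).

```apache
# Added example: restrict the FreePBX administrative panel to a trusted
# management network. Assumes Apache 2.4 and that the admin UI lives under
# /admin; the CIDR below is a placeholder for the operator's own network.

# Weak setting: the admin panel answers to anyone who can reach the host.
<Location "/admin">
    Require all granted
</Location>

# Corrected setting: only the management network may reach /admin.
# Everything else receives 403 before any FreePBX code runs, which also
# removes the panel as a foothold for post-authentication bugs such as
# the filestore issue described above.
<Location "/admin">
    Require ip 203.0.113.0/24
</Location>

# Keep the log entries for rejected requests: a spike of 403s against
# /admin from a single source is a useful signal for blocking that source
# at the firewall, as the advisory also recommends.
LogLevel authz_core:info
```

Network-level restriction complements, rather than replaces, updating the filestore module: an attacker who already holds valid credentials inside the allowed range can still reach the vulnerable code until the module is patched.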