In a recent cybersecurity development, over 900 instances of Sangoma’s FreePBX have been compromised through web shell attacks, exploiting a command injection vulnerability identified as CVE-2025-64328. This flaw, with a CVSS score of 8.6, allows authenticated users to execute arbitrary shell commands on the host system, potentially granting attackers remote access as the ‘asterisk’ user.
The Shadowserver Foundation reports that these attacks began in December 2025, with 401 affected instances in the U.S., followed by significant numbers in Brazil, Canada, Germany, and France. The vulnerability impacts FreePBX versions 17.0.2.36 and later, and has been addressed in version 17.0.3. Users are strongly advised to update their systems promptly and to restrict access to the FreePBX Administration Control Panel so that only authorized users can reach it.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalog, highlighting its active exploitation. Further analysis by Fortinet FortiGuard Labs indicates that the threat actor known as INJ3CTOR3 has been leveraging this flaw to deploy a web shell named EncystPHP, enabling arbitrary command execution and unauthorized outbound calls through the PBX environment.
To mitigate these risks, FreePBX users should update to the latest version, implement stringent access controls, and monitor their systems for signs of compromise.
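The two checks an administrator would run first are whether the installed FreePBX build falls inside the affected range and whether the web root contains PHP files that the installation did not put there. The script below is an added example, not Sangoma's or FreePBX's own tooling. It reads the advisory's "17.0.2.36 and later, fixed in 17.0.3" as the range 17.0.2.36 <= version < 17.0.3; the web-root path, the baseline manifest and the file listing are constructed placeholders, and a real deployment would build the baseline from the package manifest of a known-clean install.

```python
"""
Defender-side checks for the FreePBX CVE-2025-64328 advisory.

Added example, not Sangoma/FreePBX code. Assumptions (not from the advisory):
  - the affected range is read as 17.0.2.36 <= version < 17.0.3
  - the web-root path, baseline manifest and file listing are constructed
"""
from __future__ import annotations

from collections.abc import Iterable
from dataclasses import dataclass
from datetime import datetime, timezone

FIRST_AFFECTED = (17, 0, 2, 36)   # advisory: 17.0.2.36 and later
FIXED = (17, 0, 3)                # advisory: addressed in 17.0.3


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '17.0.2.36' into (17, 0, 2, 36); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True if the installed FreePBX version is inside the affected range.

    Tuple comparison handles differing lengths: (17, 0, 3, 1) >= (17, 0, 3),
    so a 17.0.3.x build is correctly treated as patched.
    """
    return FIRST_AFFECTED <= parse_version(version) < FIXED


@dataclass(frozen=True)
class WebFile:
    """One entry from a listing of the PBX web root."""
    path: str
    mtime: datetime


def unexpected_php_files(listing: Iterable[WebFile],
                         baseline: set[str],
                         installed_at: datetime) -> list[str]:
    """PHP files that are not in the known-good manifest, or that were
    modified after the install time. Either condition deserves a look:
    a dropped web shell is a new file, and a backdoored original is an
    old file with a fresh mtime."""
    return sorted(
        f.path for f in listing
        if f.path.endswith(".php")
        and (f.path not in baseline or f.mtime > installed_at)
    )


# --- constructed sample data (placeholders, not real FreePBX paths) ---------
WEB_ROOT = "/var/www/html"  # assumed; verify against your own install
BASELINE = {
    f"{WEB_ROOT}/index.php",
    f"{WEB_ROOT}/admin/config.php",
}
INSTALLED_AT = datetime(2025, 11, 1, tzinfo=timezone.utc)
SAMPLE_LISTING = [
    WebFile(f"{WEB_ROOT}/index.php", datetime(2025, 11, 1, tzinfo=timezone.utc)),
    WebFile(f"{WEB_ROOT}/admin/config.php", datetime(2025, 12, 10, tzinfo=timezone.utc)),
    WebFile(f"{WEB_ROOT}/admin/assets/cache.php", datetime(2025, 12, 12, tzinfo=timezone.utc)),
    WebFile(f"{WEB_ROOT}/admin/assets/style.css", datetime(2025, 12, 12, tzinfo=timezone.utc)),
]


def demo_findings() -> list[str]:
    """Run the file check over the constructed listing."""
    return unexpected_php_files(SAMPLE_LISTING, BASELINE, INSTALLED_AT)


if __name__ == "__main__":
    for v in ("17.0.2.35", "17.0.2.36", "17.0.2.40", "17.0.3", "17.0.3.1"):
        print(f"{v:10} affected={is_affected(v)}")
    for path in demo_findings():
        print("review:", path)
```

The file check is deliberately conservative: it reports, it does not delete, because a flagged file is evidence to preserve for incident response rather than something to clean up on the spot. Pair it with the version check, and with a review of the PBX's outbound call records, which the FortiGuard analysis cited above identifies as the other visible symptom of this campaign.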