The ShadowServer Foundation has revealed that more than 900 Sangoma FreePBX instances are still infected with the web shell as part of attacks that exploited a command injection vulnerability starting in December 2025.
Of these, 401 cases are in the US, followed by 51 in Brazil, 43 in Canada, 40 in Germany and 36 in France.
The non-profit entity said the compromise was likely accomplished through the exploitation of CVE-2025-64328 (CVSS score: 8.6), a high-severity security flaw that could enable post-authentication command injection.
“The impact is that any user with access to the FreePBX administration panel can take advantage of this vulnerability to execute arbitrary shell commands on the underlying host,” FreePBX said in an advisory for the flaw in November 2025. “An attacker could leverage this to gain remote access to the system as the asterisk user.”
The vulnerability affects FreePBX versions up to and including 17.0.2.36. This was resolved in version 17.0.3. As a mitigation, it is advisable to add security controls to ensure that only authorized users have access to the FreePBX Administrator Control Panel (ACP), restrict access to the ACP from hostile networks, and update the filestore module to the latest version.
The vulnerability has since come under active exploitation in the wild, prompting the US Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) list earlier this month.
|
| Source: The Shadowserver Foundation |
In a report published late last month, Fortinet FortiGuard Labs revealed that the threat actor behind the cyber fraud operation codenamed INJ3CTOR3 has been exploiting CVE-2025-64328 since early December 2025 to distribute a web shell codenamed EncystPHP.
“By leveraging the Elasticsearch and FreePBX administrative contexts, the web shell operates with elevated privileges, enabling arbitrary command execution on the compromised host and initiating outbound call activity through the PBX environment,” the cybersecurity company said.
FreePBX users are advised to update their FreePBX deployment to the latest version as soon as possible to counter active threats.
