900 FreePBX Instances Compromised by Web Shell Malware
Recent Analysis Reveals Widespread Exploitation of Sangoma FreePBX Vulnerability
A recent analysis by The Shadowserver Foundation has revealed that approximately 900 instances of Sangoma FreePBX remain compromised due to the exploitation of a command injection vulnerability.
Vulnerability and Exploitation
The vulnerability, tracked as CVE-2025-64328, was patched in November 2025 but was exploited by a hacking group known as INJ3CTOR3 to deploy a web shell called EncystPHP.
EncystPHP gives attackers remote command execution and persistent access on the host and can deploy further web shells; Fortinet first detected it last month.
CVE-2025-64328 is a post-authentication command injection issue that affects the filestore module of the endpoint manager’s administrative interface.
An attacker who already has access to that interface can execute arbitrary shell commands on the underlying host and thereby gain remote access to the system. Because exploitation requires an authenticated session, exposed or weakly protected administrative logins are the practical entry point.
Compromised Instances and Mitigation
The US cybersecurity agency CISA added CVE-2025-64328 to its Known Exploited Vulnerabilities (KEV) list, alongside another FreePBX bug exploited by INJ3CTOR3, CVE-2019-19006.
The Shadowserver Foundation’s analysis shows that most of the compromised instances (around 400) are located in the US, with dozens more in Brazil, Canada, Germany, France, the UK, Italy, and the Netherlands.
To mitigate the vulnerability, administrators are advised to update the filestore module in their FreePBX deployments to the latest version, restrict the administrative panel to authorized users (for example by allowlisting management networks), and block access from known malicious sources.
Importance of Prompt Patching and Secure Configuration
The exploitation of CVE-2025-64328 by INJ3CTOR3 highlights the importance of prompt patching and secure configuration of FreePBX instances.
The incident also underscores the need for organizations to monitor their systems for signs of compromise and to have incident response plans in place to respond to security incidents.
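As an added example, not code from the article, Shadowserver, Fortinet or the FreePBX project, the following POSIX shell helpers act on the mitigation advice above (restricting the administrative panel) and on the monitoring point (looking for signs of compromise). They assume FreePBX's web root is /var/www/html and that the admin UI is served by Apache 2.4 under /admin; the indicator regex is a generic web-shell heuristic, since the page gives no EncystPHP signature, and the web root the demo scans is a constructed fixture.

```shell
#!/bin/sh
# Added example (not code from the article, Shadowserver, Fortinet or the
# FreePBX project). Three helpers a FreePBX admin can use after reading the
# mitigation advice: find PHP files in the web root that carry generic
# web-shell traits, list PHP files changed recently, and emit an Apache
# allowlist for the admin UI.
#
# Assumptions not stated on the page: the FreePBX web root is /var/www/html,
# the admin UI is served by Apache 2.4 under /admin, and WEBSHELL_PATTERN is
# a generic heuristic (EncystPHP's own signature is not given on the page).
set -u

FREEPBX_WEBROOT="${FREEPBX_WEBROOT:-/var/www/html}"   # assumed default

# ERE for PHP code-execution calls fed by a decoder or directly by request input.
WEBSHELL_PATTERN='eval\((base64_decode|gzinflate|str_rot13)\(|eval\(\$_(POST|GET|REQUEST|COOKIE)|(system|shell_exec|passthru|exec|assert)\(\$_(POST|GET|REQUEST|COOKIE)'

# scan_webshell_indicators [DIR]
# Prints the path of every PHP file under DIR matching WEBSHELL_PATTERN.
# Returns 0 when at least one file matched, 1 when none did.
scan_webshell_indicators() {
    dir="${1:-$FREEPBX_WEBROOT}"
    hits=$(find "$dir" -type f -name '*.php' | while IFS= read -r f; do
        if grep -qE -e "$WEBSHELL_PATTERN" "$f"; then
            printf '%s\n' "$f"
        fi
    done)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# recent_php_changes DIR DAYS
# Lists PHP files under DIR modified within the last DAYS days. Legitimate
# module files normally predate the last module upgrade, so newer PHP files
# in the web root deserve a look.
recent_php_changes() {
    find "$1" -type f -name '*.php' -mtime -"$2"
}

# admin_allowlist_conf CIDR...
# Prints an Apache 2.4 snippet restricting /admin to the given networks
# (multiple Require lines inside <Location> are OR-ed together).
admin_allowlist_conf() {
    [ "$#" -gt 0 ] || { echo 'usage: admin_allowlist_conf CIDR...' >&2; return 1; }
    printf '<Location "/admin">\n'
    for net in "$@"; do
        printf '    Require ip %s\n' "$net"
    done
    printf '</Location>\n'
}

# make_sample_webroot DIR
# Builds a constructed fixture: one benign module file (it calls base64_decode
# but never eval) and two planted shells hidden among ordinary-looking files.
make_sample_webroot() {
    mkdir -p "$1/admin/modules/filestore" "$1/admin/assets"
    printf '<?php\n$cfg = base64_decode($stored);\necho "ok";\n' \
        > "$1/admin/modules/filestore/Filestore.class.php"
    printf '<?php eval(base64_decode($_POST["c"])); ?>\n' > "$1/admin/.cache.php"
    printf '<?php system($_GET["cmd"]); ?>\n' > "$1/admin/assets/favicon.php"
}

# Stand-alone demo on the constructed fixture: ./check_freepbx.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_webroot "$tmp"
    echo "== web-shell indicators =="
    scan_webshell_indicators "$tmp" || echo "none"
    echo "== PHP files changed in the last day =="
    recent_php_changes "$tmp" 1
    echo "== Apache allowlist for /admin =="
    admin_allowlist_conf 10.0.0.0/8 192.0.2.10
    rm -rf "$tmp"
fi
```

In practice, point scan_webshell_indicators and recent_php_changes at the real web root rather than the fixture, treat a hit as a trigger for a full forensic review (the web shell is a symptom, not the whole intrusion), and install the generated snippet in the FreePBX Apache vhost before reloading the server.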
The Shadowserver Foundation’s findings serve as a reminder that vulnerabilities can remain exploited long after patches are available, emphasizing the need for ongoing vigilance and proactive security measures to prevent and detect attacks.
