FreePBX Instances Infected by Web Shells via Command Injection Vulnerability Exploits
Hundreds of FreePBX Instances Compromised by Web Shells via Command Injection Vulnerability
A significant number of Sangoma FreePBX instances have been infected with web shells, resulting from ongoing attacks that exploit a command injection vulnerability.
Impact and Affected Versions
According to the Shadowserver Foundation, over 900 instances have been compromised, with a substantial proportion located in the United States.
Vulnerability Details
The vulnerability in question, tracked as CVE-2025-64328, carries a CVSS score of 8.6 and enables post-authentication command injection. An attacker who can authenticate to the administrative interface can execute arbitrary shell commands on the host, gaining remote access with the privileges of the asterisk user. The flaw affects FreePBX versions higher than 17.0.2.36 and was addressed in version 17.0.3.
Exploitation and Consequences
Threat actors, including those behind the INJ3CTOR3 operation, have been actively exploiting this vulnerability since December 2025 to deploy web shells like EncystPHP, operating with elevated privileges.
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), this vulnerability has been added to its Known Exploited Vulnerabilities catalog.
Recommendations
This development underscores the need for organizations to update their FreePBX deployments to the latest version and to implement compensating controls, including restricting administrative panel access to authorized users and blocking access from untrusted networks. Unpatched instances whose administrative interface is reachable remain open to exploitation, so prompt patching matters as much as these access restrictions.
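A small triage helper for the update recommendation above, added here as an example rather than code from Sangoma or the article: it compares installed FreePBX version strings component by component against the fixed release named in the text (17.0.3), which avoids the classic mistake of ranking "17.0.10" below "17.0.3" through string comparison. The host inventory is constructed for illustration.

```python
"""Classify FreePBX instances against the fixed release named in the article.

Added example, not Sangoma's or the article's code. The inventory below is constructed;
the only value taken from the article is the fixed version, 17.0.3.
"""

FIXED_VERSION = "17.0.3"  # release that addressed CVE-2025-64328, per the article


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '17.0.2.36' into (17, 0, 2, 36) so components compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def version_at_least(installed: str, minimum: str) -> bool:
    """Component-wise comparison; missing trailing components count as zero,
    so '17.0.3' and '17.0.3.0' are treated as the same release."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split hosts into those at or after the fixed release and those still needing the update."""
    result: dict[str, list[str]] = {"patched": [], "needs_update": []}
    for host, version in sorted(inventory.items()):
        bucket = "patched" if version_at_least(version, FIXED_VERSION) else "needs_update"
        result[bucket].append(host)
    return result


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "pbx-east.example.internal": "17.0.2.36",
    "pbx-west.example.internal": "17.0.3",
    "pbx-lab.example.internal": "17.0.10",
    "pbx-old.example.internal": "16.0.40",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```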
