900 FreePBX Instances Infected: Critical Vulnerability Alert

900 FreePBX Instances Infected: Critical Vulnerability Alert

900 FreePBX Instances Infected: Critical Vulnerability Alert

Approximately 900 Sangoma FreePBX instances remain compromised with web shells after attackers exploited a critical post-authentication command injection vulnerability (CVE-2025-64328). This flaw, patched in November 2025, has enabled hackers to deploy malicious web shells and maintain persistent access to vulnerable systems.

Understanding the Sangoma FreePBX Vulnerability

The exploited vulnerability (CVSS score 8.6) resides in the filestore module of the endpoint manager’s administrative interface. Attackers with valid login credentials can execute arbitrary shell commands, granting full control over the underlying host system. The flaw was actively exploited by the INJ3CTOR3 hacking group starting in December 2025.

How the Exploit Works

  • Attackers log in with compromised credentials
  • Exploit the filestore module’s command injection flaw
  • Deploy a PHP web shell named EncystPHP
  • Gain remote command execution and persistent access

Global Impact and Attack Patterns

The Shadowserver Foundation reports 900 active infections across 15+ countries. Key statistics include:

  • 400 compromised instances in the United States
  • Dozens in Brazil, Canada, Germany, and the UK
  • Smaller clusters in France, Italy, and the Netherlands

CISA added CVE-2025-64328 to its Known Exploited Vulnerabilities (KEV) list in January 2026, emphasizing the urgency of patching.

Immediate Mitigation Steps

Organizations using FreePBX must act now to secure their systems:

  1. Update the filestore module to the latest patched version
  2. Restrict administrative access to trusted IP addresses
  3. Block traffic from known malicious IP ranges
  4. Scan for and remove any web shells (e.g., EncystPHP)
  5. Implement multi-factor authentication for admin accounts

Why This Matters for Your Business

Unpatched FreePBX systems expose organizations to:

  • Data exfiltration via command-line access
  • Malware deployment through web shells
  • Long-term persistence in enterprise networks
  • Compliance violations (e.g., GDPR, HIPAA)

Conclusion: Secure Your FreePBX Deployments

The Sangoma FreePBX vulnerability highlights the critical need for proactive patch management. With 900 active infections still detected, administrators must prioritize system updates and network monitoring. Regular vulnerability scans and strict access controls can prevent similar attacks in the future.

Take action now: Verify your FreePBX version, apply patches immediately, and audit your systems for signs of compromise.

FAQs

1. What is the Sangoma FreePBX vulnerability (CVE-2025-64328)?

A post-authentication command injection flaw in the endpoint manager’s filestore module that allows attackers to execute arbitrary shell commands.

2. How many systems are affected?

Approximately 900 instances globally remain compromised as of February 2026.

3. Who is exploiting this vulnerability?

The INJ3CTOR3 hacking group has been actively using this flaw to deploy web shells since December 2025.

4. What should I do if I use FreePBX?

Update the filestore module, restrict access, and scan for web shells. Follow the mitigation steps outlined in this article.

5. Is there a tool to detect web shells?

Use automated vulnerability scanners like Nessus or manual code reviews to identify suspicious PHP files in your FreePBX directories.