CVE-2025-64328 exploitation impacts 900 Sangoma FreePBX instances

About 900 Sangoma FreePBX systems were infected with web shells after attackers exploited a command injection flaw.

Hundreds of Sangoma FreePBX instances are still infected with web shells following attacks that began in December 2025.

Sangoma FreePBX is an open-source, web-based platform for managing Asterisk-powered VoIP phone systems. Maintained by Sangoma Technologies, it allows businesses to configure extensions, call routing, voicemail, IVR menus, and SIP trunks through an easy-to-use interface.

The campaign exploited a post-authentication command injection vulnerability, tracked as CVE-2025-64328 (CVSS score of 8.6), in the endpoint manager interface, allowing attackers to execute malicious commands and maintain persistent access to compromised systems.

“FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore module within the Administrative interface is vulnerable to a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function.” reads the advisory. “An attacker can leverage this vulnerability to obtain remote access to the system as an asterisk user. This issue is fixed in version 17.0.3.”

The Shadowserver Foundation reports that around 900 FreePBX instances are still compromised and running web shells, likely due to exploitation of CVE-2025-64328 in the endpoint manager. About 400 affected systems are located in the United States, with dozens more in countries including Brazil, Canada, Germany, France, the UK, Italy, and the Netherlands, and smaller numbers spread across other regions.

In January, FortiGuard Labs identified a new web shell dubbed “EncystPHP,” capable of remote command execution, persistence, and further web shell deployment. The attacks began in early December and exploited the flaw CVE-2025-64328. Researchers link the activity to the threat group INJ3CTOR3, known for targeting past vulnerabilities in FreePBX and Elastix systems. The campaign follows a familiar pattern: exploiting a flaw and installing a PHP web shell to maintain access.

“The web shell was delivered via CVE-2025-64328, a post-authentication command-injection vulnerability in the administrative interface of the FreePBX Endpoint Manager.” reads the analysis published by Fortinet. “The attackers downloaded the EncystPHP dropper from the IP address 45[.]234[.]176[.]202, which resolves to the domain crm[.]razatelefonia[.]pro. “

Attackers delivered the EncystPHP dropper from 45.234.176.202, exploiting CVE-2025-64328 in FreePBX. Once installed, the malware locked key files, harvested database configs, deleted cron jobs and user accounts, and removed rival web shells. It created a root-level user, reset passwords, injected an SSH key, and ensured port 22 stayed open for persistent access.

The dropper also fetched additional payloads, erased logs, removed the Endpoint Manager module, restored permissions to avoid detection, and deployed Base64-encoded web shells to maintain long-term control.

In early February, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw in Sangoma FreePBX to its Known Exploited Vulnerabilities (KEV) catalog.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2025-64328 )