Over 900 instances of Sangoma FreePBX are still infected with web shells following a campaign that exploited a high-severity command injection vulnerability disclosed in late 2025. The Shadowserver Foundation reported that the compromised systems are primarily located in the United States, with significant numbers also identified in Brazil, Canada, Germany, and France. The ongoing exploitation shows that PBX servers remain an attractive and often poorly maintained target.
These compromises are attributed to the exploitation of CVE-2025-64328, a high-severity vulnerability identified by FreePBX itself in November 2025. The flaw, scored 8.6 on CVSS, allows an authenticated attacker to execute arbitrary shell commands on the underlying server. Because the attacker needs valid access to the administrative interface, an exposed or weakly protected Administration Control Panel (ACP) is the enabling condition, and a single compromised admin credential becomes OS-level code execution on the PBX host, with the obvious consequences for data integrity and operational continuity.
FreePBX Vulnerability Leaves Systems Exposed
The command injection vulnerability, CVE-2025-64328, affects FreePBX versions 17.0.2.36 and earlier. FreePBX fixed the flaw in version 17.0.3. As interim mitigations, FreePBX advised users to enforce strict access controls on the ACP, restrict network access to the ACP from untrusted sources, and ensure the filestore module is updated to its latest version. The continued presence of compromised instances indicates that many operators have yet to apply the update, or applied it without checking whether the host had already been compromised.
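A short triage script for the two questions a FreePBX operator has to answer after reading the advisory: is this host still on an affected release, and has anything that looks like a web shell already been dropped under the web root? This is an added example for this article, not FreePBX, Shadowserver or Fortinet tooling. The web-shell checks are generic heuristics (request input or a decoder feeding an exec-style PHP function); they are not a signature for EncystPHP, which this page does not describe in detail. The version strings and web root are supplied by the operator; the demo tree is constructed in a temporary directory.

```python
"""
Post-patch triage for a FreePBX host. Added example for this article; it is not
FreePBX, Shadowserver or Fortinet tooling.

Check 1: is the installed FreePBX version still in the affected range
         (17.0.2.36 and earlier, fixed in 17.0.3, per the advisory)?
Check 2: do any PHP files under the web root look like a dropped web shell?
         The patterns are generic web-shell heuristics, NOT an EncystPHP
         signature; treat hits as leads to review, not verdicts.

Assumptions: version strings and web root path come from the operator; the
demo web root below is constructed in a temp directory.
"""
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = "17.0.2.36"   # last affected release named in the advisory
FIXED_VERSION = "17.0.3"      # first fixed release

EXEC_FUNCS = re.compile(
    rb"\b(eval|assert|system|shell_exec|passthru|exec|popen|proc_open)\s*\(", re.I)
DECODERS = re.compile(rb"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
REQUEST_INPUT = re.compile(rb"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b")


def parse_version(v: str) -> tuple:
    """'17.0.2.36' -> (17, 0, 2, 36); tuple comparison orders releases correctly."""
    return tuple(int(p) for p in v.strip().split("."))


def is_affected(installed: str) -> bool:
    """True when the installed version is 17.0.2.36 or earlier."""
    return parse_version(installed) <= parse_version(LAST_AFFECTED)


def scan_php_file(path: Path) -> list:
    """Return heuristic tags for one PHP file (empty list = nothing suspicious)."""
    data = path.read_bytes()
    tags = []
    if EXEC_FUNCS.search(data):
        if REQUEST_INPUT.search(data):
            tags.append("request-input-to-exec")
        if DECODERS.search(data):
            tags.append("decoder-to-exec")
    return tags


def scan_webroot(root: Path) -> dict:
    """Map relative path -> tags for every PHP file that trips a heuristic."""
    root = Path(root)
    findings = {}
    for p in sorted(root.rglob("*.php")):
        tags = scan_php_file(p)
        if tags:
            findings[p.relative_to(root).as_posix()] = tags
    return findings


def triage(installed_version: str, webroot: Path) -> dict:
    """Combine both checks into one report for the host."""
    return {
        "installed": installed_version,
        "needs_patch": is_affected(installed_version),
        "fixed_in": FIXED_VERSION,
        "suspicious_php": scan_webroot(webroot),
    }


def build_demo_webroot() -> Path:
    """Constructed sample tree: one benign file, one classic one-line shell."""
    root = Path(tempfile.mkdtemp(prefix="freepbx-demo-"))
    (root / "admin" / "assets").mkdir(parents=True)
    (root / "admin" / "config.php").write_text("<?php\n$enabled = true;\necho 'ok';\n")
    (root / "admin" / "assets" / "cache.php").write_text(
        "<?php @eval(base64_decode($_POST['c']));\n")
    return root


if __name__ == "__main__":
    demo = build_demo_webroot()
    print(triage("17.0.2.36", demo))
```

On a real host the FreePBX code base itself calls exec-style functions legitimately, so expect baseline hits; compare the scan against a clean install of the same version (or the package contents) before deleting anything, and note that a version reading 17.0.3 only means the vulnerability is closed, not that a shell dropped earlier is gone.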
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) acknowledged the severity of the threat by adding CVE-2025-64328 to its Known Exploited Vulnerabilities (KEV) catalog earlier this month. This addition signals that the vulnerability is actively being weaponized by malicious actors in real-world attacks, increasing the urgency for all affected users to implement a patch.
Active Exploitation by INJ3CTOR3 Campaign
Research published by Fortinet's FortiGuard Labs last month detailed how a cyber fraud operation, codenamed INJ3CTOR3, has been exploiting CVE-2025-64328 since December 2025. The threat actor uses the vulnerability to deploy a web shell known as EncystPHP onto compromised FreePBX servers, a targeted approach to turning VoIP infrastructure into a platform for fraud.
According to Fortinet, the EncystPHP web shell operates with elevated privileges by reusing the administrative contexts of Elastix and FreePBX, which lets it execute commands directly on the infected host. The web shell can also initiate outbound calls through the compromised PBX. That capability supports toll fraud and spam calling directly, and the host itself can serve as a foothold for further intrusion into the network.
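A PBX abused for outbound calling leaves a trace in its call detail records, so a CDR review is the quickest way to tell whether a compromised FreePBX host was actually used for fraud. The script below, an added example for this article and not Fortinet's detection logic or an EncystPHP signature, parses Asterisk CDR lines and flags international and off-hours outbound calls plus per-extension call bursts. The sample CDR is constructed, in the default cdr_csv (Master.csv) column order; the 3-digit extension length, the dial prefixes treated as international and the quiet-hours window are assumptions about a NANP-style deployment and should be adjusted per site.

```python
"""
Toll-fraud triage over Asterisk CDR lines. Added example for this article; not
Fortinet's detection logic and not a signature for EncystPHP. The sample CDR
is constructed, in the default cdr_csv (Master.csv) column order; extension
length, international prefixes and quiet hours are site assumptions.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

CDR_FIELDS = [
    "accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
    "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
    "disposition", "amaflags", "uniqueid", "userfield",
]

# Constructed sample: three normal daytime calls, then a 03:10 burst of short
# international calls from extension 201, the footprint of a PBX being used
# for outbound calling while nobody is watching.
SAMPLE_CDR = '''\
"","201","5551234567","from-internal","Alice <201>","PJSIP/201-00000001","PJSIP/trunk-00000002","Dial","PJSIP/5551234567@trunk,300,Tt","2026-02-10 10:02:11","2026-02-10 10:02:15","2026-02-10 10:07:40","329","325","ANSWERED","DOCUMENTATION","1770717731.1",""
"","202","5559876543","from-internal","Bob <202>","PJSIP/202-00000003","PJSIP/trunk-00000004","Dial","PJSIP/5559876543@trunk,300,Tt","2026-02-10 14:30:00","2026-02-10 14:30:06","2026-02-10 14:31:00","60","54","ANSWERED","DOCUMENTATION","1770733800.3",""
"","201","202","from-internal","Alice <201>","PJSIP/201-00000005","PJSIP/202-00000006","Dial","PJSIP/202,20,Tt","2026-02-10 15:00:00","2026-02-10 15:00:02","2026-02-10 15:03:00","180","178","ANSWERED","DOCUMENTATION","1770735600.5",""
"","201","01120123456789","from-internal","Alice <201>","PJSIP/201-00000007","PJSIP/trunk-00000008","Dial","PJSIP/01120123456789@trunk,300,Tt","2026-02-11 03:10:00","2026-02-11 03:10:05","2026-02-11 03:10:35","35","30","ANSWERED","DOCUMENTATION","1770779400.7",""
"","201","01120123456790","from-internal","Alice <201>","PJSIP/201-00000009","PJSIP/trunk-00000010","Dial","PJSIP/01120123456790@trunk,300,Tt","2026-02-11 03:11:00","2026-02-11 03:11:04","2026-02-11 03:11:33","33","29","ANSWERED","DOCUMENTATION","1770779460.9",""
"","201","01120123456791","from-internal","Alice <201>","PJSIP/201-00000011","PJSIP/trunk-00000012","Dial","PJSIP/01120123456791@trunk,300,Tt","2026-02-11 03:12:00","2026-02-11 03:12:06","2026-02-11 03:12:40","40","34","ANSWERED","DOCUMENTATION","1770779520.11",""
"","201","01120123456792","from-internal","Alice <201>","PJSIP/201-00000013","PJSIP/trunk-00000014","Dial","PJSIP/01120123456792@trunk,300,Tt","2026-02-11 03:13:00","2026-02-11 03:13:05","2026-02-11 03:13:31","31","26","ANSWERED","DOCUMENTATION","1770779580.13",""
"","201","01120123456793","from-internal","Alice <201>","PJSIP/201-00000015","PJSIP/trunk-00000016","Dial","PJSIP/01120123456793@trunk,300,Tt","2026-02-11 03:14:00","2026-02-11 03:14:04","2026-02-11 03:14:36","36","32","ANSWERED","DOCUMENTATION","1770779640.15",""
'''

INTERNATIONAL_PREFIXES = ("011", "00", "+")   # assumption: NANP-style dialing
EXTENSION_LEN = 3                              # assumption: 3-digit extensions


def parse_cdr(text: str) -> list:
    """Parse cdr_csv lines into dicts, adding a parsed start timestamp."""
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if not fields:
            continue
        rec = dict(zip(CDR_FIELDS, fields))
        rec["start_dt"] = datetime.strptime(rec["start"], "%Y-%m-%d %H:%M:%S")
        rows.append(rec)
    return rows


def is_outbound(rec: dict) -> bool:
    """Internal-origin call whose destination is longer than an extension."""
    return rec["dcontext"] == "from-internal" and len(rec["dst"]) > EXTENSION_LEN


def find_anomalies(rows, burst_n=5, burst_window_s=600, quiet_hours=(22, 6)) -> dict:
    """Flag international and off-hours outbound calls, and per-source bursts."""
    flagged = []
    starts_by_src = defaultdict(list)
    for r in rows:
        if not is_outbound(r):
            continue
        starts_by_src[r["src"]].append(r["start_dt"])
        tags = []
        if r["dst"].startswith(INTERNATIONAL_PREFIXES):
            tags.append("international")
        h = r["start_dt"].hour
        if h >= quiet_hours[0] or h < quiet_hours[1]:
            tags.append("off-hours")
        if tags:
            flagged.append({"uniqueid": r["uniqueid"], "src": r["src"],
                            "dst": r["dst"], "billsec": int(r["billsec"]), "tags": tags})
    bursts = {}
    for src, starts in starts_by_src.items():
        starts.sort()
        lo = 0
        for hi, t in enumerate(starts):          # sliding window over sorted starts
            while (t - starts[lo]).total_seconds() > burst_window_s:
                lo += 1
            if hi - lo + 1 >= burst_n:
                bursts[src] = max(bursts.get(src, 0), hi - lo + 1)
    return {"flagged": flagged, "bursts": bursts}


if __name__ == "__main__":
    result = find_anomalies(parse_cdr(SAMPLE_CDR))
    for call in result["flagged"]:
        print(call)
    print("bursts:", result["bursts"])
```

Run it against the PBX's Master.csv (or a CDR export) for the period since the host was last known clean; a burst of short international calls from one extension outside business hours is the signature to escalate, and the matching trunk's provider should be asked to block further outbound international calling while the host is rebuilt.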
The ongoing exploitation underscores the importance of prompt patching and of keeping administrative interfaces off untrusted networks. More than 900 compromised FreePBX instances represent a significant risk of financial loss from call fraud and of reputational damage for the affected organizations. Continued monitoring by organizations such as the Shadowserver Foundation and CISA is critical in assessing the scope of these attacks and providing timely alerts to the security community.
Moving forward, the primary focus for FreePBX users will be the widespread adoption of the patched version 17.0.3. Patching alone does not evict a web shell that is already on disk, however: a host that was compromised before the update also needs the dropped files removed, its ACP credentials rotated (the exploit required authenticated access), and its call records reviewed for fraudulent outbound traffic. The Shadowserver Foundation will likely continue to monitor the number of compromised instances, providing data that can inform further advisories and response efforts. The persistence of these infections suggests that a segment of users is either unaware of the vulnerability or unable to apply the update, leaving room for continued exploitation until those systems are secured.