
900 Sangoma FreePBX Instances Infected With Web Shells


Approximately 900 Sangoma FreePBX instances remain infected with web shells following attacks, under way since December 2025, that exploited a command injection vulnerability in the software.

Sangoma FreePBX is a web-based, open source graphical user interface that serves as a widely deployed management tool for Asterisk-based IP telephone systems.

The exploited bug, tracked as CVE-2025-64328 (CVSS score of 8.6) and patched in November 2025, impacts the filestore module of the endpoint manager’s administrative interface.

Described as a post-authentication command injection issue, the flaw allows any authenticated user with access to the interface to execute arbitrary shell commands on the underlying host, giving an attacker remote access to the system.

Last month, Fortinet revealed that a hacking group tracked as INJ3CTOR3 had been exploiting CVE-2025-64328 for over a month to deploy a web shell called EncystPHP.

The web shell provides the attackers with remote command execution, persistent access, and web shell ...
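Because the article reports that hundreds of instances remain infected rather than merely unpatched, the practical follow-up for an operator is to triage the web root for shell-like PHP files. The script below is an added example, not code from the article, Sangoma or Fortinet, and it does not encode any EncystPHP signature (the article gives none). It applies generic heuristics: a file is flagged only when it combines a dangerous sink (eval, exec and friends) or a dynamic `$f($x)` call with either request input (`$_POST`, `$_GET`, ...) or an obfuscation helper (`base64_decode`, `gzinflate`, ...). The directory layout and file contents under `build_sample_tree()` are constructed for the demonstration and are not FreePBX's real module tree.

```python
"""Heuristic web-shell triage for a PHP web root (added example, generic heuristics)."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Indicator classes. The names are ours; they are not vendor or Fortinet terminology.
SINKS = re.compile(
    rb"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I
)
SUPERGLOBALS = re.compile(rb"\$_(GET|POST|REQUEST|COOKIE|SERVER)\s*\[", re.I)
OBFUSCATION = re.compile(rb"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
DYNAMIC_CALL = re.compile(rb"\$\w+\s*\(\s*\$")  # $f($x): function name chosen at runtime


def classify(content: bytes) -> list[str]:
    """Return the indicator names present in one file body (possibly none)."""
    indicators = []
    if SINKS.search(content):
        indicators.append("dangerous_sink")
    if SUPERGLOBALS.search(content):
        indicators.append("request_input")
    if OBFUSCATION.search(content):
        indicators.append("obfuscation")
    if DYNAMIC_CALL.search(content):
        indicators.append("dynamic_call")
    return indicators


def is_suspicious(indicators: list[str]) -> bool:
    """A sink alone is normal in PBX code; a sink fed by request data or hidden
    behind decoding is the web-shell shape worth a human look."""
    has_sink = "dangerous_sink" in indicators or "dynamic_call" in indicators
    has_input = "request_input" in indicators or "obfuscation" in indicators
    return has_sink and has_input


def scan_tree(root: Path) -> list[dict]:
    """Walk the web root and return findings for every PHP-bearing file that
    matches the suspicious combination. Files are checked for a PHP open tag
    rather than a .php extension, since shells often hide behind other names."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        if b"<?php" not in data and b"<?=" not in data:
            continue
        indicators = classify(data)
        if is_suspicious(indicators):
            findings.append({"path": str(path.relative_to(root)), "indicators": indicators})
    return findings


def build_sample_tree() -> Path:
    """Constructed sample web root: one legitimate module file, one legitimate
    file that legitimately shells out, and one web-shell-shaped dropper."""
    root = Path(tempfile.mkdtemp(prefix="webroot_sample_"))
    files = {
        # Benign: no sink, no request input (constructed content).
        "admin/modules/example/Example.class.php": (
            b"<?php\nnamespace FreePBX\\modules;\nclass Example {\n"
            b"    public function getTemplate($id) {\n"
            b"        return $this->db->query('SELECT * FROM t WHERE id = ?', [$id]);\n"
            b"    }\n}\n"
        ),
        # Benign: shells out with a constant command, so a sink but no input/obfuscation.
        "admin/modules/example/Status.class.php": (
            b"<?php\nexec('asterisk -rx \"core show channels\"', $out);\n"
        ),
        # Web-shell shape: eval of base64-decoded POST data, hidden in an assets directory.
        "admin/assets/js/.cache.php": b"<?php @eval(base64_decode($_POST['c'])); ?>",
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for finding in scan_tree(sample_root):
        print(finding["path"], "->", ", ".join(finding["indicators"]))
```

Run against a real FreePBX web root (for example `scan_tree(Path("/var/www/html"))`) this produces a review list, not a verdict: every hit still needs a human to compare the file against the shipped module package, check ownership and mtime, and decide whether to rebuild the host. The point of the two-factor rule is to keep legitimate PBX code that shells out to `asterisk -rx` off the list while still catching the classic one-line eval dropper.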


Copyright of this story solely belongs to SecurityWeek.