INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
CVE-2025-64328 Exploitation Impact Sangoma FreePBX Instances
2026-03-01 10:01 | HIGH | MEDIUM
Executive Summary (AI-generated)
Sangoma FreePBX instances were compromised through exploitation of CVE-2025-64328, a vulnerability in the endpoint manager interface. The attack began in early December and targeted around 900 systems, many of which were still infected as of March 1st. Researchers linked the incident to the threat group INJ3CTOR3, known for targeting past vulnerabilities in FreePBX and Elastix systems.
Technical Mitigations (AI-generated)
* Implement a secure patching strategy for FreePBX, focusing on the endpoint manager interface and filestore module to prevent exploitation of CVE-2025-64328.
* Conduct regular security audits and vulnerability assessments for Sangoma FreePBX instances to identify potential weaknesses and address them before they can be exploited by attackers.
* Educate users about the importance of keeping their system up-to-date with the latest software patches, including those related to FreePBX, to prevent exploitation of known vulnerabilities like CVE-2025-64328.
* Use secure coding practices when developing applications that interact with Sangoma FreePBX instances, such as using input validation and sanitization techniques to prevent command injection attacks.
* Implement a web application firewall (WAF) or intrusion detection system (IDS) on Sangoma FreePBX instances to detect and block potential security threats in real-time.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2025-64328
Target & Sectors
Global Scope
Incident Timeline
November 2025
Threat actors exploited CVE-2025-64328 in Sangoma FreePBX instances, allowing them to execute arbitrary shell commands on the underlying host.
December 2025
Attackers exploited CVE-2025-64328 in the Administrative interface of Sangoma FreePBX, infecting over 900 instances with web shells.
organisation
The Shadowserver Foundation
Ravie Lakshmanan, Feb 27, 2026, Network Security / Vulnerability
The Shadowserver Foundation has revealed that over 900 Sangoma FreePBX instances still remain infected with web shells as part of attacks that exploited a command injection vulnerability starting in December 2025.
The Shadowserver Foundation reports that around 900 FreePBX instances are still compromised and running web shells, likely due to exploitation of CVE-2025-64328 in the endpoint manager.
organisation
SecurityAffairs
Pierluigi Paganini (SecurityAffairs – hacking, CVE-2025-64328)
infrastructure
17.0.2, 17.0.3
“In versions 17.0.2.36 and above before 17.0.3, the filestore module within the Administrative interface is vulnerable to a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function,” reads the advisory. “This issue is fixed in version 17.0.3.”
organisation
Endpoint Manager
“FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems.”
organisation
EncystPHP
In January, FortiGuard Labs identified a new web shell dubbed “EncystPHP,” capable of remote command execution, persistence, and further web shell deployment.
organisation
Elastix
Researchers link the activity to the threat group INJ3CTOR3, known for targeting past vulnerabilities in FreePBX and Elastix systems.
organisation
PHP
The campaign follows a familiar pattern: exploiting a flaw and installing a PHP web shell to maintain access.
organisation
Fortinet
reads the analysis published by Fortinet.
organisation
IP
“The attackers downloaded the EncystPHP dropper from the IP address 45[.]234[.]176[.]202, which resolves to the domain crm[.]razatelefonia[.]pro.
organisation
SSH
It created a root-level user, reset passwords, injected an SSH key, and ensured port 22 stayed open for persistent access.
early December 2025
Threat actors used CVE-2025-64328 to exploit a vulnerability in Sangoma FreePBX instances starting early December 2025.
vulnerability
CVE-2025-64328 (Source: The Shadowserver Foundation)
In a report published late last month, Fortinet FortiGuard Labs revealed that the threat actor behind the cyber fraud operation codenamed INJ3CTOR3 has been exploiting CVE-2025-64328 starting early December 2025 to deliver a web shell codenamed EncystPHP.
2026-01-28
Threat actors used CVE-2025-64328 to exploit a vulnerability in Sangoma FreePBX instances starting early December 2025.
Feb 27, 2026
Threat actors exploited CVE-2025-64328 on approximately 900 Sangoma FreePBX instances.
2026-03-01
Threat actors exploited CVE-2025-64328 to compromise 900+ Sangoma FreePBX instances.
organisation
CVE-2025-64328
CVE-2025-64328 exploitation impacts 900 Sangoma FreePBX instances.
The non-profit entity said the compromises are likely accomplished via the exploitation of CVE-2025-64328 (CVSS score: 8.6), a high-severity security flaw that could enable post-authentication command injection.
About 900 Sangoma FreePBX systems were infected with web shells after attackers exploited a command injection flaw.
infrastructure
17.0.2.36, 17.0.3
The vulnerability affects FreePBX versions 17.0.2.36 and higher. It was resolved in version 17.0.3.
organisation
ACP
As mitigations, it's advised to add security controls to ensure that only authorized users have access to the FreePBX Administrator Control Panel (ACP), restrict access from hostile networks to the ACP, and update the filestore module to the latest version.
organisation
PBX
"By leveraging Elastix and FreePBX administrative contexts, the web shell operates with elevated privileges, enabling arbitrary command execution on the compromised host and initiating outbound call activity through the PBX environment," the cybersecurity company noted.
Tactical Metrics
* infrastructure / Software Version 17.0.2: the vulnerability affects FreePBX versions 17.0.2.36 and higher.
* infrastructure / Software Version 17.0.3: the issue was resolved in version 17.0.3.
* victims / Non-Profit Entity (9): the non-profit entity said the compromises are likely accomplished via the exploitation of CVE-2025-64328 (CVSS score: 8.6), a high-severity security flaw that could enable post-authentication command injection.
Intelligence Sources
* The Hacker News, 2026-02-27
* Security Affairs, 2026-03-01: CVE-2025-64328 exploitation impacts 900 Sangoma FreePBX instances
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T07:35
Comprehensive Tactical Telemetry
Highly Correlated Entities
* 15x organisation / Identified Entity: CVE-2025-64328 (entity)
* 8x source region / Origin Country: United States (country)
* 7x timeline / Temporal Reference: versions 17.0.2.36 (date)
* 3x attribution / Attributing Entity: the U.S. Cybersecurity and Infrastructure Security Agency (authority)
* 3x tactic / MITRE ATT&CK Technique: T1588.006 - Vulnerabilities (technique)
* 2x infrastructure / Software Version: 17.0.2 (version)
* 2x general metric: Feb 27
Contextual Telemetry
Context Block (8 metrics)
* general metric / Affected Systems: 400
* vulnerability / Exploited CVE: CVE-2025-64328
* general metric / FreePBX Instances: 900
* vulnerability / CVSS Score: 9
* general metric / Port: 22
* general metric / Instances: 401
* general metric / Brazil: 43
* victims / Non-Profit Entity: 9