Executive Summary
In early 2026, over 900 Sangoma FreePBX instances were compromised through the exploitation of a post-authentication command injection vulnerability, CVE-2025-64328. This flaw allowed attackers, notably the INJ3CTOR3 group, to deploy the EncystPHP web shell, enabling remote command execution and persistent access. The majority of affected systems were located in the United States, with significant numbers also in Brazil, Canada, Germany, and France. The exploitation led to unauthorized outbound calls and potential lateral movement within networks.
This incident underscores the critical importance of promptly applying security patches and restricting administrative access to trusted networks. The widespread nature of these attacks highlights the ongoing threat to VoIP infrastructures and the necessity for organizations to implement robust security measures to protect against such vulnerabilities.
Why This Matters Now
The exploitation of CVE-2025-64328 in FreePBX systems by the INJ3CTOR3 group demonstrates the persistent threat to VoIP infrastructures. Organizations must urgently update their systems and enforce strict access controls to prevent unauthorized access and potential financial losses due to unauthorized call activities.
Attack Path Analysis
Attackers exploited a command injection vulnerability in FreePBX systems to deploy the EncystPHP web shell, enabling remote command execution. They escalated privileges by creating a root-level user and modifying existing user accounts. The attackers moved laterally by accessing and manipulating other systems within the network. They established command and control through the deployed web shell, allowing persistent remote access. Data exfiltration was conducted by extracting sensitive information from compromised systems. The impact included unauthorized outbound calls and potential service disruptions.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited a command injection vulnerability (CVE-2025-64328) in FreePBX systems to deploy the EncystPHP web shell, enabling remote command execution.
Related CVEs
CVE-2025-64328
CVSS 7.2An OS command injection vulnerability in FreePBX allows authenticated attackers to execute arbitrary commands on the server.
Affected Products:
Sangoma FreePBX – 17.0.2.36 up to (excluding) 17.0.3
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Web Shell
Valid Accounts
Unix Shell
Web Protocols
Local Account
Account Manipulation
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
FreePBX systems widely deployed in telecom infrastructure face critical webshell deployment risks, enabling lateral movement and encrypted traffic exfiltration compromising communications networks.
Information Technology/IT
IT service providers managing FreePBX installations vulnerable to EncystPHP webshell attacks, requiring enhanced egress security and anomaly detection for multicloud visibility protection.
Health Care / Life Sciences
Healthcare organizations using FreePBX phone systems risk HIPAA compliance violations through webshell deployment, requiring zero trust segmentation and encrypted traffic monitoring capabilities.
Financial Services
Financial institutions deploying FreePBX face privilege escalation threats via backdoor account creation, necessitating enhanced threat detection and compliance with PCI security standards.
Sources
- Scans for EncystPHP Webshell, (Mon, Apr 13th)https://isc.sans.edu/diary/rss/32892Verified
- Unveiling the Weaponized Web Shell EncystPHPhttps://www.fortinet.com/blog/threat-research/unveiling-the-weaponized-web-shell-encystphpVerified
- CVE-2025-64328 Detailhttps://nvd.nist.gov/vuln/detail/CVE-2025-64328Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit the command injection vulnerability may have been constrained by enforcing strict identity-aware access controls.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been limited by enforcing strict segmentation policies that restrict administrative access.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the network would likely have been constrained by enforcing east-west traffic controls.
Control: Multicloud Visibility & Control
Mitigation: The attacker's command and control communications may have been detected and constrained by enhanced visibility and control mechanisms.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts would likely have been constrained by enforcing strict egress policies.
The overall impact of the attack could have been reduced by limiting the attacker's ability to exploit vulnerabilities and move laterally.
Impact at a Glance
Affected Business Functions
- Telephony Services
- VoIP Communications
- Call Management
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of call records and user credentials.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict access and limit lateral movement within the network.
- • Deploy Inline IPS (Suricata) to detect and prevent exploitation attempts targeting known vulnerabilities.
- • Utilize Threat Detection & Anomaly Response systems to identify and respond to unusual activities indicative of web shell deployment.
- • Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- • Ensure regular updates and patch management to address known vulnerabilities like CVE-2025-64328 promptly.
