Sangoma FreePBX 2025 INJ3CTOR3 Web Shell Attacks
Executive Summary
In December 2025, over 900 Sangoma FreePBX instances were compromised through the exploitation of CVE-2025-64328, a high-severity command injection vulnerability. This flaw allowed authenticated users to execute arbitrary shell commands, leading to the deployment of the EncystPHP web shell by the threat actor group INJ3CTOR3. The attacks resulted in unauthorized remote access and control over affected VoIP infrastructures, with significant concentrations of compromised systems in the U.S., Brazil, Canada, Germany, and France. (thehackernews.com)
The incident underscores the critical importance of timely patch management and restricting administrative access to prevent exploitation of known vulnerabilities. Organizations are urged to update their FreePBX deployments to the latest version and implement stringent access controls to mitigate similar threats. (securityweek.com)
Why This Matters Now
The ongoing exploitation of CVE-2025-64328 highlights the persistent threat posed by unpatched vulnerabilities in widely used communication systems. With over 900 instances still compromised, there is an urgent need for organizations to assess their systems, apply necessary patches, and enforce strict access controls to prevent further breaches. (thehackernews.com)
Attack Path Analysis
The attack began with the exploitation of CVE-2025-64328, allowing authenticated users to execute arbitrary commands via the FreePBX Administration panel. This access enabled the deployment of the EncystPHP web shell, granting elevated privileges and persistent remote command execution. The attackers then leveraged these privileges to move laterally within the network, potentially compromising additional systems. Establishing command and control, they utilized the compromised FreePBX instances to initiate outbound call activities and maintain persistent access. Data exfiltration was likely conducted through these channels, extracting sensitive information from the network. The impact included unauthorized access, potential data breaches, and disruption of telephony services.
Kill Chain Progression
Initial Compromise
Description
Exploitation of CVE-2025-64328 allowed authenticated users to execute arbitrary commands via the FreePBX Administration panel.
Related CVEs
CVE-2025-64328
CVSS 7.2A post-authentication command injection vulnerability in FreePBX's filestore module allows authenticated users to execute arbitrary shell commands on the host system.
Affected Products:
Sangoma FreePBX – 17.0.2.36 and above before 17.0.3
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Techniques identified for SEO/filtering; may be expanded with full STIX/TAXII enrichment later.
Exploit Public-Facing Application
Command and Scripting Interpreter: Unix Shell
Server Software Component: Web Shell
Valid Accounts
Exploitation for Client Execution
Boot or Logon Autostart Execution
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 2.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
FreePBX web shell attacks directly compromise VoIP infrastructure, enabling command injection and unauthorized call activity with elevated privileges across telecom networks.
Information Technology/IT
IT service providers using FreePBX face critical exposure to CVE-2025-64328 exploitation, allowing arbitrary command execution and persistent web shell deployment.
Health Care / Life Sciences
Healthcare organizations with FreePBX systems risk HIPAA compliance violations through unencrypted traffic exposure and unauthorized access to communication infrastructure.
Financial Services
Financial institutions face regulatory compliance risks from compromised FreePBX instances, potentially exposing sensitive communications and violating data protection requirements.
Sources
- 900+ Sangoma FreePBX Instances Compromised in Ongoing Web Shell Attackshttps://thehackernews.com/2026/02/900-sangoma-freepbx-instances.htmlVerified
- CVE-2025-64328 Detailhttps://nvd.nist.gov/vuln/detail/CVE-2025-64328Verified
- FreePBX Security Advisory GHSA-vm9p-46mv-5xvwhttps://github.com/FreePBX/security-reporting/security/advisories/GHSA-vm9p-46mv-5xvwVerified
- CISA Known Exploited Vulnerabilities Catalog Entry for CVE-2025-64328https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-64328Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit the vulnerability may have been constrained, reducing the likelihood of unauthorized command execution.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been limited, reducing the scope of unauthorized access.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the network may have been constrained, reducing the risk of further system compromises.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to maintain persistent access and control may have been limited, reducing the duration and impact of the compromise.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate data may have been constrained, reducing the risk of sensitive information loss.
The overall impact of the attack may have been reduced, limiting unauthorized access and service disruptions.
Impact at a Glance
Affected Business Functions
- Telephony Services
- VoIP Communications
- Call Management
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of call logs and voice recordings.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to enforce least privilege access and limit lateral movement within the network.
- • Deploy East-West Traffic Security controls to monitor and restrict internal traffic, preventing unauthorized lateral movement.
- • Utilize Multicloud Visibility & Control solutions to detect and respond to anomalous activities across cloud environments.
- • Enforce Egress Security & Policy Enforcement to control outbound traffic and prevent unauthorized data exfiltration.
- • Regularly update and patch systems to mitigate known vulnerabilities, such as CVE-2025-64328, reducing the risk of exploitation.
