Shadowserver Foundation reports over 900 FreePBX systems remain compromised through web shells deployed via CVE-2025-64328 command injection vulnerability, with US systems most affected.
Over 900 Sangoma FreePBX instances remain infected with web shells following exploitation of a critical command injection vulnerability that began in December 2025, according to new findings from the Shadowserver Foundation. The compromised systems span multiple countries, with 401 instances located in the United States, 51 in Brazil, 43 in Canada, 40 in Germany, and 36 in France.
The attacks leverage CVE-2025-64328, a high-severity vulnerability with a CVSS score of 8.6 that enables post-authentication command injection. FreePBX disclosed the flaw in November 2025, warning that "any user with access to the FreePBX Administration panel could leverage this vulnerability to execute arbitrary shell commands on the underlying host."
Vulnerability Details and Impact
The vulnerability affects FreePBX versions 17.0.2.36 and later, and is resolved in version 17.0.3. The impact is particularly severe because an attacker can obtain remote access to the system as the asterisk user, potentially gaining control over the entire PBX infrastructure.
FreePBX recommended several mitigations for organizations unable to immediately update:
- Add security controls to ensure only authorized users have access to the FreePBX Administrator Control Panel (ACP)
- Restrict access from hostile networks to the ACP
- Update the filestore module to the latest version
Active Exploitation in the Wild
The vulnerability has been actively exploited in real-world attacks, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2025-64328 to its Known Exploited Vulnerabilities (KEV) catalog earlier this month. This designation signals that federal agencies must patch the vulnerability by specific deadlines, though the broader implications affect organizations worldwide.
INJ3CTOR3 Threat Actor Campaign
Fortinet FortiGuard Labs published a detailed report last month revealing that the threat actor behind the cyber fraud operation codenamed INJ3CTOR3 has been actively exploiting CVE-2025-64328 since early December 2025. The attackers deploy a web shell called EncystPHP to maintain persistent access to compromised systems.
"By leveraging Elastix and FreePBX administrative contexts, the web shell operates with elevated privileges, enabling arbitrary command execution on the compromised host and initiating outbound call activity through the PBX environment," Fortinet noted in its analysis.
The campaign demonstrates sophisticated targeting of telecommunications infrastructure, with the web shell providing attackers with extensive capabilities to manipulate PBX systems for potentially fraudulent purposes.
Geographic Distribution of Compromised Systems
Shadowserver's data reveals a concerning concentration of compromised systems in North America and Europe:
- United States: 401 infected instances
- Brazil: 51 infected instances
- Canada: 43 infected instances
- Germany: 40 infected instances
- France: 36 infected instances
This distribution suggests that organizations in developed economies with robust telecommunications infrastructure are primary targets, though the vulnerability affects FreePBX deployments globally.
Recommendations for FreePBX Users
Organizations running FreePBX systems should take immediate action to protect their infrastructure:
- Update Immediately: Upgrade to FreePBX version 17.0.3 or later if not already done
- Network Segmentation: Isolate FreePBX systems from untrusted networks
- Access Controls: Implement strict authentication and authorization for the Administrator Control Panel
- Monitoring: Deploy intrusion detection systems to identify web shell activity
- Incident Response: Organizations with suspected compromises should conduct thorough security assessments
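Two of the checks the recommendations above imply, as an added example that is not code from FreePBX, Sangoma, Shadowserver or Fortinet: a version test using the affected range the article states (17.0.2.36 and later, fixed in 17.0.3), and a heuristic scan of a PHP web root for files that feed request-controlled input into an execution sink. The regexes, the sample files and the web-root layout are constructed assumptions for illustration, not EncystPHP indicators.

```python
"""Defender-side triage for the FreePBX CVE-2025-64328 situation.
Version boundaries follow the article; the web-shell heuristics below are
generic assumptions and are not derived from the EncystPHP web shell."""
import os
import re
import tempfile

FIRST_AFFECTED = "17.0.2.36"
FIXED = "17.0.3"

def parse_version(text):
    """'17.0.2.36' -> (17, 0, 2, 36); shorter strings are padded with zeros."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))

def is_affected(version):
    """True when the installed version falls in [17.0.2.36, 17.0.3)."""
    v = parse_version(version)
    return parse_version(FIRST_AFFECTED) <= v < parse_version(FIXED)

# Assumed heuristics: an execution sink combined with either request input
# or a decoding wrapper, which is the usual shape of a minimal PHP shell.
SINK = re.compile(r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I)
INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\s*\[", re.I)
DECODER = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)

def looks_like_web_shell(source):
    """Flag PHP source that pairs a sink with request input or a decoder."""
    return bool(SINK.search(source)) and bool(INPUT.search(source) or DECODER.search(source))

def scan_web_root(root):
    """Walk a web root and return relative paths of suspicious PHP files."""
    flagged = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".phtml")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if looks_like_web_shell(fh.read()):
                        flagged.append(os.path.relpath(path, root))
    return sorted(flagged)

def demo():
    """Constructed sample tree: one benign page and one planted shell."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "admin"))
    with open(os.path.join(root, "admin", "page.php"), "w") as fh:
        fh.write("<?php echo htmlspecialchars($_GET['name'] ?? ''); ?>")
    with open(os.path.join(root, "admin", "cache.php"), "w") as fh:
        fh.write("<?php @eval(base64_decode($_POST['c'])); ?>")  # constructed shell
    return scan_web_root(root)  # returns ['admin/cache.php']
```

Treat a hit as a lead for manual review rather than proof of compromise; benign modules can legitimately call system() on validated input.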
The persistence of web shells on over 900 systems months after the vulnerability was disclosed highlights the challenges organizations face in maintaining timely patch management for critical infrastructure.
The ongoing exploitation of FreePBX systems underscores the importance of treating telecommunications infrastructure as critical assets requiring robust security controls and rapid response to emerging threats.