CyberTimes
Threat Watch · freepbx · voip · command injection · CVE-2025-64328
February 28, 2026 · CyberTimes Security Team

900+ FreePBX Phone Systems Hacked via Critical Command Injection Flaw


Severity: 🟠 HIGH
CVSS score: 8.6/10
Exploited: Yes (actively exploited since December 2025; listed in CISA's KEV catalog)
Fix status: Patch available (FreePBX 17.0.3 or later)

On February 27, 2026, the Shadowserver Foundation confirmed that over 900 Sangoma FreePBX instances remain actively compromised through web shells planted by attackers exploiting CVE-2025-64328. The attacks began in December 2025 and are still ongoing, with the majority of victims located in the United States. CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog, making patching non-negotiable for any organization running FreePBX.


Affected products

  • FreePBX 17.0.2.36 and earlier

How to Fix

Step-by-step remediation

  1. Log into your FreePBX admin panel and navigate to Admin > Module Admin.
  2. Find the Filestore module and update it to the latest available version.
  3. Go to the FreePBX update section and update the core system to version 17.0.3 or later.
  4. After updating, go to Admin > User Management and review every admin account. Remove any you do not recognize and rotate the passwords of the ones you keep.
  5. Restrict access to the admin panel by IP address: in your firewall or hosting settings, allowlist only your office or home IP and block all other access to the admin panel port.
  6. Check your web server logs and FreePBX web directories for signs of the EncystPHP web shell (unexpected PHP files, unknown admin accounts, unauthorized outbound calls). Patching and changing passwords do not remove a shell that is already planted; if you find one, treat the server as fully compromised and consult a security professional.

What happened

FreePBX is open-source software used by thousands of businesses worldwide to manage their phone systems. CVE-2025-64328 is a command injection flaw in the FreePBX Administration panel. Think of it like this — the admin panel is supposed to let authorized staff manage phone settings, but this vulnerability means anyone with panel access can also secretly run operating system commands on the underlying server. Attackers have been using this to install a web shell called EncystPHP, which acts as a permanent backdoor — giving them ongoing remote access even after passwords are changed.

Real-World Impact

The Shadowserver Foundation tracked 900+ compromised instances globally — 401 in the US alone, followed by Brazil, Canada, Germany, and France. The threat actor behind a cyber fraud operation called INJ3CTOR3 has been actively exploiting this since early December 2025. Once inside, attackers are running arbitrary commands, initiating unauthorized outbound calls through the PBX environment, and maintaining persistent access via the EncystPHP web shell. CISA's addition to the KEV catalog means US federal agencies are mandated to patch, and every other organization should treat it with the same urgency.

Technical Details

CVE-2025-64328 is a post-authentication command injection flaw with a CVSS score of 8.6. It affects FreePBX versions 17.0.2.36 and earlier and was patched in version 17.0.3. The vulnerability sits in the FreePBX Administration panel and lets any authenticated user execute arbitrary shell commands on the host as the asterisk user, the account the PBX software runs under. The INJ3CTOR3 threat group has been using it to deploy the EncystPHP web shell, which runs within the FreePBX (and Elastix) administrative web context and so gives the attacker the same host access as the vulnerable panel itself, independent of any later password change.

"Any user with access to the FreePBX Administration panel could leverage this vulnerability to execute arbitrary shell commands on the underlying host."

FreePBX Security Advisory, November 2025

🛡️ Prevention Tips

Never expose your FreePBX admin panel to the public internet. Always place it behind a VPN or firewall with strict IP allowlisting. Enable automatic updates for FreePBX modules. Subscribe to FreePBX security advisories so you hear about vulnerabilities the moment they're disclosed. Regularly audit your admin user list and remove any accounts that aren't actively needed.


FAQs

I use FreePBX but don't have the admin panel exposed publicly — am I safe?

You are significantly less at risk, but still vulnerable to insider threats or attackers who gain network access through other means. Updating to 17.0.3 and auditing your admin accounts is still strongly recommended.


How do I know if my system has already been compromised?

Look for unfamiliar files in your FreePBX web directories, unexpected outbound calls in your call logs, or unknown admin accounts. Running a file integrity check or consulting a VoIP security specialist is advisable if you suspect compromise.

