Attackers have been exploiting CVE-2025-64328, a post-authentication command injection flaw in the Sangoma FreePBX Endpoint Manager (filestore component) to compromise internet-exposed FreePBX systems and deploy persistent web shells. The vulnerability affects FreePBX versions 17.0.2.36 and above prior to 17.0.3, and can be abused by an authenticated user via the testconnection -> check_ssh_connect() function to execute commands and gain remote access as the asterisk user; the issue is fixed in 17.0.3. Reporting indicates the activity began in December 2025 and has left hundreds of systems persistently backdoored with web shells.
The Shadowserver Foundation reported roughly 900 FreePBX instances still compromised, with the largest concentration in the United States (about 400) and additional impacted systems across Brazil, Canada, Germany, France, the UK, Italy, and the Netherlands. Fortinet/FortiGuard Labs identified a PHP web shell dubbed EncystPHP associated with the campaign, which supports remote command execution, persistence, and additional web shell deployment; follow-on risk includes VoIP-focused abuse such as outbound call fraud and potential network pivoting from the PBX host. One source also states the vulnerability has been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog, reinforcing the need for rapid patching and incident response on exposed FreePBX deployments.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
By late February 2026, the Shadowserver Foundation reported roughly 900 internet-facing Sangoma FreePBX instances remained compromised, with the largest concentration in the United States and additional victims across Europe and the Americas. The findings showed the campaign had achieved broad and persistent access months after exploitation began.
CISA added CVE-2025-64328 to its Known Exploited Vulnerabilities catalog in early February 2026 after evidence of active exploitation in the wild. The listing signaled federal recognition of the flaw as an actively exploited risk requiring remediation.
Following exploitation, attackers deployed PHP web shells including EncystPHP to establish persistence on compromised FreePBX servers. Fortinet linked the activity to a threat actor it tracks as INJ3CTOR3 and described follow-on actions such as credential harvesting, account and cron changes, SSH key injection, and removal of competing shells.
Threat actors started exploiting the post-authentication command injection flaw CVE-2025-64328 in Sangoma FreePBX Endpoint Manager in early December 2025. The exploitation was used to gain command execution on exposed FreePBX systems.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourcesecurityaffairs.com
Open sourcerescana.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.