The Shadowserver Foundation has revealed that over 900 Sangoma FreePBX instances still remain infected with web shells as part of attacks that exploited a command injection vulnerability starting in December 2025.
Of these, 401 instances are located in the U.S., followed by 51 in Brazil, 43 in Canada, 40 in Germany, and 36 in France.
The non-profit entity said the compromises are likely accomplished via the exploitation of CVE-2025-64328 (CVSS score: 8.6), a high-severity security flaw that could enable post-authentication command injection.
"The impact is that any user with access to the FreePBX Administration panel could leverage this vulnerability to execute arbitrary shell commands on the underlying host," FreePBX said in an advisory for the flaw in November 2025. "An attacker could leverage this to obtain remote access to the system as the asterisk user."
Security researcher M. Cory Billington, who is credited with discovering and reporting the vulnerability, said it could be abused to trigger command injection after authenticating to the FreePBX Administration GUI by sending an HTTP request with the "command" parameter set as "testconnection" and "driver" set as "SSH."
The vulnerability resides in FreePBX's framework module. The problem has to do with the fact that user-provided values – host, port, user, key, and path – specified in the request and used for checking the SSH connection are not sanitized, thereby allowing an attacker to execute arbitrary commands.
"$key is leveraged to create a directory name via the dirname() method, which is saved in $keypath," Billington explained. "This value is used without being checked in the exec("mkdir -p $keypath"); function so long as the $keypath value is not an existing directory. We can inject values into this so long as there is a / and some text after."
The vulnerability affects FreePBX versions higher than and including 17.0.2.36. It was resolved in version 17.0.3. As mitigations, it's advised to add security controls to ensure that only authorized users have access to the FreePBX Administrator Control Panel (ACP), restrict access from hostile networks to the ACP, and update the filestore module to the latest version.
The vulnerability has since come under active exploitation in the wild, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalog earlier this month.
 |
| Source: The Shadowserver Foundation |
In a report published late last month, Fortinet FortiGuard Labs revealed that the threat actor behind the cyber fraud operation codenamed INJ3CTOR3 has been exploiting CVE-2025-64328 starting early December 2025 to deliver a web shell codenamed EncystPHP.
"By leveraging Elastix and FreePBX administrative contexts, the web shell operates with elevated privileges, enabling arbitrary command execution on the compromised host and initiating outbound call activity through the PBX environment," the cybersecurity company noted.
FreePBX users are recommended to update their FreePBX deployments to the latest version as soon as possible to counter active threats.
(The story was updated after publication on March 4, 2026, to include additional details of the flaw shared by security researcher M. Cory Billington.)
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.