The Hacker News reports that hundreds of Sangoma FreePBX instances remain infected with web shells as attacks exploiting a command injection vulnerability continue. The Shadowserver Foundation has identified more than 900 compromised instances, a significant portion of them in the U.S.

The compromises are attributed to exploitation of CVE-2025-64328, a post-authentication command injection flaw with a CVSS score of 8.6. It lets an authenticated attacker execute arbitrary shell commands on the host and gain remote access as the asterisk user. The vulnerability affects FreePBX versions newer than 17.0.2.36 and is fixed in version 17.0.3. Threat actors, including those behind the INJ3CTOR3 operation, have been exploiting the flaw since December 2025 to deploy web shells such as EncystPHP, which run with elevated privileges.

Because the flaw is under active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added it to its Known Exploited Vulnerabilities catalog. Organizations should update their FreePBX deployments to the latest version promptly, restrict access to the administrative panel to authorized users, and block access to it from untrusted networks. Since exploitation requires an authenticated session, limiting who can reach the admin panel directly reduces exposure.

Source: The Hacker News
Vulnerability Management, Threat Intelligence, Malware
Hundreds of FreePBX instances infected by web shells exploiting command injection vulnerability
