Over 900 Sangoma FreePBX Systems Still Infected with Web Shells Months After Critical Vulnerability

In a stark reminder that the cybersecurity world is still grappling with the fallout from a high-profile vulnerability disclosed in late 2025, the Shadowserver Foundation has revealed that more than 900 Sangoma FreePBX instances remain compromised with persistent web shells. These infections stem from active exploitation of CVE-2025-64328, a critical command injection flaw that first emerged in December and continues to wreak havoc across global telecommunications infrastructure.

The Scope of the Crisis

According to Shadowserver’s latest telemetry, the U.S. leads the list of affected countries with 401 infected systems, followed by Brazil (51), Canada (43), Germany (40), and France (36). The nonprofit organization’s ongoing monitoring indicates these compromises are not relics of past attacks—they are ongoing, active infections that could be leveraged for further malicious activity.

“The persistence of these web shells is particularly concerning,” noted cybersecurity analysts tracking the campaign. “Each compromised system represents a potential foothold for lateral movement, data exfiltration, or further exploitation within an organization’s network.”

Understanding the Vulnerability

CVE-2025-64328 carries a CVSS score of 8.6, classifying it as a high-severity vulnerability that enables post-authentication command injection. The flaw affects FreePBX versions 17.0.2.36 and higher, with patches available in version 17.0.3.

FreePBX’s security advisory explained the gravity of the situation: “Any user with access to the FreePBX Administration panel could leverage this vulnerability to execute arbitrary shell commands on the underlying host. An attacker could use this to obtain remote access to the system as the asterisk user.”

This level of access is particularly dangerous because the asterisk user typically has permissions to manage call routing, voicemail systems, and other critical telephony functions. In the wrong hands, this access could enable toll fraud, eavesdropping, or service disruption.

Active Exploitation in the Wild

The vulnerability’s inclusion in CISA’s Known Exploited Vulnerabilities (KEV) catalog earlier this month underscores its active exploitation status. Security researchers have observed sophisticated threat actors systematically scanning for and compromising vulnerable systems.

Fortinet FortiGuard Labs has linked these infections to a cyber fraud operation dubbed INJ3CTOR3. According to their analysis, the threat actor began exploiting CVE-2025-64328 in early December 2025, deploying a custom web shell called EncystPHP.

“By leveraging Elastix and FreePBX administrative contexts, the web shell operates with elevated privileges, enabling arbitrary command execution on the compromised host and initiating outbound call activity through the PBX environment,” Fortinet researchers noted in their late January report.

The sophistication of this campaign suggests organized criminal activity rather than opportunistic hacking. The use of custom malware and systematic exploitation patterns points to a well-resourced operation with specific financial motivations.

Geographic Distribution of Compromised Systems

Shadowserver’s data visualization reveals a concerning global footprint:

• United States: 401 infected systems
• Brazil: 51 infected systems
• Canada: 43 infected systems
• Germany: 40 infected systems
• France: 36 infected systems
• Other countries: 329 infected systems

This distribution highlights how critical infrastructure vulnerabilities can transcend national boundaries, creating a shared security challenge for the international community.

Mitigation Strategies

FreePBX has outlined several critical mitigation steps for organizations still running vulnerable systems:

1. Immediate Update: Upgrade to FreePBX version 17.0.3 or later
2. Access Control: Implement strict controls ensuring only authorized users can access the FreePBX Administrator Control Panel (ACP)
3. Network Segmentation: Restrict ACP access from hostile or untrusted networks
4. Module Updates: Update the filestore module to the latest version
5. Monitoring: Implement enhanced logging and monitoring for suspicious activity

Security experts emphasize that these measures should be implemented immediately, as the continued presence of web shells indicates that attackers have established persistent backdoors that could be activated at any time.

The Broader Implications

This ongoing compromise of FreePBX systems represents more than just a technical vulnerability—it’s a wake-up call about the state of critical infrastructure security. Voice over IP (VoIP) systems like FreePBX have become essential components of business communications, yet they often lack the security attention given to more traditional IT systems.

The exploitation of CVE-2025-64328 also demonstrates how quickly vulnerabilities can be weaponized once disclosed. The timeline from vulnerability announcement to active exploitation spanned mere weeks, leaving little room for organizations to implement patches before attacks began.

Furthermore, the persistence of these infections months after patches became available highlights the challenges of vulnerability management in complex enterprise environments. Many organizations struggle with patch deployment due to compatibility concerns, operational requirements, or simple resource constraints.

Looking Forward

As the cybersecurity community continues to monitor this situation, several key questions remain unanswered. How many of these compromised systems have already been used for malicious purposes? What other vulnerabilities might be lurking in critical telecommunications infrastructure? And perhaps most importantly, what systemic changes are needed to prevent similar widespread compromises in the future?

For now, the message is clear: organizations running FreePBX systems must prioritize immediate updates and security hardening. The alternative—leaving web shells active on critical infrastructure—represents an unacceptable risk in today’s threat landscape.

Tags & Viral Phrases:

• 900+ FreePBX systems still hacked
• Critical VoIP vulnerability exploited
• Web shells persist months after patch
• INJ3CTOR3 cybercrime operation
• Shadowserver Foundation warning
• CISA adds CVE-2025-64328 to KEV
• Fortinet FortiGuard Labs analysis
• EncystPHP web shell discovered
• Telecommunications infrastructure at risk
• Global PBX compromise crisis
• High-severity command injection flaw
• Post-authentication exploitation
• Active cyber fraud campaign
• Critical infrastructure vulnerability
• Months-old security flaw still active
• Systematic exploitation patterns
• Persistent backdoor access
• Toll fraud and eavesdropping risk
• International security challenge
• Urgent patch deployment needed

,