Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

900+ Sangoma FreePBX Instances Compromised in Ongoing Web Shell Attacks




More than 900 Sangoma FreePBX instances remain infected with web shells in an ongoing campaign that exploits CVE-2025-64328, a post-authentication command injection flaw in the FreePBX filestore module. Sangoma published an advisory and an updated module in November 2025, but administrators who have not yet applied the update, or who still expose the Administrator Control Panel to untrusted networks, are urged to act immediately.



  • Over 900 Sangoma FreePBX instances remain infected with web shells, according to scan data from The Shadowserver Foundation.
  • The attacks exploit CVE-2025-64328 (CVSS 8.6), a post-authentication command injection flaw: any user who can log in to the FreePBX Administration panel can execute arbitrary shell commands on the underlying host.
  • Exploitation has been under way since early December 2025 and is attributed to the cyber fraud operation tracked as INJ3CTOR3, which drops a web shell codenamed EncystPHP.
  • Sangoma's November 2025 advisory calls for restricting ACP access to authorized users and trusted networks and for updating the filestore module to the latest version.
  • Instances that are unpatched or still exposed remain at risk; because the flaw is being exploited in the wild, CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog.



    The latest attack on Sangoma FreePBX instances is a reminder of the cost of slow patching and exposed administrative interfaces. According to data released by The Shadowserver Foundation, over 900 Sangoma FreePBX instances remain infected with web shells as part of ongoing attacks that have exploited a command injection vulnerability since December 2025.

    The flaw, tracked as CVE-2025-64328 with a CVSS score of 8.6, is a high-severity post-authentication command injection. Any user with access to the FreePBX Administration panel can execute arbitrary shell commands on the underlying host, so the security of the whole PBX rests on who holds ACP credentials and from where the panel can be reached.

    In practice, an attacker who holds valid ACP credentials, however obtained, can turn that login into remote command execution as the asterisk user. The threat actor behind the cyber fraud operation codenamed INJ3CTOR3 has been exploiting the flaw since early December 2025 to deliver a web shell codenamed EncystPHP.

    The web shell operates with elevated privileges, giving the operator arbitrary command execution on the compromised host and the ability to initiate outbound call activity through the PBX, which is what makes a telephony system an attractive target for a fraud operation.

    Fortinet FortiGuard Labs, which documented the INJ3CTOR3 activity and the EncystPHP web shell in a report published late last month, reached the same conclusion about the severity of the situation. Shadowserver's breakdown of the infected instances puts 401 in the U.S., followed by 51 in Brazil, 43 in Canada, 40 in Germany and 36 in France.

    The impact is not abstract: every infected instance is both a foothold on the organization's network and a PBX that an attacker can use to place outbound calls. The exposure persists not because a fix is missing but because many operators have not applied it or have left the ACP reachable from the internet.

    Sangoma released an advisory for the flaw in November 2025. It recommends three measures: ensure that only authorized users have access to the FreePBX Administrator Control Panel (ACP), block access to the ACP from hostile or untrusted networks, and update the filestore module to the latest version.
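    The following triage script turns the advisory's operator-side checks into something that can be run on a FreePBX host. It is an added example written for this page, not tooling from Sangoma, Shadowserver or Fortinet. It assumes the tabular layout of `fwconsole ma list` (the FreePBX module admin CLI), a web root of /var/www/html, and that the operator passes in the filestore version the advisory identifies as fixed (no version is hard-coded). The PHP patterns it looks for are generic web-shell heuristics, not published EncystPHP indicators, and the sample files in the usage are constructed.

```bash
#!/usr/bin/env bash
# Post-advisory triage for a FreePBX host (added example, not vendor tooling).
# Run as root on the PBX:
#   ./freepbx_triage.sh /var/www/html <fixed-filestore-version>
# The second argument is the fixed filestore version taken from Sangoma's
# advisory; it is an operator-supplied assumption, nothing is hard-coded.

# Extract one module's version from 'fwconsole ma list' output. Assumes the
# CLI's table layout: "| <module> | <version> | <status> | ... |".
module_version() {
    awk -F'|' -v m="$1" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $2); gsub(/^[ \t]+|[ \t]+$/, "", $3) }
        $2 == m { print $3; exit }'
}

# Exit 0 when version $1 is older than $2. sort -V is used so that
# 16.0.9 sorts before 16.0.10, which a plain string compare gets wrong.
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Generic PHP web-shell heuristic (not EncystPHP-specific indicators):
# eval/assert fed by a decoder or a request parameter, or a shell-execution
# builtin fed directly by a request parameter.
WEBSHELL_RE='((eval|assert)[[:space:]]*\(.*(base64_decode|gzinflate|str_rot13|\$_(GET|POST|REQUEST|COOKIE)))|((system|passthru|shell_exec|exec|popen|proc_open)[[:space:]]*\(.*\$_(GET|POST|REQUEST|COOKIE))'

# List .php files under $1 changed within the last $2 days (default 30) that
# match WEBSHELL_RE. Exit 0 when nothing matched, 1 when there are hits.
scan_webroot() {
    root=$1
    days=${2:-30}
    hits=$(find "$root" -type f -name '*.php' -mtime "-$days" \
               -exec grep -lE "$WEBSHELL_RE" {} + 2>/dev/null)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

main() {
    webroot=${1:-/var/www/html}
    min_ver=${2:-}
    ver=$(fwconsole ma list 2>/dev/null | module_version filestore)
    if [ -z "$ver" ]; then
        echo "filestore: version unknown (fwconsole missing or module not installed)"
    elif [ -n "$min_ver" ] && version_lt "$ver" "$min_ver"; then
        echo "filestore $ver is older than $min_ver: run 'fwconsole ma upgrade filestore'"
    else
        echo "filestore $ver installed"
    fi
    if scan_webroot "$webroot" 30; then
        echo "no web-shell-like PHP under $webroot changed in the last 30 days"
    else
        echo "review the files above; updating the module does not remove a shell that is already dropped"
    fi
}

# Only run when invoked with arguments so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

    Two caveats. The heuristic will occasionally flag legitimate code that builds commands from request data, so treat hits as a review queue rather than a delete list, and widen the day window if the host may have been compromised before December. The first two advisory measures, limiting who can log in to the ACP and which networks can reach it, belong in the FreePBX firewall module or a perimeter firewall; the script only tells you whether the module is current and whether something has already been dropped.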

    Many deployments have not applied those measures and remain at risk. The vulnerability has since come under active exploitation in the wild, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalog earlier this month.

    FreePBX users should update the filestore module now, restrict which users and which networks can reach the ACP, and, since the campaign has been running since December, check existing hosts for web shells rather than assume that a patch applied today undoes an earlier compromise.

    The incident is a reminder that a post-authentication flaw is not a minor one when the administrative panel is reachable from the internet: a single set of ACP credentials is all that separates an attacker from shell access on the PBX.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/900-Sangoma-FreePBX-Instances-Compromised-in-Ongoing-Web-Shell-Attacks-ehn.shtml

  • https://thehackernews.com/2026/02/900-sangoma-freepbx-instances.html

  • https://www.securityweek.com/900-sangoma-freepbx-instances-infected-with-web-shells/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-64328

  • https://www.cvedetails.com/cve/CVE-2025-64328/


  • Published: Fri Feb 27 12:50:27 2026 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.
