

Ethical Hacking News

CVE-2025-64328 Exploitation Campaign: A Global Threat to Sangoma FreePBX Systems



An attack campaign exploiting CVE-2025-64328, a command injection flaw in the Endpoint Manager module of Sangoma FreePBX, has compromised more than 900 FreePBX systems worldwide; according to the Shadowserver Foundation, roughly 900 of them are still carrying web shells. The attackers delivered a PHP web shell dubbed "EncystPHP" that gave them remote command execution and persistence. Affected installations must be updated to version 17.0.3 or later, which contains the fix.

  • More than 900 Sangoma FreePBX instances worldwide have been compromised through a high-severity command injection vulnerability (CVE-2025-64328, CVSS 8.6) in the Endpoint Manager module.
  • The attackers delivered a PHP web shell dubbed "EncystPHP" that provided remote command execution, persistence, and the ability to deploy further web shells.
  • The flaw is fixed in version 17.0.3; earlier versions remain exploitable.
  • The EncystPHP dropper was fetched from an IP address associated with the domain "crm.razatelefonia.pro", which defenders can use as an indicator when reviewing outbound connections and proxy logs.
  • Approximately 400 affected systems are located in the United States, with dozens more in Brazil, Canada, and other countries.
  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, underscoring the urgency of updating affected systems to version 17.0.3 or later.



    CVE-2025-64328, a high-severity command injection vulnerability in the Endpoint Manager module of Sangoma FreePBX, has been exploited by attackers to compromise more than 900 instances worldwide. The campaign, which began in early December 2025, used the vulnerability to deliver a PHP web shell dubbed "EncystPHP" that gave the attackers remote command execution, persistence, and the ability to deploy further web shells.

    Sangoma FreePBX is an open-source platform for managing Asterisk-powered VoIP phone systems; businesses use its web interface to configure extensions, call routing, voicemail, IVR menus, and SIP trunks. The vulnerability, tracked as CVE-2025-64328 with a CVSS score of 8.6, is fixed in version 17.0.3, so any installation running an earlier version with the Endpoint Manager module reachable from the internet should be treated as exposed.

    According to Fortinet's analysis published on February 24, 2026, the attackers fetched the EncystPHP dropper from an IP address associated with the domain "crm.razatelefonia.pro." The payload delivered by the dropper allowed the attackers to lock key files, harvest database configuration, delete cron jobs and user accounts, reset passwords, inject SSH keys, and maintain persistent access to compromised systems. The dropper also fetched additional payloads, erased logs, removed the Endpoint Manager module, restored file permissions to avoid detection, and deployed Base64-encoded web shells for long-term control. Because the malware erases logs and removes the very module that was exploited, the absence of evidence on a host is not evidence of absence; the persistence artifacts (added SSH keys, modified accounts, stray PHP files) are the more reliable signals.
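    The two persistence mechanisms named above, injected SSH keys and Base64-encoded web shells, are the ones an operator can hunt for without relying on the logs the malware erases. The following triage script is an added example written for this page; it is not code from Fortinet, Shadowserver or the FreePBX project, and it does not reproduce EncystPHP's actual signatures. It assumes a Debian-style layout (web root under /var/www/html, root's keys in /root/.ssh/authorized_keys), takes an operator-supplied allowlist of known SSH public key blobs, and uses generic web-shell patterns (eval over base64_decode, command execution fed from request parameters) chosen for illustration. The sample host it scans is constructed in a temporary directory so the script runs offline.

```python
"""Post-exposure triage for a FreePBX host (added example, not project code).

Assumptions (not from the article): the web root is /var/www/html, root's
SSH keys live in /root/.ssh/authorized_keys, and the indicator regexes below
are generic web-shell heuristics, not EncystPHP's real signatures.
"""
import os
import re
import tempfile
from pathlib import Path

# Generic indicators matching the behaviour described: Base64-encoded shells
# and command execution driven by request parameters. Assumed for illustration.
WEBSHELL_PATTERNS = [
    re.compile(rb"eval\s*\(\s*base64_decode\s*\("),
    re.compile(rb"gzinflate\s*\(\s*base64_decode\s*\("),
    re.compile(rb"\b(system|shell_exec|passthru|exec)\s*\(\s*\$_(GET|POST|REQUEST)"),
]


def scan_php_tree(root):
    """Return sorted (path, indicator) pairs for PHP files matching any pattern.

    os.walk is used so dot-prefixed files such as .cache.php are not skipped.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            for pat in WEBSHELL_PATTERNS:
                if pat.search(data):
                    hits.append((path, pat.pattern.decode()))
                    break  # one indicator per file is enough to flag it
    return sorted(hits)


def unexpected_ssh_keys(authorized_keys_path, allowlist):
    """Return authorized_keys lines whose key blob is not in the allowlist.

    allowlist is a set of base64 key blobs (the field after the key type).
    Options such as 'no-pty' may precede the key type, so the key type field
    is located by prefix rather than by position.
    """
    unexpected = []
    try:
        text = Path(authorized_keys_path).read_text()
    except OSError:
        return unexpected
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        blob = None
        for i, field in enumerate(fields):
            if field.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
                blob = fields[i + 1]
                break
        if blob is None or blob not in allowlist:
            unexpected.append(line)
    return unexpected


def build_demo_host():
    """Constructed sample host: two benign PHP files, two shell-like files,
    one known and one unknown SSH key. Returns the fake root directory."""
    root = Path(tempfile.mkdtemp(prefix="freepbx-triage-"))
    web = root / "var/www/html/admin"
    web.mkdir(parents=True)
    (web / "index.php").write_text("<?php echo 'normal page'; ?>")
    (web / "config.php").write_text("<?php $db_pass = 'example'; ?>")
    (web / ".cache.php").write_text("<?php eval(base64_decode($_POST['c'])); ?>")
    (web / "api.php").write_text("<?php system($_GET['cmd']); ?>")
    ssh = root / "root/.ssh"
    ssh.mkdir(parents=True)
    (ssh / "authorized_keys").write_text(
        "ssh-ed25519 AAAAC3KNOWNKEY admin@pbx\n"
        "no-pty ssh-rsa AAAAB3UNKNOWNKEY attacker\n"
    )
    return root


def triage(root, allowlist):
    """Run both checks relative to a root directory (use Path('/') on a real host)."""
    root = Path(root)
    return {
        "webshell_hits": scan_php_tree(root / "var/www/html"),
        "unexpected_keys": unexpected_ssh_keys(root / "root/.ssh/authorized_keys", allowlist),
    }


if __name__ == "__main__":
    demo = build_demo_host()
    result = triage(demo, {"AAAAC3KNOWNKEY"})
    for path, indicator in result["webshell_hits"]:
        print(f"[webshell?] {path}  matched {indicator}")
    for line in result["unexpected_keys"]:
        print(f"[ssh key]   {line}")
```

    On a real host, call triage(Path("/"), allowlist) as root. A hit is a reason to isolate and rebuild the system rather than delete the file: the article describes the malware locking files, resetting passwords, and deleting accounts, so a host that has been exploited should be restored from a known-good image and then updated to 17.0.3 or later before it is exposed again.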

    The Shadowserver Foundation reports that approximately 900 Sangoma FreePBX instances are still infected with web shells due to exploitation of CVE-2025-64328 in the endpoint manager. Notably, around 400 affected systems are located in the United States, while dozens more have been identified in countries such as Brazil, Canada, Germany, France, the UK, Italy, and the Netherlands.

    The campaign follows a familiar pattern: exploit a flaw in an internet-exposed administrative interface, then install a PHP web shell to keep access after the initial hole is closed. PBX systems are often managed outside the main security program, yet they sit on the network with database credentials and SSH access, which makes prompt patching and monitoring of their web interfaces as important as for any other server.

    In early February 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw in Sangoma FreePBX to its Known Exploited Vulnerabilities (KEV) catalog, emphasizing the urgent need for affected systems to be updated to version 17.0.3 or later.

    The incident is a reminder that patching is necessary but, for hosts that were exposed while unpatched, not sufficient: because EncystPHP erases logs, injects SSH keys, and plants additional web shells, an administrator who only applies the update may leave the attacker's persistence in place. Organizations running FreePBX should confirm the installed version, check for unexpected SSH keys, accounts, and PHP files, and rebuild any system showing signs of compromise.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/CVE-2025-64328-Exploitation-Campaign-A-Global-Threat-to-Sangoma-FreePBX-Systems-ehn.shtml

  • https://securityaffairs.com/188679/uncategorized/cve-2025-64328-exploitation-impacts-900-sangoma-freepbx-instances.html

  • https://thehackernews.com/2026/02/900-sangoma-freepbx-instances.html


  • Published: Sun Mar 1 05:03:46 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us