Full Report
The Shadowserver Foundation has revealed that over 900 Sangoma FreePBX instances still remain infected with web shells as part of attacks that exploited a command injection vulnerability starting in December 2025. Of these, 401 instances are located in the U.S., followed by 51 in Brazil, 43 in Canada, 40 in Germany, and 36 in France. The non-profit entity said the compromises are likely
Analysis Summary
# Incident Report: Widespread Web Shell Compromise of Sangoma FreePBX Instances via Command Injection
## Executive Summary
Starting in December 2025, numerous Sangoma FreePBX instances (over 900 identified) were compromised by threat actors exploiting a post-authentication command injection vulnerability (CVE-2025-64328). The primary impact was the installation of web shells, allowing for arbitrary command execution on the underlying host systems. The Shadowserver Foundation revealed the extent of the ongoing compromise, prompting CISA to add the vulnerability to its KEV catalog.
## Incident Details
- **Discovery Date:** Late February 2026 (Reported by Shadowserver Foundation)
- **Incident Start Date:** Beginning of December 2025
- **Affected Organization:** Unknown number of organizations running vulnerable Sangoma FreePBX versions.
- **Sector:** Telecommunications Infrastructure, VoIP Services (Implied)
- **Geography:** Global, high incidence in the U.S. (401 instances), Brazil (51), Canada (43), Germany (40), and France (36).
## Timeline of Events
### Initial Access
- **Date/Time:** Starting early December 2025
- **Vector:** Exploitation of **CVE-2025-64328** (Post-authentication Command Injection, CVSS 8.6). An attacker needed administrative panel access.
- **Details:** Threat actors leveraged the flaw to execute arbitrary shell commands on the underlying host.
### Lateral Movement
- **Details:** Not explicitly detailed, but the threat actor, identified as INJ3CTOR3, used the resulting web shell (EncystPHP) to execute commands with elevated privileges within the Elastix/FreePBX administrative context.
### Data Exfiltration/Impact
- **Details:** The primary recorded impact was establishing persistence via web shells and initiating outbound call activity through the compromised PBX environment. Remote access to the system as the `asterisk` user was achievable.
### Detection & Response
- **Discovery:** Shadowserver Foundation revealed the scale (900+ infected instances) in a report presented in late February 2026.
- **Response Actions:** CISA added CVE-2025-64328 to its Known Exploited Vulnerabilities (KEV) catalog. FreePBX issued advisories recommending updates and hardening of access controls.
## Attack Methodology
- **Initial Access:** Exploitation of **CVE-2025-64328** (Command Injection).
- **Persistence:** Installation of a web shell, specifically **EncystPHP**, deployed by the INJ3CTOR3 threat actor.
- **Privilege Escalation:** The web shell operates with elevated privileges within the FreePBX/Elastix administrative context.
- **Defense Evasion:** Not explicitly detailed, but maintaining access via hidden web shells bypasses standard security scrutiny.
- **Credential Access:** Not explicitly detailed, but post-authentication access implies credentials were known or bypassed.
- **Discovery:** Not explicitly detailed.
- **Lateral Movement:** Not explicitly detailed beyond the initial host compromise.
- **Collection:** Not explicitly detailed, though initiating outbound calls suggests financial fraud/resource abuse.
- **Exfiltration:** Not explicitly detailed for data, but resource utilization (outbound calls) is confirmed.
- **Impact:** Arbitrary command execution and unauthorized use of VoIP/PBX resources.
## Impact Assessment
- **Financial:** Potential for costs related to unauthorized outbound calling activity and remediation efforts.
- **Data Breach:** Not specified if sensitive data was exfiltrated, but system configuration/control was compromised.
- **Operational:** Disruption due to unauthorized resource use (outbound calling) and required system remediation/downtime.
- **Reputational:** Medium; widespread, ongoing exploitation of a known vulnerability reported by security researchers.
## Indicators of Compromise
- **Network Indicators:** None provided explicitly in the source text.
- **File Indicators:** Presence of **EncystPHP** web shells.
- **Behavioral Indicators:** Outbound call activity initiated from compromised PBX systems.
## Response Actions
- **Containment Measures:** Advisories recommend restricting access to the FreePBX Administrator Control Panel (ACP) from hostile networks and ensuring only authorized users have access.
- **Eradication Steps:** The primary recommended action is to **update FreePBX deployments to version 17.0.3** (or CISA/vendor recommended patches) to resolve CVE-2025-64328. Updating the `filestore` module is also advised.
- **Recovery Actions:** Reverting system changes, scanning for persistence mechanisms (web shells), and re-securing administrative interfaces.
## Lessons Learned
- **Key Takeaways:** Post-authentication vulnerabilities, even when patched, can lead to widespread, long-term compromise if organizations fail to apply updates quickly. The severity of command injection flaws in centralized infrastructure such as PBX systems cannot be overstated.
- **What Could Have Been Done Better:** Organizations running vulnerable software failed to implement crucial mitigation steps recommended in November 2025 before exploitation began in December 2025.
## Recommendations
- Immediately update all Sangoma FreePBX instances to version 17.0.3 or later to patch CVE-2025-64328.
- Implement strict access controls (e.g., internal network only, MFA, strong passwords) for the FreePBX Administrator Control Panel (ACP).
- Audit hosts identified as running FreePBX for unauthorized web shells or unexpected outbound communication activity.
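One way to carry out the web shell audit recommended above, as an added example that is not part of the report or of the FreePBX project: a triage sweep that flags PHP files under a web root that were modified on or after the reported incident start (December 2025) and contain command-execution constructs. The web root, file names and file contents below are constructed for the demo; the report itself provides no file paths or indicators for EncystPHP.

```python
"""Triage sweep for recently modified PHP files with shell-like constructs.
Added example; paths and sample files are constructed, not from the report."""
import os
import re
import tempfile
from datetime import datetime, timezone

# A web shell needs some way to run host commands; any of these in a file
# changed inside the incident window warrants manual review, not a verdict.
SUSPICIOUS = re.compile(
    r"\b(eval|system|shell_exec|passthru|exec|proc_open|popen)\s*\(", re.I)
# Incident start reported as early December 2025.
INCIDENT_START = datetime(2025, 12, 1, tzinfo=timezone.utc).timestamp()


def scan_webroot(root, since=INCIDENT_START):
    """Return sorted (relative path, construct) pairs for PHP files modified
    at or after `since` that contain a suspicious construct."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            path = os.path.join(dirpath, name)
            if os.path.getmtime(path) < since:
                continue
            with open(path, "r", errors="replace") as fh:
                m = SUSPICIOUS.search(fh.read())
            if m:
                hits.append((os.path.relpath(path, root), m.group(1).lower()))
    return sorted(hits)


def build_demo_webroot():
    """Constructed sample tree: one benign file predating the window and one
    shell-like file (hypothetical name) dropped inside the window."""
    root = tempfile.mkdtemp(prefix="freepbx-demo-")
    benign = os.path.join(root, "admin", "modules", "core", "page.core.php")
    shell = os.path.join(root, "admin", "assets", "cache.php")
    for path, body in ((benign, "<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>"),
                       (shell, "<?php @eval(base64_decode($_POST['c'])); ?>")):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    # Pin mtimes so the demo is independent of the current clock.
    os.utime(benign, (INCIDENT_START - 86400,) * 2)
    os.utime(shell, (INCIDENT_START + 3 * 86400,) * 2)
    return root


if __name__ == "__main__":
    for rel, construct in scan_webroot(build_demo_webroot()):
        print(f"REVIEW {rel}: {construct}()")
```

On a real host, point `scan_webroot` at the FreePBX web root and review every hit against the installed module inventory; a legitimate module may use these functions, so the list is a starting point for analysis, not a detection verdict.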