Ongoing Cyberattack Exploits Sangoma FreePBX CVE-2025-64328: Over 900 Instances Compromised by Web Shells

Executive Summary

A significant and ongoing cyberattack campaign has resulted in the compromise of over 900 instances of Sangoma FreePBX, a widely deployed open-source VoIP PBX platform. Attackers are exploiting a critical post-authentication command injection vulnerability, CVE-2025-64328, to deploy persistent PHP-based web shells, most notably EncystPHP, on vulnerable systems. This campaign, tracked by organizations such as Shadowserver and Fortinet, is global in scope, with the highest concentration of infections in the United States, Brazil, Canada, Germany, and France. The exploitation enables adversaries to execute arbitrary commands, establish persistent access, conduct outbound call fraud, and potentially pivot deeper into affected networks. The vulnerability is now included in the CISA Known Exploited Vulnerabilities (KEV) Catalog, underscoring its severity and the urgency for immediate remediation.

Threat Actor Profile

The primary threat actor identified in this campaign is INJ3CTOR3, as reported by Fortinet FortiGuard Labs. This actor is leveraging the CVE-2025-64328 vulnerability to deploy the EncystPHP web shell, facilitating ongoing remote access and command execution. While there is no definitive attribution to a nation-state Advanced Persistent Threat (APT), the tactics, techniques, and procedures (TTPs) observed are consistent with those used by groups specializing in VoIP infrastructure attacks, such as APT41 and UNC1878. These groups are known for targeting telecommunications and VoIP systems for both espionage and financially motivated campaigns, including ransomware and call fraud. The campaign demonstrates a high degree of automation and opportunism, with attackers scanning for vulnerable, internet-facing FreePBX instances and exploiting them en masse.

Technical Analysis of Malware/TTPs

The core of the attack leverages CVE-2025-64328, a post-authentication command injection vulnerability present in FreePBX versions 17.0.2.36 up to, but not including, 17.0.3. Authenticated users with access to the FreePBX Administration Panel can execute arbitrary shell commands as the asterisk user. Attackers exploit this flaw to upload PHP-based web shells, such as EncystPHP, into the web root directory (commonly /var/www/html/admin/). Once deployed, these web shells provide a persistent foothold, allowing adversaries to execute system commands, manipulate files, create new administrative users, and establish additional backdoors.

The attack chain typically begins with reconnaissance, where attackers scan for internet-exposed FreePBX instances. Upon identifying a target, they attempt to authenticate, either with weak or default credentials or with previously compromised accounts. Once authenticated, the attacker exploits CVE-2025-64328 to upload and execute the web shell. The web shell is then used for post-exploitation activities, including outbound call fraud, lateral movement within the network, data exfiltration, and deployment of further malware.

The EncystPHP web shell is a lightweight, obfuscated PHP script that provides a web-based command interface. It is capable of executing arbitrary system commands, uploading and downloading files, and modifying system configurations. The presence of such a shell is a critical indicator of compromise, as it enables attackers to maintain persistent access even if initial vulnerabilities are patched.

The campaign’s TTPs map to several MITRE ATT&CK techniques: Initial access is achieved via T1190 (Exploit Public-Facing Application), execution is performed through T1059 (Command and Scripting Interpreter), persistence is maintained with T1505.003 (Web Shell), credential access may involve T1110 (Brute Force), and lateral movement is facilitated by T1021 (Remote Services).

Exploitation in the Wild

Active exploitation of CVE-2025-64328 has been observed since at least December 2025. Security researchers from Shadowserver and Fortinet have documented widespread scanning and exploitation activity, with over 900 unique FreePBX instances confirmed compromised as of February 2026. The majority of affected systems are located in the United States, with significant numbers also in Brazil, Canada, Germany, and France. Attackers are leveraging automated tools to identify and exploit vulnerable systems at scale.

Once compromised, affected FreePBX servers exhibit signs of outbound call fraud, where attackers use the PBX infrastructure to place unauthorized calls, often to premium-rate numbers for financial gain. In addition, the persistent web shells allow attackers to escalate privileges, move laterally within the network, and deploy additional malware, including ransomware or data exfiltration tools. The campaign is ongoing, with new infections being reported daily, and the vulnerability has been added to the CISA KEV Catalog due to its active exploitation in the wild.

Victimology and Targeting

The victim profile for this campaign is broad, encompassing organizations of all sizes that operate internet-facing FreePBX instances. The highest concentration of victims is in the United States, followed by Brazil, Canada, Germany, and France. Affected organizations span multiple sectors, including telecommunications, healthcare, education, and small to medium-sized enterprises. The opportunistic nature of the campaign suggests that attackers are not targeting specific organizations but are instead exploiting any vulnerable FreePBX instance they can identify.

The attack surface is expanded by the prevalence of outdated or unpatched FreePBX installations, weak administrative credentials, and exposed management interfaces. Organizations that have not restricted access to the FreePBX Administration Panel or have failed to apply the latest security updates are at greatest risk. The use of automated scanning and exploitation tools enables attackers to compromise large numbers of systems rapidly, with little regard for the victim’s industry or geographic location.

Mitigation and Countermeasures

Immediate action is required to mitigate the risk posed by this campaign. Organizations running FreePBX versions 17.0.2.36 up to, but not including, 17.0.3 must upgrade to FreePBX 17.0.3 or later without delay, as this version contains the necessary patch for CVE-2025-64328. Access to the FreePBX Administration Panel should be restricted to trusted IP addresses, ideally via VPN or network segmentation, to reduce the attack surface.

Administrators should review all user accounts and remove any unauthorized or suspicious administrative users. Strong, unique passwords must be enforced for all accounts, and multi-factor authentication should be enabled where possible. Regular monitoring of web server directories for unfamiliar PHP files, such as encyst.php, is essential for early detection of web shells. File integrity monitoring and endpoint detection and response (EDR) solutions can aid in identifying unauthorized changes and malicious activity.

Comprehensive log review is critical. Administrators should examine FreePBX and web server logs for evidence of suspicious authentication attempts, command execution, or file uploads. Outbound network connections from PBX servers should be monitored for communication with known malicious IP addresses. If compromise is suspected, affected systems should be isolated from the network, and a full forensic investigation should be conducted.
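The two checks recommended above (unfamiliar PHP files under the admin web root, and web-server log entries reaching them) can be scripted for triage. The following is an added example, not code from Rescana or the FreePBX project; the baseline file list, the sample log lines and the throwaway directory tree are all constructed for illustration, and the host-name, IP and file contents are placeholders.

```python
import re
import tempfile
from pathlib import Path

# Constructed baseline: relative paths of PHP files a clean install is expected
# to ship under /var/www/html/admin/. Build it from a known-good host or package
# verification, never from the suspect machine itself.
BASELINE = {"config.php", "index.php", "ajax.php"}

# Apache combined-format request line: client, timestamp, request, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample log lines (placeholder addresses, not from a real incident).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Feb/2026:08:12:01 +0000] "POST /admin/config.php?display=dashboard HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Feb/2026:08:12:09 +0000] "POST /admin/encyst.php HTTP/1.1" 200 88',
    '198.51.100.4 - - [10/Feb/2026:08:13:44 +0000] "GET /admin/encyst.php?a=1 HTTP/1.1" 200 140',
    '198.51.100.4 - - [10/Feb/2026:08:14:00 +0000] "GET /admin/images/logo.png HTTP/1.1" 200 9000',
]

def unexpected_php_files(root, baseline=BASELINE):
    """Sorted relative paths of PHP files under root that are not in the baseline."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*.php")
                  if p.relative_to(root).as_posix() not in baseline)

def requests_to_unknown_php(lines, baseline=BASELINE):
    """(client, path) pairs for successful requests to /admin/ PHP files outside
    the baseline; a dropped web shell has to be reached by URL to be used."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if path.startswith("/admin/") and path.endswith(".php") and m.group("status") == "200":
            rel = path[len("/admin/"):]
            if rel not in baseline:
                hits.append((m.group("ip"), rel))
    return hits

def make_sample_tree():
    """Build a constructed throwaway web root: baseline files plus one stray PHP file."""
    root = Path(tempfile.mkdtemp())
    for name in ("config.php", "index.php", "encyst.php"):
        (root / name).write_text("<?php // constructed placeholder\n")
    (root / "images").mkdir()
    (root / "images" / "logo.png").write_bytes(b"")
    return root

if __name__ == "__main__":
    print("stray PHP files:", unexpected_php_files(make_sample_tree()))
    print("requests to unknown PHP:", requests_to_unknown_php(SAMPLE_LOG))
```

On a live host, point `unexpected_php_files` at the real web root and feed `requests_to_unknown_php` the Apache access log; any hit warrants isolating the system and starting the forensic review described above.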

Organizations are encouraged to consult the following references for detailed remediation guidance and to stay informed about ongoing developments: the CISA Known Exploited Vulnerabilities Catalog, Sangoma Security Advisories, Shadowserver Foundation reports, and community discussions on LinkedIn and Reddit.

About Rescana

Rescana is a leader in third-party risk management and cyber threat intelligence. Our platform empowers organizations to continuously monitor, assess, and mitigate cyber risks across their digital supply chain and IT infrastructure. By leveraging advanced analytics and real-time threat intelligence, Rescana enables proactive defense against emerging cyber threats. For more information about how our TPRM platform can help secure your organization, or for any questions regarding this advisory, please contact us at ops@rescana.com.