Approximately 900 Sangoma FreePBX instances remain infected with web shells after attackers exploited CVE-2025-64328 to deploy the EncystPHP backdoor starting in December 2025. Organizations are urged to update the filestore module, restrict administrative access, and block known malicious sources to contain the INJ3CTOR3 campaign. #EncystPHP #INJ3CTOR3
Key points
- Roughly 900 Sangoma FreePBX instances remain infected with web shells following attacks that began in December 2025.
- The attacks exploited CVE-2025-64328, a post-authentication command injection in the filestore module patched in November 2025.
- The threat actor INJ3CTOR3 has been deploying the EncystPHP web shell to achieve persistent remote command execution.
- The Shadowserver Foundation reports about 400 compromised instances in the United States and dozens in several other countries.
- Administrators should update the filestore module, restrict access to the administrative panel, and block known malicious sources.
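Updating the filestore module closes the vulnerability, but it does not remove a web shell that was dropped before the patch was applied. The following triage script is an added example written for this summary; it is not code from SecurityWeek, Shadowserver or Sangoma, and its heuristics are generic web-shell patterns (input from a PHP superglobal reaching an execution function, or eval of a decoded payload) rather than EncystPHP indicators, which the article does not provide. The sample files it scans are constructed inline; the web root path used in the usage note is an assumption.

```python
"""Triage helper: flag PHP files under a web root that contain common
web-shell constructs. Heuristics are generic (assumption: not derived
from EncystPHP samples); hits are leads for manual review, not proof."""
import os
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# A local variable assigned directly from a request superglobal.
SUPERGLOBAL_ASSIGN = re.compile(r"(\$\w+)\s*=\s*\$_(?:GET|POST|REQUEST|COOKIE)\b")
# Call to a function that executes code or commands; group 1 is the argument text.
EXEC_CALL = re.compile(
    r"\b(?:system|shell_exec|passthru|exec|popen|proc_open|eval|assert)\s*\(\s*([^)]*)\)"
)
# eval() wrapped around a decoder, a classic obfuscated-shell shape.
DECODER_EVAL = re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")
PHP_SUFFIXES = (".php", ".phtml", ".php5", ".inc")


@dataclass
class Finding:
    path: str       # path relative to the scanned root, POSIX separators
    reasons: list   # heuristic names that fired


def scan_php_file(path: Path) -> list:
    """Return the list of heuristic names that match this file (empty if clean)."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return []
    reasons = []
    tainted = {m.group(1) for m in SUPERGLOBAL_ASSIGN.finditer(text)}
    for m in EXEC_CALL.finditer(text):
        args = m.group(1)
        direct = "$_" in args                       # $_POST[...] passed straight in
        indirect = any(re.search(re.escape(v) + r"\b", args) for v in tainted)
        if direct or indirect:
            reasons.append("input_reaches_exec")
            break
    if DECODER_EVAL.search(text):
        reasons.append("eval_of_decoded_payload")
    return reasons


def scan_web_root(root: str, max_size: int = 512 * 1024) -> list:
    """Walk a web root and return sorted Findings for suspicious PHP files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_SUFFIXES):
                continue
            p = Path(dirpath) / name
            if p.stat().st_size > max_size:   # skip bundled libraries and large assets
                continue
            reasons = scan_php_file(p)
            if reasons:
                findings.append(Finding(p.relative_to(root).as_posix(), reasons))
    return sorted(findings, key=lambda f: f.path)


def build_constructed_sample() -> str:
    """Create a constructed mini web root: one benign file and two shell-like files."""
    d = Path(tempfile.mkdtemp(prefix="freepbx_scan_"))
    (d / "admin" / "assets").mkdir(parents=True)
    # Benign: ordinary config-style PHP with no execution primitives.
    (d / "admin" / "config.php").write_text(
        "<?php\n$amp_conf = ['AMPDBHOST' => 'localhost'];\necho 'ok';\n")
    # Obfuscated one-liner shell shape (constructed, not a real sample).
    (d / "admin" / "assets" / "cache.php").write_text(
        "<?php\n@eval(base64_decode($_POST['c']));\n")
    # Request parameter flows through a variable into a command execution.
    (d / "rest.php").write_text(
        "<?php\n$f = $_REQUEST['f'];\necho shell_exec($f);\n")
    return str(d)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_constructed_sample()
    for f in scan_web_root(root):
        print(f"{f.path}: {', '.join(f.reasons)}")
```

Run it against the real web root (on a typical FreePBX install that is assumed to be `/var/www/html`) as `python3 scan.py /var/www/html` and review every hit by hand; with no argument it scans the constructed sample and flags `admin/assets/cache.php` and `rest.php` while leaving `admin/config.php` alone. A clean scan does not prove the host is clean, so pair it with the module update and the access restrictions the summary recommends.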
Read More: https://www.securityweek.com/900-sangoma-freepbx-instances-infected-with-web-shells/