The Shadowserver Foundation has found that more than 900 Sangoma FreePBX instances remain infected with web shells after attackers began exploiting a post-authentication command injection vulnerability (CVE-2025-64328) in December 2025. Fortinet links the intrusions to threat actor INJ3CTOR3 delivering the EncystPHP web shell, which enables arbitrary command execution and outbound PBX call activity; organizations are urged to update to FreePBX 17.0.3, restrict ACP access, and update the filestore module. #EncystPHP #INJ3CTOR3 #CVE-2025-64328 #FreePBX #Sangoma
Key points
- Over 900 Sangoma FreePBX instances remain infected with web shells after exploitation began in December 2025.
- 401 compromised hosts are in the United States, with Brazil (51), Canada (43), Germany (40), and France (36) also affected.
- The attacks exploit CVE-2025-64328, a post-authentication command injection bug in FreePBX 17.0.2.36 and later releases prior to 17.0.3, where it is fixed.
- Fortinet attributes EncystPHP deployments to INJ3CTOR3, which uses FreePBX/Elastix admin contexts to run elevated commands and trigger outbound calls.
- Mitigations include upgrading to FreePBX 17.0.3, updating the filestore module, and restricting access to the FreePBX Administration Control Panel. Upgrading closes the injection path but does not remove a web shell that is already on disk, which is why hosts that were exposed before patching also need to be checked for and cleaned of existing implants.
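A first-pass hunt for PHP web shells under a FreePBX web root, added here as an example (it is not code from the article, Fortinet or Sangoma). The article gives no file paths or indicators for EncystPHP, so the script relies on generic web-shell traits: a PHP file that contains both a source of request-controlled input and an eval/command-execution sink. The web root /var/www/html mentioned in the comments is an assumed default, and the optional reference-file argument is an assumed convenience for skipping files older than the last legitimate update.

```shell
#!/usr/bin/env bash
# Added example, not code from the article, Fortinet or Sangoma: a first-pass
# hunt for PHP web shells under a FreePBX web root, for hosts that were exposed
# before the 17.0.3 upgrade. The article names no paths or indicators for
# EncystPHP, so the patterns are generic web-shell traits (request input in the
# same file as an eval/command-execution sink). /var/www/html is an assumed
# default web root; the optional REF argument is an assumed reference file.
set -u

# hunt_webshells ROOT [REF]
#   Print "path<TAB>first-sink" for each .php file under ROOT that contains both
#   a code/command execution sink and a source of attacker-controlled input.
#   If REF is given, only files modified after REF are scanned, which cuts out
#   FreePBX's own modules (they legitimately call exec() and read $_REQUEST).
#   Exit status 0 if at least one hit, 1 otherwise. Hits still need manual
#   review; this narrows the list, it does not prove a file is malicious.
hunt_webshells() {
  local root="$1" ref="${2:-}" f found=0
  local sink='(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)[[:space:]]*\('
  local input='\$_(GET|POST|REQUEST|COOKIE)|php://input|base64_decode[[:space:]]*\('
  local -a newer=()
  [ -n "$ref" ] && newer=(-newer "$ref")
  while IFS= read -r -d '' f; do
    if grep -Eq "$sink" "$f" && grep -Eq "$input" "$f"; then
      printf '%s\t%s\n' "$f" "$(grep -Eo "$sink" "$f" | head -n1)"
      found=1
    fi
  done < <(find "$root" -type f -name '*.php' ${newer[@]+"${newer[@]}"} -print0)
  [ "$found" -eq 1 ]
}

# Stand-alone demo on a constructed tree (no real FreePBX install needed).
# On a real host run:  hunt_webshells /var/www/html [/path/to/reference-file]
if [ "$#" -gt 0 ]; then
  hunt_webshells "$@"
else
  demo=$(mktemp -d)
  mkdir -p "$demo/admin/modules/filestore"
  # constructed sample files: one benign, two shaped like typical PHP web shells
  printf '<?php echo "legit";\n' > "$demo/index.php"
  printf '<?php @eval(base64_decode($_POST["c"]));\n' > "$demo/admin/modules/filestore/.c.php"
  printf '<?php system($_REQUEST["cmd"]);\n' > "$demo/admin/x.php"
  hunt_webshells "$demo" || echo "no hits"
  rm -rf "$demo"
fi
```

The two-pattern requirement (input source and execution sink in the same file) keeps the noise down, but a FreePBX install has many legitimate files that satisfy it, so on a real host pass a reference file (for example a file whose mtime is the last known-good module update) so that only files written after it are scanned, and review each hit by hand before deleting anything.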
Read More: https://thehackernews.com/2026/02/900-sangoma-freepbx-instances.html