At a glance: Researchers report more than 900 Sangoma FreePBX instances infected with persistent web shells following exploitation of CVE-2025-64328, a high-severity (CVSS 8.6) post-authentication command-injection vulnerability in the FreePBX Endpoint Manager filestore module. Affecting versions 17.0.2.36 and above up to (but not including) 17.0.3, the flaw stems from improper handling of user input in the SSH test-connection function, enabling arbitrary command execution as the asterisk user. Exploitation has been observed since December 2025, despite patches released in November 2025.
Threat summary
Researchers at the Shadowserver Foundation reported observing more than 900 Sangoma FreePBX instances infected with persistent web shells as of February 2026.
The intrusions are tied to the exploitation of CVE-2025-64328, a post-authentication command-injection vulnerability in the FreePBX Endpoint Manager filestore module.
According to the NVD, the flaw affects versions 17.0.2.36 and above, up to but not including 17.0.3. It results from the filestore component’s SSH test-connection function improperly handling user-supplied input, which enables arbitrary command execution on the underlying host. The vulnerability carries a CVSS score of 8.6 and is rated high severity.
A January 2026 report from Fortinet attributed part of this activity to the threat actor INJ3CTOR3, which has been deploying a weaponized web shell known as EncystPHP on vulnerable FreePBX systems. The group uses the web shell to maintain long-term access, execute arbitrary commands, and potentially pivot deeper into victim networks.
Shadowserver’s telemetry shows that exploitation began in December 2025 and continues, despite patches being released in November 2025. This suggests that many deployments either remain unpatched or were compromised before updates were applied. The infections are globally distributed, with the United States, Brazil, Canada, Germany, and France hosting the largest number of affected systems.
Exploitation occurs when a threat actor authenticates to a FreePBX system running one of these vulnerable versions and can reach the administrative interface over the network. Once authenticated, the threat actor can trigger the flaw to inject commands and gain remote access as the asterisk user, the dedicated service account that runs the Asterisk telephony engine and controls core PBX operations.
Analysis & recommendations
FreePBX Endpoint Manager is widely deployed across managed service providers, small and mid‑sized businesses, and enterprise voice environments, making the exposure particularly impactful.
In the worst‑case scenario, compromise enables full control of voice infrastructure, manipulation or interception of call flows, and use of the PBX host as a foothold for broader intrusion. Although exploitation requires authentication, exposed interfaces and weak or reused credentials significantly increase the likelihood of compromise. Exploitation is moderately difficult: an authenticated session is required, but no privileges beyond access to the affected module are needed.
Reducing exposure requires restricting access to the FreePBX Administration Panel to trusted networks through firewall rules, applying the official patch for CVE-2025-64328, and ensuring the emergency EDGE module fix is in place for older deployments.
Recovery efforts should include a full integrity review of affected systems, removal of unauthorized web shells, and validation of configuration files. Monitoring for command‑execution patterns and unexpected outbound connections increases the likelihood of detecting ongoing compromise.
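The integrity review described above can be started with a file-level triage of the web root: flag files that are not in a known-good baseline or whose hash differs from it, and flag PHP files that contain command-execution or obfuscation sinks. The script below is an added example, not Sangoma's or Shadowserver's code; the web root path, the baseline manifest and the sink patterns are assumptions, and the sample tree it builds is constructed for the demonstration.

```python
"""Web-shell triage for a FreePBX web root (added example, not Sangoma's code).
Assumed, not from the advisory: the web root path, the baseline manifest (relative
path -> sha256 from a known-good install) and the sink regexes (heuristics, not signatures)."""
import hashlib, os, re, tempfile

# PHP sinks rarely found in stock module files; a match is a review lead, not proof.
SINK_RE = re.compile(rb"\b(eval|system|shell_exec|passthru|exec|popen|proc_open)\s*\(")
OBFUSCATION_RE = re.compile(rb"\b(base64_decode|gzinflate|str_rot13)\s*\(")
PHP_EXT = (".php", ".phtml", ".phar")

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def triage(web_root, baseline):
    """Return sorted [(relative_path, [reasons])] for files worth a closer look."""
    findings = {}
    for dirpath, _, files in os.walk(web_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, web_root)
            reasons = []
            if rel not in baseline:            # dropped file: never shipped by the install
                reasons.append("not in baseline")
            elif baseline[rel] != sha256_of(full):
                reasons.append("hash differs from baseline")  # legitimate file backdoored
            if name.lower().endswith(PHP_EXT):
                with open(full, "rb") as fh:
                    body = fh.read()
                if SINK_RE.search(body):
                    reasons.append("command-execution sink")
                if OBFUSCATION_RE.search(body):
                    reasons.append("obfuscation helper")
            if reasons:
                findings[rel] = reasons
    return sorted(findings.items())

def demo():
    """Constructed sample tree: one baselined module file plus one unexpected PHP file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "admin", "modules", "example"))
    good = os.path.join(root, "admin", "modules", "example", "index.php")
    with open(good, "wb") as fh:
        fh.write(b"<?php echo 'module page'; ?>")
    dropped = os.path.join(root, "admin", "x.php")
    with open(dropped, "wb") as fh:  # inert constructed content that only exercises the regexes
        fh.write(b"<?php eval(''); gzinflate(''); ?>")
    baseline = {os.path.relpath(good, root): sha256_of(good)}
    return triage(root, baseline)
```

On a real host, build the baseline from a clean install of the same module versions and run `triage` against the deployed web root; every hit still needs manual review before anything is removed.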