What's Happening?
Approximately 900 instances of Sangoma FreePBX, a widely used management tool for Asterisk-based IP telephone systems, have been compromised by web shells. The attacks exploited a command injection vulnerability, CVE-2025-64328, in the endpoint manager's interface. This vulnerability, which was patched in November 2025, allows attackers to execute arbitrary shell commands and gain remote access. The hacking group INJ3CTOR3 has been identified as exploiting this flaw to deploy a web shell called EncystPHP, providing persistent access and remote command execution capabilities. The U.S. cybersecurity agency CISA has added this vulnerability to its Known Exploited Vulnerabilities list.
Why It's Important?
The widespread compromise of FreePBX instances poses significant security risks to organizations using these systems. The ability of attackers to gain remote access and execute commands can lead to data breaches, service disruptions, and potential financial losses. The incident highlights the importance of timely patching and robust security measures in protecting critical infrastructure. It also underscores the ongoing threat posed by cybercriminal groups exploiting known vulnerabilities. Organizations using FreePBX must assess their systems for potential compromise and implement necessary security updates to mitigate risks.
What's Next?
Organizations using FreePBX are advised to update their systems to the latest version and restrict access to the administrative panel. Security teams should monitor for signs of compromise and take steps to remove any unauthorized access. The incident may prompt further scrutiny of open-source telephony systems and their security practices. Cybersecurity agencies and experts will likely continue to track the activities of the INJ3CTOR3 group and similar threats. The situation serves as a reminder of the evolving nature of cyber threats and the need for proactive security measures.
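One way to act on the "monitor for signs of compromise" advice above is a triage sweep of the PHP webroot. The script below is an added example, not code from the page, Sangoma or the FreePBX project: it flags PHP files that match generic web-shell heuristics (an execution primitive fed directly by request input or a decoder) or that were modified after your last known patch time. The directory layout and sample files are constructed assumptions, and the patterns are generic heuristics, not EncystPHP signatures.

```python
import os
import re
import tempfile
from pathlib import Path

# Generic PHP web-shell heuristics: a code-execution primitive fed directly by
# request input or by a decoding call. These are NOT EncystPHP signatures;
# treat hits as triage leads to review by hand, not as verdicts.
SUSPICIOUS = re.compile(
    r"\b(eval|assert|system|shell_exec|passthru|exec|popen|proc_open)\s*\(\s*"
    r"(\$_(GET|POST|REQUEST|COOKIE)\b|base64_decode|gzinflate|str_rot13)",
    re.IGNORECASE,
)


def scan_php_file(path: Path) -> list:
    """Return the heuristic matches found in one PHP file (empty if clean)."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return []
    return [m.group(0) for m in SUSPICIOUS.finditer(text)]


def hunt(webroot: Path, modified_after: float) -> list:
    """Walk webroot for *.php files and flag any that match the heuristics or
    were modified after the given Unix timestamp (e.g. your last patch time).
    Returns finding dicts sorted by path so repeated runs are comparable."""
    findings = []
    for path in sorted(webroot.rglob("*.php")):
        hits = scan_php_file(path)
        recent = path.stat().st_mtime > modified_after
        if hits or recent:
            findings.append({"path": path.relative_to(webroot).as_posix(),
                             "hits": hits, "recent": recent})
    return findings


def build_sample_root() -> Path:
    """Constructed fixture (assumed layout, not real FreePBX files): one benign
    module page dated before the patch and one dropped file shaped like a shell."""
    root = Path(tempfile.mkdtemp(prefix="pbxroot_"))
    old = root / "admin" / "modules" / "example" / "page.php"
    old.parent.mkdir(parents=True, exist_ok=True)
    old.write_text('<?php echo "status"; $out = exec("uptime");\n')
    os.utime(old, (1_700_000_000, 1_700_000_000))  # pre-patch mtime
    dropped = root / "admin" / "assets" / "cache.php"
    dropped.parent.mkdir(parents=True, exist_ok=True)
    dropped.write_text("<?php @eval($_POST['c']); system(base64_decode($_GET['x']));\n")
    return root


if __name__ == "__main__":
    for finding in hunt(build_sample_root(), modified_after=1_720_000_000):
        print(finding)
```

On a real host, point `hunt` at the web server's document root and use the mtime of the patched package files as the cutoff; anything flagged should be compared against a known-good install before deciding it is benign.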