
Over 900 Sangoma FreePBX Instances Compromised via Command Injection Flaw

Take action: If you use FreePBX, update to version 17.0.3 as quickly as possible and make sure the admin panel is isolated from the internet. Treat your FreePBX instance as already attacked.


CISA reports active exploitation of a command injection vulnerability in Sangoma FreePBX. The Shadowserver Foundation reports that attacks began in December 2025, primarily targeting systems in the United States, Brazil, and Canada, and currently counts over 900 instances infected with web shells.

The vulnerability is tracked as CVE-2025-64328 (CVSS score 8.6), a post-authentication command injection vulnerability in the FreePBX Administration panel. The flaw allows an authenticated user to inject and run arbitrary shell commands on the underlying host by manipulating inputs within the administrative interface. Attackers leverage this to gain remote access as the 'asterisk' user, effectively bypassing standard security boundaries to execute code with the privileges of the telephony service.

Threat actors such as the INJ3CTOR3 group use this flaw to deliver the EncystPHP web shell, which runs with elevated privileges and initiates outbound call activity. This can lead to significant financial losses through premium-rate number dialing and provides a foothold for lateral movement within corporate networks or data exfiltration from the compromised host.

The vulnerability affects Sangoma FreePBX versions 17.0.2.36 and higher.

Sangoma released FreePBX version 17.0.3 and recommends that all users update their deployments immediately. Administrators should also update the filestore module to the latest version and implement strict access controls for the Administrator Control Panel (ACP).
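As an added example (not Sangoma's code and not part of the advisory), a small Python triage script that applies the two recommendations above: it checks whether an installed version string falls inside the affected range the advisory names (17.0.2.36 and higher, below 17.0.3) and scans `ss -ltnp`-style socket listings for admin-panel ports bound to every interface. The sample socket listing and the 80/443 port defaults are assumptions.

```python
import re

FIRST_AFFECTED = (17, 0, 2, 36)   # lowest affected version named in the advisory
FIXED = (17, 0, 3)                # release Sangoma says to update to
# Wildcard binds are reachable from the internet unless something in front filters them.
WILDCARDS = {"0.0.0.0", "::", "*"}

def parse_version(text):
    """'17.0.2.36' -> (17, 0, 2, 36).  Compare as tuples: as strings,
    '17.0.2.36' sorts *after* '17.0.3', which is exactly the wrong answer."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))

def is_affected(version):
    """True when the version is in the advisory's range: 17.0.2.36 and higher,
    below the fixed release 17.0.3."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED

def exposed_listeners(ss_output, admin_ports=(80, 443)):
    """Return (address, port) pairs from `ss -ltnp`-style output where an
    admin-panel port (assumed HTTP/HTTPS by default) is bound to a wildcard."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":   # skips the header row too
            continue
        addr, _, port = fields[3].rpartition(":")      # '[::]:443' -> '[::]', '443'
        addr = addr.strip("[]")
        if addr in WILDCARDS and port.isdigit() and int(port) in admin_ports:
            exposed.append((addr, int(port)))
    return exposed

# Constructed sample (not captured from a real host) so the script runs stand-alone.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("httpd",pid=1234,fd=4))
LISTEN 0      511    [::]:443            [::]:*            users:(("httpd",pid=1234,fd=6))
LISTEN 0      4096   127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=900,fd=20))
LISTEN 0      128    10.0.5.2:5060       0.0.0.0:*         users:(("asterisk",pid=1500,fd=30))
"""

if __name__ == "__main__":
    for v in ("17.0.2.36", "17.0.2.40", "17.0.3", "16.0.40"):
        print(f"{v:>10}: {'AFFECTED' if is_affected(v) else 'not in affected range'}")
    for addr, port in exposed_listeners(SAMPLE_SS):
        print(f"admin port {port} bound to {addr}: restrict it to the management network")
```

On a live host, feed `exposed_listeners` the output of `ss -ltnp` and `is_affected` the version string your FreePBX reports; a wildcard bind on the admin port is only acceptable if a firewall or reverse proxy in front of it restricts access.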