Security News

Cybersecurity news aggregator

CRITICAL Vulnerabilities SecurityWeek

900 Sangoma FreePBX Instances Infected With Web Shells

A post-authentication command injection vulnerability (CVE-2025-64328, CVSS 7.2 HIGH) in the Sangoma FreePBX endpoint manager's filestore module allows authenticated attackers to execute arbitrary shell commands, leading to web shell deployment. The flaw affects the filestore module versions from 17.0.2.36 up to, but not including, 17.0.3. The fixed version is 17.0.3; administrators should update immediately, restrict access to the administrative panel, and block known malicious sources.
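Added example (not from the article or the FreePBX project): a version check that flags a filestore module version inside the affected range the article gives, 17.0.2.36 up to but not including 17.0.3. The "name version" module listing it reads is a constructed format for this example, not the output of any FreePBX tool.

```python
"""Added example: flag FreePBX 'filestore' module versions in the range the
article gives for CVE-2025-64328: 17.0.2.36 <= version < 17.0.3."""
from typing import List, Tuple

AFFECTED_FROM = "17.0.2.36"  # first affected version (from the article)
FIXED_IN = "17.0.3"          # first fixed version (from the article)
MODULE = "filestore"         # the endpoint manager's filestore module


def parse_version(text: str) -> Tuple[int, ...]:
    """Dotted version string -> integer tuple. Tuples compare lexicographically,
    so the shorter prefix (17, 0, 2) sorts below (17, 0, 2, 36), and a piece
    like '36beta' contributes only its leading digits."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when version lies in [AFFECTED_FROM, FIXED_IN)."""
    return parse_version(AFFECTED_FROM) <= parse_version(version) < parse_version(FIXED_IN)


def affected_modules(inventory: str) -> List[Tuple[str, str]]:
    """Return (name, version) pairs for filestore entries at an affected version.
    The one-module-per-line 'name version' listing is a constructed format for
    this example, not the output of any FreePBX tool."""
    hits = []
    for line in inventory.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == MODULE and is_affected(fields[1]):
            hits.append((fields[0], fields[1]))
    return hits


# Constructed inventory for the example; every entry below is made up.
SAMPLE_INVENTORY = """\
core 17.0.19
filestore 17.0.2.40
framework 17.0.20
filestore 17.0.3
"""

if __name__ == "__main__":
    for name, version in affected_modules(SAMPLE_INVENTORY):
        print(f"{name} {version}: affected, update to {FIXED_IN} or later")
```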

The attacks exploited a post-authentication command injection vulnerability in the endpoint manager’s interface.

By Ionut Arghire | February 27, 2026 (8:24 AM ET)

Approximately 900 Sangoma FreePBX instances remain infected with web shells in attacks that exploited a command injection vulnerability starting December 2025.

Sangoma FreePBX is a web-based, open source graphical user interface that serves as a widely deployed management tool for Asterisk-based IP telephone systems.

The exploited bug, tracked as CVE-2025-64328 (CVSS score of 8.6) and patched in November 2025, impacts the filestore module of the endpoint manager’s administrative interface.

Described as a post-authentication command injection issue, the flaw allows an attacker logged in as any user with access to the interface to execute arbitrary shell commands on the underlying host and gain remote access to the system.

Last month, Fortinet revealed that a hacking group tracked as INJ3CTOR3 had been exploiting CVE-2025-64328 for over a month to deploy a web shell called EncystPHP. The web shell provides the attackers with remote command execution, persistent access, and web shell deployment capabilities.

“These incidents begin with the exploitation of a FreePBX vulnerability, followed by the deployment of a PHP web shell in the target environments. We assess that this campaign represents recent attack activity and behavior patterns associated with INJ3CTOR3,” Fortinet said.

A week later, the US cybersecurity agency CISA added the CVE to its Known Exploited Vulnerabilities (KEV) list alongside CVE-2019-19006, another FreePBX bug exploited by the same hacking group.

Now, non-profit organization The Shadowserver Foundation says that approximately 900 FreePBX instances remain compromised and are running web shells. The endpoint manager deployments were likely compromised via CVE-2025-64328, it notes.

Most of the compromised instances (roughly 400) are in the US, data from The Shadowserver Foundation shows. Dozens of instances are in Brazil, Canada, Germany, France, the UK, Italy, and the Netherlands, and smaller numbers in many other countries.

Users are advised to update the filestore module in their FreePBX deployments to the latest version, to restrict access to the administrative panel to authorized users, and to block access from known malicious sources.

Written by Ionut Arghire, an international correspondent for SecurityWeek.
