Approximately 900 Sangoma FreePBX instances remain infected with web shells following attacks, ongoing since December 2025, that exploited a post-authentication command injection vulnerability. The exploited bug, tracked as CVE-2025-64328 (CVSS 8.6) and patched in November 2025, affects the filestore module of the endpoint manager's administrative interface.
Described as a post-authentication command injection issue, the flaw allows an attacker logged in as any user with interface access to execute arbitrary shell commands on the underlying host and gain remote access to the system. According to Fortinet, a hacking group tracked as INJ3CTOR3 had been exploiting CVE-2025-64328 for over a month to deploy a web shell called EncystPHP, which provides remote command execution, persistent access, and web shell deployment capabilities.
The Shadowserver Foundation says that approximately 900 FreePBX instances remain compromised and running web shells, with about 400 in the United States and smaller numbers in several other countries. Users are advised to update the filestore module to the latest version, restrict access to the administrative panel to authorised users, and block access from known malicious sources.