Over 900 Sangoma FreePBX instances remain infected with web shells as part of ongoing attacks that exploited CVE-2025-64328, a high-severity post-authentication command injection flaw, according to the Shadowserver Foundation. Of these compromised hosts, 401 are in the United States, followed by 51 in Brazil, 43 in Canada, 40 in Germany, and 36 in France.
The advisory notes that exploitation could allow arbitrary shell commands on the underlying host, enabling remote access to the system as the asterisk user, and Fortinet FortiGuard Labs has linked the activity to the INJ3CTOR3 threat actor delivering a web shell named EncystPHP. The vulnerability affects FreePBX versions 17.0.2.36 and earlier, was fixed in 17.0.3, and has prompted guidance to limit ACP access, restrict network access to the administrator panel, and update the filestore module. The U.S. Cybersecurity and Infrastructure Security Agency has since added CVE-2025-64328 to its KEV catalog, as the flaw remains actively exploited in the wild.

Source: The Shadowserver Foundation.
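The version boundaries above (17.0.2.36 and earlier affected, 17.0.3 fixed) are the first thing an administrator needs when triaging a fleet. The following script is an added example, not code from Shadowserver, Sangoma or Fortinet: it parses FreePBX version strings as dotted integer tuples (the format the advisory's own numbers use, which is an assumption about every build string you will meet), classifies each host against the stated boundaries, and deliberately refuses to guess for builds that fall between the last affected build and the first fixed release, since the page does not say how those are treated. Hostnames and versions in the sample inventory are constructed; how you collect a version from each PBX is left to your own inventory tooling.

```python
"""Triage FreePBX version strings against the CVE-2025-64328 boundaries.

Added example, not from the advisory or from Sangoma. Assumes FreePBX
versions are dotted integer tuples (e.g. "17.0.2.36"), as the page shows.
"""
from __future__ import annotations

# Boundaries stated in the advisory text on this page.
LAST_AFFECTED = (17, 0, 2, 36)   # "17.0.2.36 and earlier"
FIRST_FIXED = (17, 0, 3)          # "fixed in 17.0.3"


def parse_version(text: str) -> tuple[int, ...]:
    """Turn "17.0.2.36" (or a defanged "17.0.2[.]36") into (17, 0, 2, 36).

    Raises ValueError on anything that is not dotted integers, so a garbled
    inventory entry is reported rather than silently treated as patched.
    """
    cleaned = text.strip().replace("[.]", ".")
    parts = cleaned.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'verify'.

    Tuple comparison is lexicographic, so (17, 0, 2, 36) < (17, 0, 3) and
    (17, 0, 3) < (17, 0, 3, 1). A build between the last affected build and
    the first fixed release is not covered by the advisory wording quoted on
    this page, so it gets 'verify' instead of a guess in either direction.
    """
    v = parse_version(version)
    if v <= LAST_AFFECTED:
        return "vulnerable"
    if v >= FIRST_FIXED:
        return "fixed"
    return "verify"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by classification; unparsable versions go to 'error'."""
    groups: dict[str, list[str]] = {
        "vulnerable": [], "fixed": [], "verify": [], "error": [],
    }
    for host, version in inventory.items():
        try:
            groups[classify(version)].append(host)
        except ValueError:
            groups["error"].append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "pbx-a.example.internal": "17.0.2.36",
        "pbx-b.example.internal": "17.0.2[.]36",
        "pbx-c.example.internal": "17.0.3",
        "pbx-d.example.internal": "17.0.3.1",
        "pbx-e.example.internal": "16.0.40",
        "pbx-f.example.internal": "17.0.2.40",
        "pbx-g.example.internal": "unknown",
    }
    for group, hosts in triage(sample).items():
        print(f"{group:>10}: {', '.join(hosts) or '-'}")
```

The 'verify' bucket is the point of the exercise: a naive "less than 17.0.3 means vulnerable" check would silently cover builds the advisory never mentions, while "not equal to 17.0.2.36" would miss every older release. Hosts landing in 'verify' or 'error' should be checked against the vendor advisory by hand rather than marked patched.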