APPROXIMATELY 900 Sangoma FreePBX instances were infected with web shells after attackers exploited a post-authentication command injection flaw tracked as CVE-2025-64328 in the endpoint manager interface. The campaign began in December 2025 and researchers say hundreds of FreePBX instances remain compromised, with around 400 located in the United States and dozens more in countries including Brazil, Canada, Germany, France, the UK, Italy, and the Netherlands.
FortiGuard Labs identified a new web shell named EncystPHP in January, capable of remote command execution, persistence, and deployment of further web shells, with the attack chain tied to CVE-2025-64328 and the INJ3CTOR3 threat group. The advisory notes that the vulnerability allows an authenticated user to gain remote access to the system as the asterisk user; according to the Fortinet analysis, the issue is fixed in version 17.0.3.
The Shadowserver Foundation reports that more than 900 IPs are still observed as compromised, and credits collaboration with the Canadian Centre for Cyber Security for providing broader context on the affected installations.