Web shell attacks surge against 900+ FreePBX systems: Unmasking the INJ3CTOR3 and its EncystPHP strategy

Mar 3, 2026 | Threat Intelligence Research

Exploitation of Vulnerable FreePBX Systems Expands the Threat Landscape

Cybercriminals are targeting misconfigured and unpatched VoIP infrastructures, leading to compromises of over 900 Sangoma FreePBX systems. This trend, identified by The Shadowserver Foundation, revolves around the deployment of EncystPHP, a malicious PHP-based web shell, leveraging a post-authentication command injection vulnerability in FreePBX environments.

The current campaign shows how a diverse group of attackers is exploiting exposed PBX systems for a range of malicious purposes, including privilege escalation and unauthorized call activity. Attacks observed globally, particularly in the U.S., Brazil, Canada, Germany, and France, indicate a significant risk for organizations relying on FreePBX systems. Exploitation of the CVE-2025-64328 command injection vulnerability lets attackers execute arbitrary commands as the asterisk service user, giving them substantial control over the system.

EncystPHP is key to the attackers’ operations, providing an interface for remote execution that allows adversaries to manipulate files, execute commands, and maintain long-term persistence on compromised systems. This web shell converts affected FreePBX servers into controllable nodes, leading to unauthorized outbound call activity and resource hijacking. The methodology indicates a deliberate strategic shift towards leveraging VoIP infrastructures for extending malicious campaigns and enhancing persistent access.

Defensive Context

Organizations with FreePBX installations exposed to the internet should be particularly vigilant. Because exploitation requires authentication, misconfigurations that expose authenticated access to untrusted networks significantly raise the risk. Businesses with secure configurations and restricted administrative access are less likely to face immediate threats from this activity. The focus should remain on industries that rely heavily on VoIP services, as they face a higher risk of operational disruption and financial fraud.

Why This Matters

The exploitation of FreePBX systems underscores the need for businesses to assess the security of their telecom operations. Organizations with VoIP systems facing unauthorized access have a greater chance of experiencing the ramifications of such attacks, including toll fraud and service outages, which can critically impact operational continuity.

Defender Considerations

Stakeholders should prioritize updating FreePBX systems to version 17.0.3, where the command injection vulnerability has been mitigated. Additionally, limiting access to the FreePBX Administrative Control Panel to trusted networks can help reduce exposure. Organizations should perform thorough scans for unauthorized PHP files and analyze logs for suspicious activity to identify and rectify any potential compromises.

Indicators of Compromise (IOCs)

  • CVE-ID: CVE-2025-64328
  • File System IOCs:
    • /etc/freepbx.conf (missing or modified)
    • /var/www/html/.clean.sh (presence)
  • Log-Based IOCs:
    • Suspicious POST requests to modular.php
    • Unauthorized calls to extension 9998
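The file and log checks recommended under Defender Considerations, as an added example that is not part of the original article: a Python sweep that looks for POST requests to modular.php in an Apache access log, calls to extension 9998 in an Asterisk CDR export (Master.csv column order), and the two file-system indicators listed above. The sample log lines, client address, request paths and call IDs are constructed for the example; the `root` parameter is an assumption added so the same check can run against a mounted disk image.

```python
import csv
import re
from pathlib import Path

# Apache combined log: only client, timestamp, method, path and status are needed here.
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3})')

def suspicious_posts(access_log: str) -> list[dict]:
    """Return POST requests whose target file is modular.php (query string ignored)."""
    hits = []
    for m in filter(None, map(ACCESS_RE.match, access_log.splitlines())):
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path.split("?", 1)[0].rsplit("/", 1)[-1] == "modular.php":
            hits.append({"ip": ip, "ts": ts, "path": path, "status": status})
    return hits

# Asterisk Master.csv column order; the file itself carries no header row.
CDR_FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
              "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
              "disposition", "amaflags", "uniqueid", "userfield"]

def calls_to_extension(cdr_csv: str, ext: str = "9998") -> list[dict]:
    """Return CDR rows whose dialled destination is the watched extension."""
    rows = csv.DictReader(cdr_csv.splitlines(), fieldnames=CDR_FIELDS)
    return [{"src": r["src"], "dst": r["dst"], "start": r["start"], "disposition": r["disposition"]}
            for r in rows if r["dst"] == ext]

def filesystem_indicators(root: str = "/") -> list[str]:
    """Check both file-system indicators; root (assumed) lets this run over a mounted image."""
    base = Path(root)
    findings = []
    if (base / "var/www/html/.clean.sh").exists():
        findings.append("/var/www/html/.clean.sh present")
    if not (base / "etc/freepbx.conf").exists():
        findings.append("/etc/freepbx.conf missing")
    return findings

# Constructed samples: a benign GET and a POST to modular.php; a normal internal call and one to 9998.
SAMPLE_ACCESS = """\
203.0.113.5 - - [01/Mar/2026:10:12:01 +0000] "GET /admin/config.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Mar/2026:10:12:09 +0000] "POST /admin/modular.php?a=1 HTTP/1.1" 200 87 "-" "curl/8.5.0"
"""
SAMPLE_CDR = """\
"","1001","1002","from-internal","Alice <1001>","PJSIP/1001-0000001a","PJSIP/1002-0000001b","Dial","PJSIP/1002,30","2026-03-01 10:15:00","2026-03-01 10:15:04","2026-03-01 10:16:10","70","66","ANSWERED","3","1772360100.26",""
"","1001","9998","from-internal","Alice <1001>","PJSIP/1001-0000001c","","Dial","PJSIP/trunk/9998","2026-03-01 10:20:00","","2026-03-01 10:20:02","2","0","NO ANSWER","3","1772360400.28",""
"""
if __name__ == "__main__":
    for finding in suspicious_posts(SAMPLE_ACCESS) + calls_to_extension(SAMPLE_CDR) + filesystem_indicators():
        print(finding)
```

On a live host, feed the functions the real access log and CDR export and review every hit in context, since legitimate administration can also POST to module endpoints.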
