900+ Sangoma FreePBX Instances Compromised in Ongoing Web Shell Attacks
Briefly

"The impact is that any user with access to the FreePBX Administration panel could leverage this vulnerability to execute arbitrary shell commands on the underlying host. An attacker could leverage this to obtain remote access to the system as the asterisk user."
"By leveraging Elastix and FreePBX administrative contexts, the web shell operates with elevated privileges, enabling arbitrary command execution on the compromised host and initiating outbound call activity through the PBX environment."
"The vulnerability affects FreePBX versions higher than and including 17.0.2.36. It was resolved in version 17.0.3. As mitigations, it's advised to add security controls to ensure that only authorized users have access to the FreePBX Administrator Control Panel (ACP), restrict access from hostile networks to the ACP, and update the filestore module to the latest version."
The Shadowserver Foundation identified over 900 Sangoma FreePBX instances still infected with web shells following attacks exploiting CVE-2025-64328, a high-severity command injection vulnerability. The U.S. accounts for 401 compromised instances, with additional infections in Brazil, Canada, Germany, and France. The vulnerability affects FreePBX versions 17.0.2.36 and higher, allowing post-authentication command injection that enables arbitrary shell command execution with asterisk user privileges. The flaw was resolved in version 17.0.3. Threat actors from the INJ3CTOR3 operation have actively exploited this vulnerability since early December 2025 to deploy EncystPHP web shells, gaining elevated privileges and enabling arbitrary command execution and outbound call activity through compromised PBX environments. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog.
Read at The Hacker News