Today's Core Dump is brought to you by ThreatPerspective

Security Affairs

CVE-2025-64328 exploitation impacts 900 Sangoma FreePBX instances

About 900 Sangoma FreePBX systems were infected with web shells after attackers exploited a command injection flaw. Hundreds of Sangoma FreePBX instances are still infected with web shells following attacks that began in December 2025.

Sangoma FreePBX is an open-source, web-based platform for managing Asterisk-powered VoIP phone systems. Maintained by Sangoma Technologies, it allows businesses to configure extensions, call routing, voicemail, IVR menus, and SIP trunks through an easy-to-use interface.

The campaign exploited a post-authentication command injection vulnerability, tracked as CVE-2025-64328 (CVSS score of 8.6), in the endpoint manager interface, allowing attackers to execute malicious commands and maintain persistent access to compromised systems.

"FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore module within the Administrative interface is vulnerable to a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function," reads the advisory. "An attacker can leverage this vulnerability to obtain remote access to the system as an asterisk user. This issue is fixed in version 17.0.3."

The Shadowserver Foundation reports that around 900 FreePBX instances are still compromised and running web shells, likely due to exploitation of CVE-2025-64328 in the endpoint manager.
About 400 affected systems are located in the United States, with dozens more in countries including Brazil, Canada, Germany, France, the UK, Italy, and the Netherlands, and smaller numbers spread across other regions.

"Thanks to collaboration with the Canadian Centre for Cyber Security @cybercentre_ca we can share more comprehensive information on FreePBX instances running webshells, with still over 900 IPs seen compromised. Dashboard Victim overview (Tree map) https://t.co/BZWCm2DweV" — The Shadowserver Foundation (@Shadowserver), February 24, 2026
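The advisory quoted above gives the affected range as "17.0.2.36 and above before 17.0.3", an inclusive lower bound and an exclusive upper bound that is easy to get wrong when triaging an inventory. The following is an added example, not Sangoma's or FreePBX's own tooling, that encodes exactly that range and runs it over a constructed host list (hostnames and versions below are made-up sample data).

```python
"""Triage FreePBX Endpoint Manager versions against the CVE-2025-64328 range
stated in the advisory: versions 17.0.2.36 and above, before 17.0.3.
Added example code, not part of FreePBX or Sangoma's tooling."""

AFFECTED_MIN = (17, 0, 2, 36)   # inclusive lower bound from the advisory
FIXED = (17, 0, 3)              # exclusive upper bound: fixed in 17.0.3


def parse_version(text: str) -> tuple:
    """Turn '17.0.2.36' into (17, 0, 2, 36); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when AFFECTED_MIN <= version < FIXED.
    Python compares tuples element by element, so 17.0.3.1 sorts above
    17.0.3 and is correctly treated as fixed."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def triage(inventory: dict) -> dict:
    """Map host -> 'affected' / 'not affected' / 'unknown'.
    Note: a host that is already on a fixed version may still carry a web
    shell dropped before patching; the article reports hundreds of such
    instances, so 'not affected' here means 'not exploitable now', not 'clean'."""
    result = {}
    for host, ver in inventory.items():
        try:
            result[host] = "affected" if is_affected(ver) else "not affected"
        except (ValueError, AttributeError):
            result[host] = "unknown"   # missing or malformed version string
    return result


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "pbx-hq.example": "17.0.2.36",      # first affected build
    "pbx-branch.example": "17.0.3",     # fixed release
    "pbx-lab.example": "17.0.2.35",     # below the affected range
    "pbx-legacy.example": None,         # version not collected
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```
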

Published: 2026-03-01T10:01:54