
Ongoing Web Shell Attacks on Sangoma FreePBX Instances via CVE-2025-64328

1 unique source, 1 article

Summary


Over 900 Sangoma FreePBX instances remain compromised with web shells through exploitation of CVE-2025-64328, a high-severity command injection vulnerability. The attacks, ongoing since December 2025, have affected instances globally, with the highest concentrations in the U.S., Brazil, Canada, Germany, and France. The vulnerability allows post-authentication command injection, giving an attacker remote access as the asterisk user. The U.S. CISA has added this vulnerability to its KEV catalog, and Fortinet has linked the attacks to the threat actor INJ3CTOR3, which uses a web shell named EncystPHP.

Timeline

  1. 27.02.2026 19:59 · 1 article

    CVE-2025-64328 Exploited in Ongoing Attacks on FreePBX Instances

    Over 900 Sangoma FreePBX instances remain compromised with web shells through exploitation of CVE-2025-64328. The attacks, ongoing since December 2025, have affected instances globally, with the highest concentrations in the U.S., Brazil, Canada, Germany, and France. The U.S. CISA has added the vulnerability to its KEV catalog, and Fortinet has linked the attacks to the threat actor INJ3CTOR3, which uses the EncystPHP web shell.
