Sangoma FreePBX web shell exploitation wave (CVE-2025-64328)
Exploitation Wave
Summary
More than 900 Sangoma FreePBX instances remain web-shell infected after an ongoing exploitation wave tied to CVE-2025-64328. The affected systems span the U.S., Brazil, Canada, Germany, and France, showing broad geographic reach. The flaw enables post-authentication command injection and has already been added to CISA's KEV catalog because it is actively exploited in the wild.
Related Happenings
Zimbra Collaboration Suite actively exploited XSS flaw (CVE-2025-48700)
Vulnerability
First: 24.04.2026 16:35
Last: 24.04.2026 16:35
Sources 1
About this happening:
**CVE-2025-48700** is an **actively exploited XSS flaw** in **Zimbra Collaboration Suite (ZCS)** that can let unauthenticated attackers run JavaScript inside a user's session and...
Oracle Identity Manager and Oracle Web Services Manager unauthenticated RCE (CVE-2026-21992)
Vulnerability
First: 20.03.2026 20:48
Last: 20.03.2026 20:48
Sources 1
About this happening:
Oracle issued an **out-of-band update** to fix **CVE-2026-21992**, a **critical unauthenticated remote code execution** flaw in **Oracle Identity Manager** and **Oracle Web Servic...
UniFi Network Application path traversal flaw (CVE-2026-22557)
Vulnerability
First: 19.03.2026 15:00
Last: 19.03.2026 15:00
Sources 1
About this happening:
**CVE-2026-22557** in the **UniFi Network Application** is a **path traversal** flaw affecting **version 10.1.85 and earlier** that can expose files and enable **possible account...
GNU InetUtils telnetd pre-auth buffer overflow (CVE-2026-32746)
Vulnerability
First: 18.03.2026 07:06
Last: 18.03.2026 07:06
Sources 1
About this happening:
A **critical CVE-2026-32746** flaw in **GNU InetUtils telnetd** lets an **unauthenticated attacker** trigger **remote code execution as root** over **port 23**, exposing internet-...
CISA KEV listing for Wing FTP CVE-2025-47813
Public Sector Action
First: 17.03.2026 07:23
Last: 17.03.2026 07:23
Sources 1
About this happening:
CISA added **CVE-2025-47813** in **Wing FTP Server** to the **KEV catalog** after evidence of **active exploitation**, putting the flaw under formal government tracking. The listi...
Timeline
- 27.02.2026 19:59 2 articles · 2mo ago
Shadowserver reports ongoing FreePBX web-shell infections
Campaign Scope Update
Shadowserver Foundation says more than 900 Sangoma FreePBX instances remain infected with web shells after exploitation of CVE-2025-64328, a post-authentication command injection flaw affecting FreePBX versions 17.0.2.36 and higher, fixed in 17.0.3. The affected systems include 401 in the U.S., 51 in Brazil, 43 in Canada, 40 in Germany, and 36 in France. FreePBX users are advised to restrict ACP access, block hostile networks, update the filestore module, and upgrade to 17.0.3 or later.
- 900+ Sangoma FreePBX Instances Compromised in Ongoing Web Shell Attacks — thehackernews.com — 27.02.2026 19:59