Critical Infrastructure Exposure: Hundreds of Sangoma FreePBX Systems Remain Infected After CVE-2025-64328 Exploitation


A Persistent Threat Lurking Inside VoIP Networks

A silent compromise continues to ripple through enterprise phone systems worldwide. Months after attackers began exploiting a serious vulnerability in Sangoma FreePBX, hundreds of instances remain infected with web shells. What began in December 2025 as a targeted campaign has become a prolonged security problem, with nearly 900 systems still under potential attacker control. Despite patches and public advisories, the footprints of this breach remain embedded in corporate VoIP infrastructure.

Widespread Infection Through CVE-2025-64328 Exploitation

The campaign centered on CVE-2025-64328, a high-severity flaw with a CVSS score of 8.6 in the Endpoint Manager module of FreePBX, specifically in the filestore component of the administrative interface. Endpoint Manager versions 17.0.2.36 and later, prior to 17.0.3, allow an authenticated user to inject operating-system commands through the testconnection and check_ssh_connect functions.

This was not an unauthenticated remote exploit: it required a valid login to the FreePBX administrative interface. Once inside, however, an attacker could execute arbitrary commands as the asterisk service account, turning a routine administrative module into a remote access gateway. Because FreePBX runs its web interface and Asterisk under that same account, the resulting shell inherits access to the PBX configuration and the credentials stored in it.
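To make the bug class concrete, here is an added Python illustration of the pattern described above. It is not FreePBX code (the real handler is PHP and is not reproduced here): a "test SSH connection" feature is modelled as a function that receives an operator-supplied host and port and must run ssh against them. The field names, the ssh options and the injection payload are assumptions for the demonstration. Both versions return the command they would run instead of executing it, so the difference can be inspected safely; the hardened version also rejects a host beginning with "-", which would otherwise be parsed by ssh as an option even when no shell is involved.

```python
"""Command-injection class behind CVE-2025-64328, in miniature.

Added illustration, not FreePBX's code. The 'test SSH connection' handler is
modelled with assumed field names and ssh options; the payload is constructed.
"""
import ipaddress
import re
import shlex

# RFC 1123-style hostname: dot-separated labels of letters, digits and
# hyphens, no label starting or ending with '-'. The leading-hyphen rule also
# blocks argument injection (a host of '-oProxyCommand=...' would otherwise
# be read by ssh as an option even though no shell is in the path).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def _is_valid_host(host):
    """Accept an IP address literal or a hostname matching HOSTNAME_RE."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(host))


def vulnerable_ssh_test_command(host, port="22"):
    """Interpolates raw input into one shell string: ';', '|', '$(...)' and
    friends are then interpreted by /bin/sh rather than handed to ssh."""
    return f"ssh -o BatchMode=yes -p {port} root@{host} true"


def hardened_ssh_test_command(host, port="22"):
    """Validates each field and returns an argv list meant for
    subprocess.run(argv) with no shell, so every element reaches ssh as
    exactly one argument."""
    host = host.strip()
    if not _is_valid_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    port = str(port).strip()
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"rejected port value: {port!r}")
    return ["ssh", "-o", "BatchMode=yes", "-p", port, f"root@{host}", "true"]


def shell_sees(command_string):
    """Tokenise roughly the way /bin/sh would: ';' '|' '&' '(' ')' become
    separate operator tokens and '#' starts a comment."""
    lex = shlex.shlex(command_string, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


if __name__ == "__main__":
    payload = "10.0.0.5; id #"  # constructed injection payload
    print("vulnerable:", shell_sees(vulnerable_ssh_test_command(payload)))
    try:
        hardened_ssh_test_command(payload)
    except ValueError as err:
        print("hardened:", err)
    print("hardened ok:", hardened_ssh_test_command("10.0.0.5"))
```

The token list returned for the vulnerable path shows the shell treating "id" as a second command after the ";" operator, while the hardened path never reaches a shell at all: validation happens per field, and the argv list keeps the host as a single argument.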

Global Impact Across Critical Business Systems

According to intelligence shared by the Shadowserver Foundation, approximately 900 FreePBX systems are still compromised and actively running web shells. Around 400 affected systems are located in the United States, with additional infections reported across Brazil, Canada, Germany, France, the United Kingdom, Italy, and the Netherlands. Smaller clusters appear in other regions, signaling a global footprint.

The scale of exposure is concerning. FreePBX powers a large number of business telephony environments, including customer service centers, healthcare providers, logistics firms, and financial institutions. When a VoIP management layer is compromised, the impact extends beyond phone disruption: attackers can pivot deeper into corporate networks.

INJ3CTOR3 and the Return of Familiar Tactics

Researchers link the campaign to the threat actor known as INJ3CTOR3, a group with a documented history of targeting FreePBX and Elastix systems. Their strategy followed a predictable pattern: identify a vulnerability, exploit it rapidly, and implant a persistent PHP-based web shell.

The simplicity of the method underscores a harsh truth. Attackers often do not need zero-day exploits when patch management lags behind.

EncystPHP: A Stealthy and Aggressive Web Shell

In January, researchers from FortiGuard Labs uncovered a newly deployed web shell named EncystPHP. Delivered through exploitation of CVE-2025-64328, it acted as both dropper and persistence mechanism.

The malicious payload was downloaded from the IP address 45.234.176.202, resolving to the domain crm.razatelefonia.pro. Once executed, EncystPHP did far more than establish remote command execution. It aggressively restructured compromised environments to ensure exclusive control.

The malware locked critical files, harvested database configuration details, deleted cron jobs and legitimate user accounts, and removed competing web shells. It then created a root-level account, reset system passwords, injected an SSH key, and ensured port 22 remained open, giving the attackers a second access path that survives even if the web shell itself is found and deleted.

Defense Evasion and Log Manipulation

EncystPHP demonstrated deliberate operational discipline. After deployment, it erased logs to minimize forensic traces, removed the vulnerable Endpoint Manager module to mask the original attack vector, and restored file permissions to blend in with legitimate system configurations.

It also fetched additional payloads, expanding the compromise beyond a single web shell. Base64-encoded web shells were deployed to reinforce persistence, effectively layering access mechanisms. The attackers were not simply breaching systems. They were fortifying them for long-term occupation.
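The persistence indicators above (a new uid-0 account, an injected SSH key, base64-wrapped PHP shells dropped into the web root) translate directly into host checks. The following is an added Python example, not code from FreePBX, FortiGuard or Shadowserver, covering both the EncystPHP behaviour list and the layered web shell deployment just described. It runs entirely against constructed sample data (a throwaway directory tree, fake passwd and authorized_keys text, fake key blobs) so it can be tried offline; the web-shell regexes and the sample paths are assumptions, and on a live host the functions would be pointed at the real web root, /etc/passwd and ~root/.ssh/authorized_keys.

```python
"""Post-compromise hunt for the persistence indicators attributed to EncystPHP.

Added example, not vendor or researcher code. All data below is constructed.
"""
import base64
import hashlib
import os
import re
import tempfile

SHELL_PATTERNS = [
    # eval(base64_decode(...)) / eval(gzinflate(...)) wrappers
    re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # system($_POST['cmd']) and similar command builtins fed from a request
    re.compile(r"(?:system|shell_exec|passthru|exec|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)", re.I),
    # variable-function call built from a request parameter: $_GET['f']($x)
    re.compile(r"\$_(?:GET|POST|REQUEST)\s*\[[^\]]+\]\s*\(", re.I),
]
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def find_suspicious_php(webroot):
    """Relative paths (forward slashes) of .php files matching any pattern."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    body = fh.read()
            except OSError:
                continue
            if any(p.search(body) for p in SHELL_PATTERNS):
                hits.append(os.path.relpath(path, webroot).replace(os.sep, "/"))
    return sorted(hits)


def extra_uid0_accounts(passwd_text):
    """Names of uid-0 accounts other than root, from passwd(5)-format text."""
    return [f[0] for f in (line.split(":") for line in passwd_text.splitlines())
            if len(f) >= 3 and f[2] == "0" and f[0] != "root"]


def ssh_fingerprint(key_blob_b64):
    """OpenSSH-style 'SHA256:<unpadded base64>' fingerprint of a key blob."""
    digest = hashlib.sha256(base64.b64decode(key_blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def unexpected_ssh_keys(authorized_keys_text, allowed_fingerprints):
    """(fingerprint, comment) of every key whose fingerprint is not allowed.
    A leading options field (from=..., command=...) is skipped by locating
    the key-type token; anything before it is discarded."""
    found = []
    for line in authorized_keys_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        idx = next((i for i, p in enumerate(parts) if p.startswith(KEY_TYPES)), None)
        if idx is None or len(parts) < idx + 2:
            continue
        fp = ssh_fingerprint(parts[idx + 1])
        if fp not in allowed_fingerprints:
            found.append((fp, " ".join(parts[idx + 2:])))
    return found


# ---- constructed sample data (not real keys, accounts or files) -----------
GOOD_BLOB = base64.b64encode(b"constructed key material: ops deploy key").decode()
BAD_BLOB = base64.b64encode(b"constructed key material: injected key").decode()
SAMPLE_AUTHORIZED_KEYS = (
    f"ssh-ed25519 {GOOD_BLOB} ops-deploy\n"
    f'command="/bin/true" ssh-ed25519 {GOOD_BLOB} ops-deploy-restricted\n'
    f"ssh-rsa {BAD_BLOB} unknown\n"
)
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "asterisk:x:999:995::/var/lib/asterisk:/sbin/nologin\n"
    "sysupd:x:0:0::/tmp:/bin/bash\n"  # second uid-0 login shell: a finding
)
BENIGN_PHP = "<?php\nrequire_once 'config.php';\necho json_encode(['status' => 'ok']);\n"
DROPPED_PHP = "<?php @eval(base64_decode($_POST['c']));\n"  # eval-wrapper style shell


def build_sample_webroot():
    """Write the constructed web root to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="freepbx-hunt-")
    os.makedirs(os.path.join(root, "admin", "modules", "endpoint"))
    os.makedirs(os.path.join(root, "admin", "assets"))
    with open(os.path.join(root, "admin", "modules", "endpoint", "page.php"), "w") as fh:
        fh.write(BENIGN_PHP)
    with open(os.path.join(root, "admin", "assets", "cache.php"), "w") as fh:
        fh.write(DROPPED_PHP)
    return root


def run_hunt(webroot, passwd_text=SAMPLE_PASSWD, authorized_keys_text=SAMPLE_AUTHORIZED_KEYS):
    """Run all three checks; the allow-list holds only the known deploy key."""
    return {
        "php": find_suspicious_php(webroot),
        "uid0": extra_uid0_accounts(passwd_text),
        "keys": unexpected_ssh_keys(authorized_keys_text, {ssh_fingerprint(GOOD_BLOB)}),
    }


if __name__ == "__main__":
    for check, result in run_hunt(build_sample_webroot()).items():
        print(f"{check}: {result}")
```

Fingerprint-based allow-listing is used rather than matching on key comments, because a comment is free text the attacker chooses. The regexes are deliberately narrow; on a real host they should be treated as a first pass, with anything in the web root that is not owned by a package or a known module reviewed by hand.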

CISA Recognition and Ongoing Risk

In early February, the Cybersecurity and Infrastructure Security Agency added CVE-2025-64328 to its Known Exploited Vulnerabilities catalog. Inclusion in this list confirms active exploitation in the wild and highlights the urgency of remediation.

Yet months after disclosure, and with a fix available in Endpoint Manager 17.0.3, hundreds of instances remain compromised. This gap between patch release and patch adoption continues to define modern cybersecurity risk.
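The patch-availability point, together with the module-removal tactic described under Defense Evasion, can be turned into a single host check. The following is an added Python example, not Sangoma tooling. It assumes the standard FreePBX module layout in which each module lives under admin/modules/<rawname>/ in the web root and describes itself in a module.xml carrying a <version> element; the rawname "endpoint" for Endpoint Manager is an assumption, and the version boundaries (affected from 17.0.2.36, fixed in 17.0.3) are taken from the advisory summary above. The sample web roots it builds are constructed.

```python
"""Patch-state check for the Endpoint Manager module on a FreePBX web root.

Added example, not vendor tooling. Layout and rawname 'endpoint' are assumed.
"""
import os
import tempfile
import xml.etree.ElementTree as ET  # on a compromised host module.xml is
# attacker-influenced; prefer defusedxml where it is available

FIRST_AFFECTED = (17, 0, 2, 36)
FIXED = (17, 0, 3)


def parse_version(text):
    """'17.0.2.36' -> (17, 0, 2, 36); anything non-numeric is rejected."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version):
    """Tuple comparison orders 17.0.2.36 < 17.0.3 < 17.0.3.1 correctly."""
    if version >= FIXED:
        return "patched"
    if version >= FIRST_AFFECTED:
        return "vulnerable"
    return "pre-affected-range"


def endpoint_manager_status(webroot):
    """Return (state, version) for the Endpoint Manager module.

    Absence is deliberately not reported as 'not installed, therefore safe':
    the article describes EncystPHP deleting this module after exploitation,
    so a missing module on a host that used it is itself a finding.
    """
    module_dir = os.path.join(webroot, "admin", "modules", "endpoint")
    manifest = os.path.join(module_dir, "module.xml")
    if not os.path.isdir(module_dir):
        return ("absent: cannot confirm patch state, investigate removal", None)
    if not os.path.isfile(manifest):
        return ("present but module.xml missing: inspect manually", None)
    version = ET.parse(manifest).getroot().findtext("version")
    if version is None:
        return ("present but no <version> element: inspect manually", None)
    try:
        return (classify(parse_version(version)), version)
    except ValueError:
        return ("present but unparseable version: inspect manually", version)


def make_sample_webroot(version):
    """Constructed web root; version=None writes no endpoint module at all."""
    root = tempfile.mkdtemp(prefix="freepbx-root-")
    if version is not None:
        module_dir = os.path.join(root, "admin", "modules", "endpoint")
        os.makedirs(module_dir)
        with open(os.path.join(module_dir, "module.xml"), "w") as fh:
            fh.write(
                "<module><rawname>endpoint</rawname>"
                "<name>Endpoint Manager</name>"
                f"<version>{version}</version></module>\n"
            )
    return root


if __name__ == "__main__":
    for sample in ("17.0.2.36", "17.0.3", "17.0.2.35", None):
        print(sample, "->", endpoint_manager_status(make_sample_webroot(sample)))
```

A version string alone does not prove the host is clean: a system patched after compromise still carries whatever the attackers left behind, so a "patched" result should be read together with the web shell and persistence checks, not instead of them.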

What Undercode Say:

The persistence of nearly 900 compromised systems months after public disclosure is not simply a patch management failure. It is a structural vulnerability in how organizations treat telephony infrastructure.

VoIP platforms often sit in a gray zone between IT and telecom departments. They are essential but rarely prioritized. Security budgets focus on cloud environments, endpoint detection, and perimeter firewalls. Meanwhile, on-premise PBX systems quietly operate with limited monitoring.

CVE-2025-64328 required authentication. That detail is crucial. It means the attackers first held valid FreePBX administrator access, obtained through credential compromise, weak or reused passwords on exposed admin interfaces, insider misuse, or a previously breached access layer. This was not random internet scanning alone. It indicates layered weaknesses.

The attackers’ decision to remove competing web shells signals something else. This was not smash-and-grab exploitation. It was controlled territory acquisition. The threat actor aimed to monopolize compromised hosts, possibly for resale, botnet inclusion, or future ransomware deployment.

EncystPHP’s behavior reflects operational maturity. Log wiping, SSH persistence, privilege escalation, and module removal indicate an understanding of forensic response workflows. The attacker anticipated incident response procedures and preemptively disrupted them.

There is also a strategic motive in targeting VoIP systems. Phone infrastructure provides intelligence value. Call metadata, voicemail storage, SIP credentials, and internal extension mapping reveal organizational structure. That intelligence can be weaponized for social engineering, business email compromise, or executive impersonation campaigns.

Another overlooked dimension is lateral movement. FreePBX often integrates with LDAP directories, CRM platforms, and billing systems. Once attackers gain shell access as the asterisk user and escalate to root, internal reconnaissance becomes straightforward.

The removal of the Endpoint Manager module after exploitation is a subtle but powerful tactic. It not only hides the attack vector but complicates patch validation audits. Administrators might assume the module was intentionally disabled, delaying forensic awareness.

The global distribution of infected hosts highlights the universal challenge of open-source infrastructure maintenance. Open-source does not mean insecure. But it does demand active lifecycle management. Organizations that deploy community-driven platforms without structured update policies create exposure windows that threat actors exploit with precision.

The addition of the vulnerability to CISA’s KEV catalog raises another issue. Federal contractors and regulated industries are required to remediate KEV-listed vulnerabilities within strict timelines. If hundreds of systems remain compromised, compliance oversight mechanisms may also be lagging.

The long-term risk is not limited to telephony disruption. Persistent root-level access can transform these servers into staging nodes for broader attacks. Data exfiltration, credential harvesting, and internal pivoting become realistic outcomes.

Ultimately, the incident underscores a recurring cybersecurity truth. Attackers move faster than patch cycles. The real differentiator is not the existence of vulnerabilities. It is the speed of detection, response, and disciplined update management.

Organizations that treat VoIP as infrastructure rather than software overlook its exposure surface. In a modern enterprise, every management interface is a potential command execution vector.

This breach is not merely a technical flaw in a module. It is a reminder that authenticated access is not equivalent to safe access. Trust boundaries must be reinforced with monitoring, logging integrity, and privileged account auditing.

Until companies implement continuous vulnerability scanning, segmented network architecture, and automated patch enforcement, similar campaigns will continue to succeed with predictable efficiency.

Fact Checker Results

✅ CVE-2025-64328 is a post-authentication command injection vulnerability affecting FreePBX Endpoint Manager module versions from 17.0.2.36 up to, but not including, 17.0.3.
✅ Around 900 instances were reported as compromised, with approximately 400 located in the United States.
✅ The vulnerability was added to CISA’s Known Exploited Vulnerabilities catalog after active exploitation was confirmed.

Prediction

📊 Continued exploitation attempts are likely against unpatched FreePBX deployments, especially in small and mid-sized enterprises with limited IT oversight.
📊 Threat actors may evolve EncystPHP into modular toolkits for lateral movement and data exfiltration.
📊 Regulatory pressure and KEV enforcement will accelerate patch adoption, but dormant web shells may remain undetected for months.


References:

Reported By: securityaffairs.com