Introduction: A Lingering Breach That Refuses to Die
A major cybersecurity incident that began quietly in late 2025 is still unfolding well into 2026. More than 900 internet-exposed FreePBX servers remain compromised months after attackers first exploited a critical vulnerability, raising serious questions about patching discipline, visibility gaps, and the long-term risks of neglected infrastructure. The attacks, linked to a threat actor known as INJ3CTOR3, are not just about data theft—they enable persistent remote control, command execution, and even unauthorized outbound phone calls, turning business phone systems into covert cyber weapons.
the Original Report
In December 2025, attackers began exploiting CVE-2025-64328, a high-impact vulnerability affecting Sangoma’s FreePBX systems. The flaw allowed unauthenticated attackers to upload malicious files and execute arbitrary commands on vulnerable servers. As part of the campaign, attackers deployed EncystPHP web shells, lightweight but powerful backdoors that grant persistent remote access through a simple web interface.
Despite public disclosure and available patches, monitoring in February 2026 shows that more than 900 FreePBX instances remain infected. These compromised systems continue to communicate outbound, execute attacker-controlled commands, and in some cases place unauthorized phone calls—potentially generating financial losses while masking malicious activity as legitimate VoIP traffic.
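The unauthorized outbound calls described above leave a trail in the PBX's own call detail records (CDRs). The following is an added example, not code from the original report or from Sangoma, that scans CDR lines in the column order Asterisk writes to Master.csv and flags the patterns a toll-fraud hunt looks for: international destinations, calls placed outside business hours, and bursts of calls from one extension. The CDR rows are constructed samples; the dialing prefixes, business-hours window and burst threshold are assumptions to tune for your own deployment.

```python
"""Flag toll-fraud-like activity in Asterisk-style CDR records (added example).

The CSV column order mirrors Asterisk's Master.csv layout; the records embedded
below are constructed for this example, not taken from any real system.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

CDR_FIELDS = [
    "accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
    "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
    "disposition", "amaflags", "uniqueid", "userfield",
]

# Constructed sample: five calls, three of them from extension 201 at 03:12-03:14
# to international numbers, which is the classic toll-fraud shape.
SAMPLE_CDR = """\
"","201","5551234567","from-internal","Ext 201 <201>","PJSIP/201-00000001","PJSIP/trunk-00000002","Dial","PJSIP/5551234567@trunk,300","2026-02-10 10:15:00","2026-02-10 10:15:05","2026-02-10 10:17:05","125","120","ANSWERED","DOCUMENTATION","id1",""
"","201","0112345678901","from-internal","Ext 201 <201>","PJSIP/201-00000003","PJSIP/trunk-00000004","Dial","PJSIP/0112345678901@trunk,300","2026-02-10 03:12:00","2026-02-10 03:12:04","2026-02-10 03:22:04","604","600","ANSWERED","DOCUMENTATION","id2",""
"","201","0112345678902","from-internal","Ext 201 <201>","PJSIP/201-00000005","PJSIP/trunk-00000006","Dial","PJSIP/0112345678902@trunk,300","2026-02-10 03:13:00","2026-02-10 03:13:03","2026-02-10 03:23:03","603","600","ANSWERED","DOCUMENTATION","id3",""
"","201","0112345678903","from-internal","Ext 201 <201>","PJSIP/201-00000007","PJSIP/trunk-00000008","Dial","PJSIP/0112345678903@trunk,300","2026-02-10 03:14:00","2026-02-10 03:14:02","2026-02-10 03:24:02","602","600","ANSWERED","DOCUMENTATION","id4",""
"","202","5559876543","from-internal","Ext 202 <202>","PJSIP/202-00000009","PJSIP/trunk-00000010","Dial","PJSIP/5559876543@trunk,300","2026-02-10 14:00:00","2026-02-10 14:00:06","2026-02-10 14:02:06","126","120","ANSWERED","DOCUMENTATION","id5",""
"""

INTERNATIONAL_PREFIXES = ("011", "00", "+")  # assumption: NANP-style trunk dialing
BUSINESS_HOURS = range(6, 22)                # assumption: 06:00-21:59 is normal


def parse_cdr(text: str) -> list[dict]:
    """Parse CDR CSV text into dicts keyed by CDR_FIELDS, adding a datetime."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text), fieldnames=CDR_FIELDS):
        rec["start_dt"] = datetime.strptime(rec["start"], "%Y-%m-%d %H:%M:%S")
        rows.append(rec)
    return rows


def detect_toll_fraud(rows: list[dict], burst_count: int = 3,
                      burst_window: timedelta = timedelta(minutes=10)) -> dict[str, list[str]]:
    """Return {uniqueid: [reasons]} for every call that trips at least one rule."""
    alerts: dict[str, list[str]] = defaultdict(list)
    by_src: dict[str, list[dict]] = defaultdict(list)
    for r in rows:
        if r["dst"].startswith(INTERNATIONAL_PREFIXES):
            alerts[r["uniqueid"]].append(f"international destination {r['dst']}")
        if r["start_dt"].hour not in BUSINESS_HOURS:
            alerts[r["uniqueid"]].append(
                f"placed outside business hours at {r['start_dt']:%H:%M}")
        by_src[r["src"]].append(r)
    # Burst rule: burst_count or more calls from one source inside burst_window.
    minutes = int(burst_window.total_seconds() // 60)
    for src, calls in by_src.items():
        calls.sort(key=lambda c: c["start_dt"])
        covered: set[str] = set()
        for i, first in enumerate(calls):
            if first["uniqueid"] in covered:
                continue
            window = [c for c in calls[i:] if c["start_dt"] - first["start_dt"] <= burst_window]
            if len(window) >= burst_count:
                msg = f"burst: {len(window)} calls from {src} within {minutes} min"
                for c in window:
                    alerts[c["uniqueid"]].append(msg)
                    covered.add(c["uniqueid"])
    return dict(alerts)


if __name__ == "__main__":
    for call_id, reasons in sorted(detect_toll_fraud(parse_cdr(SAMPLE_CDR)).items()):
        print(call_id, "->", "; ".join(reasons))
```

Run against a real Master.csv the same parser applies unchanged; the point of keeping each rule separate is that a single international call during the day is routine for many businesses, while the combination of off-hours timing and a burst from one extension is what distinguishes an abused system from normal traffic.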
Security researchers attribute the activity to a threat actor tracked as INJ3CTOR3, who appears to specialize in mass exploitation of exposed services rather than targeted intrusions. The scale of infection suggests automated scanning and exploitation, followed by minimal post-exploitation effort—just enough persistence to maintain long-term access.
The report highlights a recurring cybersecurity problem: vulnerabilities may be patched on paper, but in reality, thousands of systems remain unmaintained, unmonitored, and silently compromised long after the headlines fade.
What Undercode Says:
The most alarming aspect of this incident is not the vulnerability itself—it’s the duration and persistence of the compromise. When over 900 systems remain infected months after disclosure, the issue is no longer about zero-days or elite attackers. It becomes a systemic failure in operational security.
FreePBX is widely deployed by small and mid-sized businesses that often lack dedicated security teams. These environments frequently expose management interfaces directly to the internet, rarely enforce strict access controls, and delay updates due to fear of service disruption. Attackers like INJ3CTOR3 thrive in exactly this ecosystem: high volume, low resistance, minimal detection.
EncystPHP web shells are especially dangerous because they blend in. They consume few resources, generate limited logs, and can survive reboots and partial cleanups. Once installed, they allow attackers to return at will, pivot into internal networks, or monetize access through toll fraud—an old but still lucrative technique in VoIP attacks.
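Because a dropped web shell is just another PHP file under the web root, the practical response to the persistence described above (and to the file-upload primitive described in the report summary) is to hunt for it on disk. The following is an added example, not code from the original report or from Sangoma, and it carries no EncystPHP-specific signature since the page publishes none: it walks a web root and flags PHP files that pair a code-execution or decoding primitive with request-controlled input, plus any PHP file sitting in a directory that should only hold data. The directory names and the sample web root it builds are constructed assumptions; point `scan_webroot` at your own install.

```python
"""Hunt for web-shell-like PHP files under a PBX web root (added example).

Heuristic, not signature-based: a file is flagged when it combines an
exec/decode primitive with a request superglobal, or when any PHP file sits
in a data-only directory. The sample web root is constructed for this example.
"""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass, field

EXEC_PATTERNS = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|"
    r"base64_decode|gzinflate|str_rot13)\s*\(",
    re.IGNORECASE,
)
INPUT_PATTERNS = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|FILES)\b|php://input")
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".phar")
# Assumption: these subdirectories hold uploads/media only and never code.
DATA_ONLY_DIRS = {"uploads", "recordings", "tmp"}


@dataclass
class Finding:
    path: str                                     # relative to the web root
    reasons: list[str] = field(default_factory=list)


def scan_file(path: str, webroot: str) -> Finding | None:
    """Return a Finding for one PHP file, or None when nothing looks off."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    reasons: list[str] = []
    primitives = sorted({m.group(1).lower() for m in EXEC_PATTERNS.finditer(text)})
    if primitives and INPUT_PATTERNS.search(text):
        reasons.append(f"exec/decode primitives {primitives} fed by request input")
    rel = os.path.relpath(path, webroot).replace(os.sep, "/")
    if any(part in DATA_ONLY_DIRS for part in rel.split("/")[:-1]):
        reasons.append("PHP file inside a data-only directory")
    return Finding(rel, reasons) if reasons else None


def scan_webroot(webroot: str) -> list[Finding]:
    """Walk the web root (dotfiles included) and collect findings sorted by path."""
    findings: list[Finding] = []
    for dirpath, _dirs, filenames in os.walk(webroot):
        for name in filenames:
            if name.lower().endswith(PHP_EXTENSIONS):
                found = scan_file(os.path.join(dirpath, name), webroot)
                if found:
                    findings.append(found)
    return sorted(findings, key=lambda f: f.path)


def build_sample_webroot() -> str:
    """Create a constructed web root: one benign file and two that should be flagged."""
    root = tempfile.mkdtemp(prefix="pbx-webroot-")
    samples = {
        # Benign: reads $_POST but never hands it to an exec/decode primitive.
        "admin/form.php": "<?php\n$n = $_POST['name'] ?? '';\necho htmlspecialchars($n);\n",
        # Constructed fixture resembling a dropped shell: decode-then-eval on request input,
        # hidden as a dotfile inside an assets directory.
        "admin/assets/.cache.php": "<?php\n@eval(base64_decode($_POST['d']));\n",
        # Any PHP file under recordings/ is suspicious regardless of its content.
        "recordings/index.php": "<?php\necho 'hello';\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for finding in scan_webroot(build_sample_webroot()):
        print(finding.path, "->", "; ".join(finding.reasons))
```

A clean scan is not proof of a clean host: the primitive list is deliberately short and an obfuscated shell can evade it, which is why the report's point about reinstallation rather than spot cleanup stands. Pairing this with a comparison of PHP file hashes against a known-good install of the same FreePBX version catches what the heuristics miss.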
Another under-discussed risk is reputational and legal exposure. Compromised phone systems can be used to launch scams, robocalls, or even social engineering attacks that appear to originate from legitimate businesses. Victims may never realize their infrastructure was abused until regulators or telecom providers get involved.
This case also underscores a broader industry problem: vulnerability disclosure does not equal remediation. Security advisories assume a level of maturity many organizations simply don’t have. Without automated patching, continuous asset discovery, and external attack-surface monitoring, known vulnerabilities effectively become permanent backdoors.
From a threat-intelligence perspective, INJ3CTOR3 does not need sophistication. Scale is the strategy. As long as thousands of exposed systems exist, even a low-effort exploit can yield long-term control over critical communications infrastructure. That should deeply concern anyone responsible for enterprise IT or telecom systems.
🔍 Fact Checker Results
✅ CVE-2025-64328 exploitation began in December 2025 and targets FreePBX systems.
✅ EncystPHP web shells are confirmed on hundreds of unpatched instances.
❌ No evidence suggests victims were fully remediated without manual cleanup and reinstallation.
📊 Prediction
📉 The number of infected FreePBX servers will decline slowly, not rapidly, due to poor patch adoption.
📞 VoIP toll fraud and outbound call abuse will increase as attackers maintain access.
🔁 Similar mass-exploitation campaigns will target other exposed telecom platforms throughout 2026.
Entities referenced:
Sangoma
INJ3CTOR3
References:
Reported By: x.com