CVE-2025-64328 — Sangoma FreePBX OS Command Injection Vulnerability

Sangoma FreePBX Endpoint Manager — Post-Auth OS Command Injection via SSH Test Function

What is Sangoma FreePBX?

FreePBX is the most widely deployed open-source web-based GUI for managing Asterisk, the open-source telephony engine. It is used by SMBs, enterprises, and service providers to administer VoIP PBX systems — configuring extensions, trunks, call routing, voicemail, and telephony features through a browser-based administrative interface.

Endpoint Manager is a commercial FreePBX module that handles IP phone provisioning and management. It includes functionality for testing SSH connectivity to managed endpoints — the check_ssh_connect() function in the testconnection action of the filestore module — and it is this function that contains CVE-2025-64328.

FreePBX installations are attractive targets because they sit on the public internet for remote management, have predictable admin panel paths, and are frequently deployed and forgotten with default or weak credentials in SMB environments.

Overview

CVE-2025-64328 is an OS command injection vulnerability (CVSS 7.2) in the FreePBX Endpoint Manager filestore module. An authenticated administrative user can inject arbitrary OS commands through the SSH connectivity test function, gaining command execution as the asterisk operating system user.

The vulnerability was published in November 2025, and active exploitation began within weeks. By February 27, 2026, the Shadowserver Foundation reported over 900 FreePBX instances infected with persistent EncystPHP web shells, deployed by the INJ3CTOR3 threat group — the same actor that previously exploited FreePBX CVE-2019-19006. CISA added it to the KEV catalog on February 3, 2026.

Affected Versions

Component                                    Vulnerable                  Fixed
FreePBX Endpoint Manager (filestore module)  ≥ 17.0.2.36 and < 17.0.3    17.0.3

Technical Details

The check_ssh_connect() function in the Endpoint Manager's filestore module accepts user-controlled input and interpolates it unsanitized into OS commands used to test SSH connectivity to managed endpoints. Attacker-controlled values are passed directly to a shell execution context without escaping, enabling injection of arbitrary shell commands through metacharacters (semicolons, pipes, backticks, command substitution).

Authentication is required but any admin-level account suffices. The injected commands execute as the asterisk system user, which has broad access to PBX configuration, database credentials, and the local filesystem.

CWE-78 (OS Command Injection): User-supplied input is incorporated into a command sent to an OS shell without neutralization of shell metacharacters.

The fix in 17.0.3 sanitizes the SSH test parameters before shell invocation.
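As an added illustration, not FreePBX's own code, the following Python shows the two controls a fix for this class of bug needs: allowlist validation of every SSH test field and an argument vector instead of an interpolated shell string. The field names host, port and username are assumed for the example.

```python
import ipaddress
import re
import subprocess

# Allowlists for the three fields an SSH reachability test needs (field names assumed; not FreePBX's code).
_HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
_USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

class InvalidSshTestInput(ValueError):
    """Raised when a field fails validation; no command is ever built."""

def validate_host(host: str) -> str:
    """Accept an IP literal or an RFC 1123 hostname, nothing else."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if len(host) <= 253 and _HOSTNAME_RE.fullmatch(host):
        return host
    raise InvalidSshTestInput(f"invalid host: {host!r}")

def validate_port(port) -> int:
    if not re.fullmatch(r"[0-9]{1,5}", str(port)) or not 1 <= int(port) <= 65535:
        raise InvalidSshTestInput(f"invalid port: {port!r}")
    return int(port)

def validate_username(username: str) -> str:
    if _USERNAME_RE.fullmatch(username):
        return username
    raise InvalidSshTestInput(f"invalid username: {username!r}")

def build_ssh_test_argv(host: str, port, username: str) -> list:
    """Validate every field, then return an argv list rather than a shell
    string: ';', '|', backticks and $(...) stay literal bytes, never syntax."""
    h, u, p = validate_host(host), validate_username(username), validate_port(port)
    return ["ssh", "-o", "BatchMode=yes", "-o", "ConnectTimeout=5",
            "-p", str(p), f"{u}@{h}", "true"]

def is_valid_ssh_test_input(host: str, port, username: str) -> bool:
    try:
        build_ssh_test_argv(host, port, username)
        return True
    except InvalidSshTestInput:
        return False

def run_ssh_test(host: str, port, username: str) -> bool:
    """Execute with shell=False (subprocess's default), so no shell parses the input."""
    argv = build_ssh_test_argv(host, port, username)
    return subprocess.run(argv, capture_output=True, timeout=15).returncode == 0
```

The leading-hyphen rejection in the hostname and username patterns also stops a field from being read by ssh as an option.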

Discovery

CVE-2025-64328 was discovered and reported by security researcher M. Cory Billington. FreePBX issued its security advisory and the 17.0.3 patch in November 2025.

Exploitation Context

Active exploitation began December 2025, attributed to INJ3CTOR3 — a threat group with a documented history of targeting FreePBX installations, previously responsible for exploiting CVE-2019-19006 across thousands of systems.

The group deployed the EncystPHP web shell (analyzed by Fortinet FortiGuard Labs). The dropper was delivered from 45.234.176.202. Post-compromise actions were systematic and thorough:

  • Locked key system files using chattr +i
  • Harvested database credentials from FreePBX configuration
  • Deleted cron jobs and user accounts
  • Removed rival web shells from competing attackers
  • Created a root-level user and reset passwords
  • Injected SSH keys for persistent access
  • Ensured port 22 remained open
  • Fetched additional payloads from remote servers
  • Erased log files to impede forensics
  • Removed the Endpoint Manager module to eliminate the vulnerability
  • Deployed Base64-encoded web shells at multiple locations for redundant persistence

By February 27, 2026, the Shadowserver Foundation reported 900+ FreePBX instances with persistent EncystPHP web shells still installed — many weeks after the patch was available. Geographic concentration: United States, Brazil, Canada, Germany, France.

The INJ3CTOR3 campaign represents a clear pattern: telephony infrastructure is targeted, compromised deeply, and used as a persistent foothold rather than a transient botnet node.

Remediation

  1. Upgrade Endpoint Manager to 17.0.3 via the FreePBX Module Admin interface or the fwconsole ma upgrade endpointman CLI command.

  2. Check for EncystPHP web shells — scan the FreePBX web root and admin directories for unexpected PHP files, particularly those with Base64-encoded content or obfuscated function calls. Check /var/www/html/admin/modules/ and adjacent directories.

  3. Audit user accounts — review /etc/passwd and FreePBX admin users for accounts not created by your team. The INJ3CTOR3 campaign created root-level OS users.

  4. Check SSH authorized keys — review /root/.ssh/authorized_keys and the asterisk user's ~/.ssh/authorized_keys for injected keys.

  5. Rotate database credentials — the asterisk user has read access to FreePBX's MySQL database, which contains SIP credentials, extension configurations, and potentially other sensitive data.

  6. Restrict admin panel access — the FreePBX administrative interface should never be directly internet-exposed. Restrict access by IP using firewall rules or place it behind a VPN.

  7. Review logs — check Apache/Nginx access logs for POST requests to the filestore module and for unexpected requests to /admin/ajax.php or module-specific endpoints. Log files may have been cleared by the attacker; check filesystem modification timestamps.
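Steps 2 through 4 above can be scripted. The following Python is an added triage helper, not a tool from the FreePBX project or from any of the cited reports: it flags PHP files whose contents match common web shell obfuscation patterns, lists UID 0 accounts other than root, and summarises authorized_keys entries. The patterns are generic heuristics, not a signature for EncystPHP.

```python
import re
from pathlib import Path

# Heuristic triage patterns for base64-packed or obfuscated PHP web shells.
# They are generic indicators, not a signature for EncystPHP specifically.
SHELL_PATTERNS = {
    "eval_base64": re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "exec_from_request": re.compile(
        r"\b(eval|assert|system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
    "variable_function": re.compile(r"\$\w+\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/]{300,}={0,2}['\"]"),
}
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar", ".inc"}

def scan_php_tree(root):
    """Map each PHP-like file under root (e.g. /var/www/html/admin) to the patterns it matches."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in PHP_SUFFIXES:
            text = path.read_text(errors="replace")
            names = [n for n, rx in SHELL_PATTERNS.items() if rx.search(text)]
            if names:
                hits[str(path.relative_to(root))] = names
    return hits

def extra_uid0_accounts(passwd_text):
    """Accounts with UID 0 in /etc/passwd content, excluding root itself."""
    found = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[2] == "0" and f[0] != "root":
            found.append(f[0])
    return found

def authorized_keys_summary(keys_text):
    """(key type, comment) per key line, so unfamiliar entries stand out."""
    out = []
    for line in keys_text.splitlines():
        fields = line.split()
        for i, tok in enumerate(fields):  # skip any leading key options
            if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
                out.append((tok, " ".join(fields[i + 2:])))
                break
    return out

if __name__ == "__main__":  # constructed sample, not a real /etc/passwd
    print(extra_uid0_accounts("root:x:0:0::/root:/bin/bash\nsupport:x:0:0::/root:/bin/sh\n"))
```

Run scan_php_tree against the FreePBX web root and compare extra_uid0_accounts and authorized_keys_summary output with what your team actually provisioned; anything else is a candidate for the INJ3CTOR3 post-compromise actions listed above.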

Key Details

Property              Value
CVE ID                CVE-2025-64328
Vendor / Product      Sangoma — FreePBX
NVD Published         2025-11-07
NVD Last Modified     2026-02-24
CVSS 3.1 Score        7.2
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-78
CISA KEV Added        2026-02-03
CISA KEV Deadline     2026-02-24
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  High
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2026-02-24. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2025-11-07  CVE-2025-64328 published; FreePBX Endpoint Manager 17.0.3 released with fix; researcher M. Cory Billington credited
2025-12-01  INJ3CTOR3 threat group begins active exploitation; EncystPHP web shell deployed
2026-02-03  Added to CISA Known Exploited Vulnerabilities catalog
2026-02-24  CISA BOD 22-01 remediation deadline
2026-02-27  Shadowserver Foundation reports 900+ FreePBX instances with persistent EncystPHP web shells