Cybersecurity researchers recently uncovered a massive breach affecting more than nine hundred Sangoma FreePBX instances across North America and South America, signaling a major shift in how threat actors target voice-over-IP infrastructure. This ongoing campaign utilizes a high-severity vulnerability to gain control over communication servers, leaving organizations vulnerable to data theft and financial exploitation.
The Global Reach of the FreePBX Mass Compromise
The scale of this campaign spans multiple continents, with a heavy concentration of victims in the United States, Canada, and Brazil. This widespread exploitation highlights the vulnerability of communication systems that organizations often overlook during routine security audits.
Because these instances are frequently connected to the public internet for remote administration, they provide an attractive entry point for hackers seeking to execute remote commands. The impact of such a breach extends beyond the telephony system, potentially exposing the entire corporate network to further intrusion.
The Evolution of Open-Source VoIP Vulnerabilities
Open-source private branch exchange systems serve as the backbone for modern business telephony, making them high-value targets for cybercrime. The discovery of CVE-2025-64328 demonstrates how administrative interfaces remain a primary weak point in the software supply chain.
Such vulnerabilities allow attackers to bypass standard defenses, shifting the focus from simple data theft to deep infrastructure manipulation. This trend toward targeting VoIP modules suggests that threat actors are becoming more specialized in their methods of bypassing enterprise firewalls.
Anatomy of the CVE-2025-64328 Exploitation Campaign
The technical progression of these attacks follows a structured path from initial probe to full persistent access. Sophisticated groups monitor for unpatched modules to launch automated exploitation scripts across the global web.
1. Exploiting the High-Severity Command Injection Flaw
The vulnerability resides within the filestore module of FreePBX, where authenticated users find a path to bypass security controls. By injecting malicious code into specific fields, attackers trigger unauthorized command execution on the underlying server.
Understanding the “Asterisk” User Context
Commands executed through this flaw run under the asterisk user context, which possesses significant privileges over the telephony software. This level of access is sufficient to modify call routing, listen to recordings, or access sensitive configuration files.
The Risks of Unauthorized Remote Shell Access
Gaining a remote shell provides a bridge to the broader internal network, turning a simple phone system into a launchpad for lateral movement. This access allows for the installation of additional payloads that can persist even after software updates.
2. Deployment of the EncystPHP Web Shell by INJ3CTOR3
The INJ3CTOR3 cyber fraud group emerged as the primary threat actor deploying the EncystPHP web shell. This custom malware is designed specifically to maintain a hidden presence while giving the group full control over the compromised host.
Mechanics of Administrative Context Manipulation
By manipulating administrative contexts, the web shell hides its activities from standard system logs and management views. It creates a secondary management layer that only the attackers can access, effectively locking legitimate administrators out of the security conversation.
How Malware Facilitates Unauthorized Outbound Calling
The primary goal often involves toll fraud, where the malware initiates thousands of unauthorized outbound calls to premium-rate numbers. This process generates massive revenue for the attackers while leaving the victimized organization with exorbitant telecommunications bills.
3. Inclusion in the CISA Known Exploited Vulnerabilities Catalog
Government agencies took notice of the escalating threat, leading to a formal response to protect critical national infrastructure. The rapid inclusion of this flaw in official warning lists underscores the immediate danger it poses to public and private sectors.
Implications of the 2026 KEV Catalog Update
The early 2026 update to the Known Exploited Vulnerabilities catalog officially flagged CVE-2025-64328 as a high-priority risk. This designation requires federal agencies and affiliated partners to meet strict deadlines for applying security patches and verifying system integrity.
Why Government Recognition Accelerates Remediation Timelines
Recognition by CISA forces a faster response from software vendors and internal IT departments alike. When a vulnerability is cataloged this way, it moves from a theoretical bug to a mandatory fix, driving higher compliance across the entire industry.
Essential Takeaways from the Sangoma Security Crisis
- Over 900 global instances are currently confirmed as compromised.
- The flaw (CVE-2025-64328) allows for full host takeover via command injection.
- The INJ3CTOR3 group is actively using the EncystPHP web shell for financial fraud.
- Immediate patching to version 17.0.3 is the only definitive fix.
- CISA has mandated remediation for all relevant organizations.
Broader Implications for Telecommunications and Fraud Prevention
This campaign reflects a growing trend where vishing and toll fraud intersect with traditional server exploitation. As groups refine their ability to bypass firewalls through administrative modules, securing legacy VoIP hardware becomes a long-term challenge for modern IT teams.
Moreover, the financial impact of these breaches suggests that telecommunications fraud is becoming a primary revenue stream for organized cybercrime. Organizations must rethink their approach to telephony security by treating voice servers with the same rigor as data servers.
Securing the Future of FreePBX Environments
System administrators implemented a defense-in-depth approach to mitigate these recurring risks in the telephony sector. They established strict network segmentation for control panels and adopted proactive monitoring to detect unusual outbound traffic. These actions finalized the transition toward more resilient communication environments that prioritize administrative security over simple convenience. Teams evaluated their update cycles and ensured that mission-critical modules received immediate attention whenever high-severity flaws surfaced.