CVE-2025-64328 Exploitation Impacts Sangoma FreePBX Systems: What You Need to Know
Threat Intelligence


CVE-2025-64328 exploitation impacts 900 Sangoma FreePBX instances

Learn about the CVE-2025-64328 command injection vulnerability affecting Sangoma FreePBX, the ongoing web shell campaign that exploits it, and the mitigation steps that protect your VoIP infrastructure.

In December 2025, attackers began exploiting CVE-2025-64328, a command injection vulnerability in Sangoma FreePBX, and infected approximately 900 systems with web shells. This article covers the vulnerability, its impact, the timeline of events, and the steps FreePBX operators should take to mitigate the risk and secure their VoIP infrastructure.

Introduction to CVE-2025-64328 and Sangoma FreePBX

Sangoma FreePBX is a widely used, open-source graphical user interface for managing Asterisk-based IP-PBX telephony systems. Its ease of use and feature set have made it a common choice for business VoIP deployments. Like any software, FreePBX is susceptible to vulnerabilities; one of them, CVE-2025-64328, has recently been exploited at scale.

CVE-2025-64328 is a high-severity command injection vulnerability affecting FreePBX versions 17.0.2.36 and earlier. It allows a user who is already authenticated to the FreePBX administration panel to execute arbitrary shell commands on the underlying host; the attacker therefore needs admin credentials, or an exposed and weakly protected panel, before the flaw comes into play. It carries a CVSS score of 8.6 (High) [FreePBX Advisory].

Details of the Command Injection Flaw

The command injection flaw, CVE-2025-64328, resides within the FreePBX administration panel. A user with administrative privileges can supply input that the application passes to the host shell without neutralising shell metacharacters, so the input can carry arbitrary commands. Those commands run as the 'asterisk' user, the account that runs Asterisk and the FreePBX web application, which is enough to write files into the web root (the web shells seen in this campaign) and to read the PBX configuration that account owns [The Hacker News].

According to the FreePBX Security Team, "The impact is that any user with access to the FreePBX Administration panel could leverage this vulnerability to execute arbitrary shell commands on the underlying host." This highlights the importance of restricting access to the FreePBX administration panel to only trusted personnel [The Hacker News].
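The following Python program is an added illustration of the vulnerability class described above; it is not FreePBX code (the page does not show the vulnerable code path, and FreePBX itself is written in PHP). It contrasts an admin-supplied string spliced into a shell line with the same operation done through an argument vector and an allowlist. The printf command, the "label" field and the injected payload are constructed for the example.

```python
"""Command injection pattern, illustrated (added example, not FreePBX code).

A management UI takes a string from an authenticated admin and hands it to a
host command. The vulnerable form builds a shell line by concatenation, so a
';' in the input starts a second command. The hardened form passes an argv
list (no shell parsing at all) and rejects anything outside an allowlist.
"""
import re
import subprocess

# Allowlist for the hypothetical "label" field: letters, digits, '_', '.', '-'.
SAFE_LABEL = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def vulnerable_label(label: str) -> str:
    """VULNERABLE: admin input concatenated into a shell command line."""
    cmd = "printf '%s\\n' " + label          # becomes: printf '%s\n' <label>
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def argv_label(label: str) -> str:
    """Safer: no shell. The label is a single argv element, so ';' is inert."""
    proc = subprocess.run(["printf", "%s\n", label], capture_output=True, text=True)
    return proc.stdout


def hardened_label(label: str) -> str:
    """Hardened: allowlist validation *and* argv execution (defence in depth)."""
    if not SAFE_LABEL.fullmatch(label):
        raise ValueError(f"label rejected: {label!r}")
    return argv_label(label)


def is_rejected(label: str) -> bool:
    """True when the hardened path refuses the input outright."""
    try:
        hardened_label(label)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "x; echo INJECTED"            # constructed admin input
    print("vulnerable:", repr(vulnerable_label(payload)))   # second command runs
    print("argv only: ", repr(argv_label(payload)))         # payload printed literally
    print("hardened:  ", "rejected" if is_rejected(payload) else "accepted")
```

The argv form alone already defeats the injection because nothing parses the string as shell syntax; the allowlist is the second layer that keeps unexpected characters out of whatever the value is used for next.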

Impact of the Exploitation on Sangoma FreePBX Systems

The primary impact of exploitation has been the deployment of web shells on compromised FreePBX systems. A web shell is a script placed in the web root that gives the attacker persistent remote access: through it they can execute commands, upload and download files, and stage further activity [The Hacker News].

The Shadowserver Foundation notes, "By leveraging Elastix and FreePBX administrative contexts, the web shell operates with elevated privileges, enabling arbitrary command execution on the compromised host" [The Hacker News]. This elevated access allows attackers to further compromise the system and potentially gain access to sensitive data.

Timeline of the Attacks (Starting December 2025)

The attacks exploiting CVE-2025-64328 began in December 2025. Over 900 Sangoma FreePBX instances were found infected with web shells [The Hacker News]. The attackers targeted systems running vulnerable versions, 17.0.2.36 and earlier, using the command injection flaw to write and execute malicious scripts that established the web shells.

In February 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-64328 to its Known Exploited Vulnerabilities (KEV) catalog, underscoring the active exploitation of this vulnerability and urging immediate patching [CISA KEV].

Current Status: Hundreds of Systems Still Infected

Despite the availability of a patch and widespread awareness of the vulnerability, hundreds of Sangoma FreePBX instances remain infected with web shells. According to Shadowserver scans, the United States is the most affected country, with 401 infected instances [The Hacker News]. Upgrading closes the injection vector but does not remove a web shell that was planted before the upgrade; an instance that was exposed while vulnerable has to be inspected, and if a shell is found rebuilt, as well as patched.

Sangoma's Response and Mitigation Strategies

Sangoma, the company behind FreePBX, has released version 17.0.3, which includes a patch for CVE-2025-64328. In addition to releasing the patch, Sangoma has provided guidance on mitigating the risks associated with this vulnerability. Their recommendations include:

  • Restricting access to the FreePBX administration panel [community.freepbx.org].
  • Updating all modules to the latest versions [community.freepbx.org].
  • Scanning for web shells and other malicious files [community.freepbx.org].

Sangoma has also emphasized the importance of following security best practices, such as using strong passwords and regularly reviewing user permissions [community.freepbx.org].

Recommendations for FreePBX Users

To protect your FreePBX systems from exploitation, consider the following recommendations:

  1. Apply the Patch: Upgrade to FreePBX version 17.0.3 or later to address CVE-2025-64328 [FreePBX Advisory].
  2. Restrict Admin Access: Limit access to the FreePBX administration panel to only authorized personnel [community.freepbx.org].
  3. Update Modules: Ensure all FreePBX modules are updated to the latest versions [community.freepbx.org].
  4. Scan for Web Shells: Regularly scan your systems for web shells and other malicious files [community.freepbx.org].
  5. Implement Strong Passwords: Enforce the use of strong, unique passwords for all user accounts [community.freepbx.org].
  6. Review User Permissions: Regularly review user permissions to ensure that users only have the access they need [community.freepbx.org].
  7. Monitor System Logs: Monitor system logs for suspicious activity [community.freepbx.org].
  8. Consider a Web Application Firewall (WAF): Place the admin panel behind a WAF or reverse proxy as a supplement to patching and access restriction, not a substitute, since the flaw is reachable by any authenticated administrator.
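As an added example (not Sangoma's tooling), the following Python script covers steps 1 and 4 of the list above: it decides whether an installed 17.x framework version is below the 17.0.3 fix release the article cites, and sweeps a web root for PHP files that look like web shells or were modified after a baseline the operator trusts. The heuristics, the paths and the constructed sample files are assumptions; the patterns are generic web-shell traits, not indicators published for this campaign.

```python
"""Triage helper for the FreePBX web-shell campaign (added example, not FreePBX code).

Two checks a responder wants after reading the advisory:
  1. needs_upgrade(): is this 17.x install below the 17.0.3 fix release?
  2. scan_webroot(): which PHP files in the web root look like web shells, or
     were modified after a baseline the operator trusts (e.g. the last
     known-good module update)?
Heuristics are generic web-shell traits, not published IOCs for this campaign.
"""
import os
import re
import tempfile
import time
from dataclasses import dataclass, field

FIXED_VERSION = (17, 0, 3)  # first fixed release on the 17.x line per the advisory


def parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.strip().split("."))


def needs_upgrade(installed: str) -> bool:
    """True for 17.0.2.36 and earlier; False from 17.0.3 onward. 17.x only."""
    parts = parse_version(installed)
    if parts[0] != 17:
        raise ValueError("only the 17.x line discussed in the advisory is handled")
    return parts < FIXED_VERSION


# Content heuristics: an execution sink fed from request data or from a
# decoding layer, a dynamic call of a request value, or a large base64 blob.
REQUEST = r"\$_(?:GET|POST|REQUEST|COOKIE)"
SINK = r"\b(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\("
SUSPICIOUS = [
    ("exec-sink-on-request", re.compile(SINK + r"\s*" + REQUEST, re.I)),
    ("decode-then-eval", re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)\s*\(", re.I)),
    ("dynamic-call-of-request", re.compile(REQUEST + r"\s*\[[^\]]+\]\s*\(", re.I)),
    ("long-base64-blob", re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")),
]
PHP_EXTS = (".php", ".phtml", ".php5", ".phar", ".inc")


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)

    @property
    def high_confidence(self) -> bool:
        # mtime alone is weak evidence; a content match is what makes it a hit
        return any(r != "modified-after-baseline" for r in self.reasons)


def scan_webroot(root: str, baseline_epoch=None) -> list:
    """Walk root (hidden files included) and collect suspicious PHP files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    text = fh.read(512 * 1024).decode("utf-8", "replace")  # shells are small
                mtime = os.stat(path).st_mtime
            except OSError:
                continue
            reasons = [label for label, rx in SUSPICIOUS if rx.search(text)]
            if baseline_epoch is not None and mtime > baseline_epoch:
                reasons.append("modified-after-baseline")
            if reasons:
                findings.append(Finding(path, reasons))
    return sorted(findings, key=lambda f: f.path)


def build_sample_webroot() -> str:
    """Constructed web root: one benign (old) file and two shell-like (new) files."""
    root = tempfile.mkdtemp(prefix="fpbx-webroot-")
    samples = {
        "admin/config.php": "<?php\n$db = new PDO($dsn);\necho 'ok';\n",
        "admin/.cache.php": "<?php if(isset($_POST['c'])){ system($_POST['c']); } ?>",
        "admin/assets/js/x.php": "<?php eval(base64_decode('" + "QUFB" * 80 + "')); ?>",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    old = time.time() - 30 * 86400                       # benign file predates baseline
    os.utime(os.path.join(root, "admin", "config.php"), (old, old))
    return root


def demo_findings() -> list:
    """Scan the constructed web root with a baseline of 24 hours ago."""
    return scan_webroot(build_sample_webroot(), baseline_epoch=time.time() - 86400)


if __name__ == "__main__":
    for v in ("17.0.2.36", "17.0.3"):
        print(v, "needs upgrade" if needs_upgrade(v) else "fixed")
    for f in demo_findings():
        print("HIGH" if f.high_confidence else "low ", f.path, f.reasons)
```

On a real host run the scan against the FreePBX document root with a baseline set to the last time you trust the modules were updated, and cross-check every hit against the files the installed modules actually ship; a content match is worth an incident, an mtime-only hit is worth a look.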

Technical Analysis of the Web Shells Used

The web shells deployed in these attacks provide a remote command execution interface. They are PHP scripts, which matters because FreePBX itself is a PHP application: the web server already executes PHP from its document root, so a dropped file runs with no further setup and is easy to name and place so that it blends in with legitimate files. Once on disk, the shell lets the attacker run commands and move files without touching the admin panel again, so it survives a password reset [The Hacker News].

Analyzing recovered shells (their paths, the parameter names they accept, and the requests that drive them) yields detection content: file-integrity rules for the web root and web-server log signatures for the shell's request pattern.
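As an added example (not FreePBX's own tooling), the Python script below applies the "Monitor System Logs" recommendation to the web-shell problem: it parses Apache combined-format access log lines and flags requests that fit how a planted shell is driven. The sample log lines are constructed, and the set of legitimate FreePBX entry points is an assumption to be replaced with the PHP files your own install serves.

```python
"""Hunting web-shell traffic in Apache combined-format access logs
(added example, not FreePBX tooling).

A planted PHP shell shows up in the web server log as requests to a PHP file
the application does not normally serve, often carrying command-like
parameters or a scripting tool's User-Agent. This parses log lines, scores
each request against those traits, and counts alerts per client IP.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: PHP entry points a stock FreePBX install legitimately serves.
# Build this list from your own install (the files shipped by its modules).
KNOWN_ENTRYPOINTS = {"/admin/config.php", "/admin/ajax.php", "/admin/index.php", "/index.php"}
CMD_PARAM = re.compile(r"[?&](?:cmd|c|command|exec|shell|pass)=", re.I)
TOOL_UA = re.compile(r"^(?:curl|wget|python-requests|python-urllib|Go-http-client)", re.I)

# Constructed sample log (documentation IP ranges; not telemetry from the campaign).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Dec/2025:03:12:41 +0000] "POST /admin/assets/.cache.php HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.20 - - [14/Dec/2025:03:13:02 +0000] "GET /admin/config.php?display=dashboard HTTP/1.1" 200 4096 "https://pbx.example/admin/" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Dec/2025:03:13:20 +0000] "GET /admin/assets/.cache.php?cmd=id HTTP/1.1" 200 87 "-" "curl/8.4.0"',
    '192.0.2.9 - - [14/Dec/2025:03:14:05 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Return the list of suspicious traits for one parsed request."""
    base = rec["path"].split("?", 1)[0]
    reasons = []
    # A *served* (200) PHP file outside the known set is the strongest signal;
    # 404s against unknown paths are ordinary scanner noise.
    if base.endswith(".php") and base not in KNOWN_ENTRYPOINTS and rec["status"] == "200":
        reasons.append("unknown-php-entrypoint")
    if CMD_PARAM.search(rec["path"]):
        reasons.append("command-like-parameter")
    if rec["method"] == "POST" and TOOL_UA.search(rec["ua"]):
        reasons.append("tooling-user-agent-post")
    return reasons


def hunt(lines):
    """Run every line through the classifier and keep the ones with findings."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"], "reasons": reasons})
    return alerts


def by_client(alerts):
    """Alerts per source IP: the shell operator's address stands out quickly."""
    return Counter(a["ip"] for a in alerts)


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for a in found:
        print(a["ts"], a["ip"], a["path"], ",".join(a["reasons"]))
    print("alerts per client:", dict(by_client(found)))
```

Feed it the web server's access log (or a SIEM export in the same format); a source IP that accumulates hits on a single unknown PHP path is the shell operator, and that path is what the file-system scan should confirm.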

Broader Implications for VoIP Security

The exploitation of CVE-2025-64328 is a reminder that VoIP management interfaces are attack surface like any other web application: an internet-exposed PBX admin panel with a command injection flaw hands an attacker a Linux host running under the telephony service account. Organizations should put PBX management planes under the same controls as other administrative interfaces, including network restriction, strong authentication, prompt patching and log review.

In addition to CVE-2025-64328, other vulnerabilities have been identified in FreePBX, including CVE-2025-57819, which allows unauthenticated access leading to Remote Code Execution (RCE) in endpoint modules, with a severity score of CVSS 9.8 [runZero / NVD]. Furthermore, Horizon3.ai reported multiple new FreePBX vulnerabilities, including CVE-2025-66039, involving authentication bypass and SQL injections leading to RCE [horizon3.ai]. These vulnerabilities underscore the need for continuous monitoring and proactive security measures.

Key Takeaways

  • CVE-2025-64328 is a command injection vulnerability in FreePBX that allows attackers to execute arbitrary shell commands [FreePBX Advisory].
  • Attacks exploiting this vulnerability began in December 2025, resulting in the infection of over 900 systems with web shells [The Hacker News].
  • Hundreds of FreePBX instances remain infected, highlighting the need for immediate action [The Hacker News].
  • Sangoma has released a patch and provided mitigation guidance [community.freepbx.org].
  • FreePBX users should apply the patch, restrict admin access, update modules, and scan for web shells to protect their systems [community.freepbx.org].

By taking these steps, organizations can significantly reduce their risk of falling victim to these types of attacks and ensure the security of their VoIP infrastructure.

Sources

  1. Sangoma Patches Critical FreePBX Zero-Day Vulnerability Exploited by Hackers: In-Depth Cybersecurity Analysis
  2. 900+ Sangoma FreePBX Instances Compromised in Ongoing Web Shell Attacks
  3. Sangoma FreePBX vulnerability: how to find affected assets
  4. 900 Sangoma FreePBX Instances Infected With Web Shells
  5. Sangoma FreePBX security advisory (AV25-550)
  6. community.freepbx.org
  7. horizon3.ai
  8. cvedetails.com
  9. nvd.nist.gov

Tags

CVE-2025-64328, Sangoma, FreePBX, Web Shell, Command Injection, VoIP Security
