900+ Sangoma FreePBX Instances Compromised in Ongoing Web Shell Attacks
02.03.2026

Over 900 FreePBX systems remain infected after CVE-2025-64328 exploitation, now listed in CISA KEV amid active attacks.
🚨 900+ FreePBX Systems Still Infected After CVE-2025-64328 Exploit
Yikes — over 900 Sangoma FreePBX instances are still compromised by web shells after attackers exploited CVE-2025-64328. This critical command injection flaw is now on CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning active attacks are happening RIGHT NOW.
For the uninitiated: FreePBX is that popular open-source PBX platform tons of businesses use for phone systems. Attackers are weaponizing this vulnerability to drop web shells — basically backdoors that give them remote control over the compromised systems.
The vulnerability (CVE-2025-64328) is a command injection flaw in FreePBX's web interface. Attackers can execute arbitrary commands on the system by sending specially crafted HTTP requests. Once they're in, they're planting web shells to maintain persistence and potentially pivot to other systems.
CISA adding this to their KEV catalog is a major red flag — it means they have evidence of active exploitation in the wild. If you're running FreePBX, you need to patch IMMEDIATELY and check for signs of compromise.
- Over 900 FreePBX instances confirmed compromised
- CVE-2025-64328 command injection vulnerability being exploited
- Now listed in CISA's Known Exploited Vulnerabilities catalog
- Attackers deploying web shells for persistent access
- Active attacks ongoing as of February 2026
The article doesn't specify who's behind these attacks or their exact motives, but web shell compromises typically lead to data theft, ransomware deployment, or using the systems as part of botnets. Given FreePBX often handles sensitive communications, this is particularly concerning.
If you manage FreePBX systems: 1) Apply the latest patches immediately, 2) Check for unusual files or processes, 3) Monitor network traffic for suspicious activity, and 4) Consider implementing additional security controls around your PBX infrastructure.
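For step 2, here is one way to sweep a PBX web root for files that look like PHP web shells. This is an added example, not code from the article or from Sangoma, and the patterns are generic heuristics we assume are useful for triage, not indicators published for this campaign; the sample files are constructed.

```python
import re
import tempfile
import time
from pathlib import Path

# Heuristics only (assumption): request input passed to code/command execution,
# and decode-then-eval chains. Legitimate code can match; review every hit.
PATTERNS = {
    "exec-of-request-input": re.compile(
        rb"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\("
        rb"[^;]{0,200}\$_(GET|POST|REQUEST|COOKIE)", re.I),
    "decode-then-eval": re.compile(
        rb"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
}

def scan_webroot(root, recent_days=30, now=None):
    """Return sorted (relative_path, reasons) pairs for suspicious PHP files."""
    now = time.time() if now is None else now
    findings = []
    for path in Path(root).rglob("*"):
        if path.suffix.lower() not in {".php", ".phtml", ".inc"} or not path.is_file():
            continue
        try:
            data = path.read_bytes()
            mtime = path.stat().st_mtime
        except OSError:
            continue  # unreadable file: skip it instead of aborting the sweep
        reasons = [label for label, rx in PATTERNS.items() if rx.search(data)]
        if reasons and now - mtime <= recent_days * 86400:
            reasons.append("recently-modified")  # extra context on a pattern hit
        if reasons:
            findings.append((path.relative_to(root).as_posix(), reasons))
    return sorted(findings)

def demo():
    """Scan a constructed tree (sample files, not real indicators)."""
    samples = {
        "admin/config.php": b"<?php echo 'FreePBX admin'; ?>",
        "admin/assets/constructed_shell.php": b"<?php system($_GET['c']); ?>",
        "lib/cache.inc": b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan_webroot(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Call `scan_webroot()` on your own web root and compare hits against a clean copy of the same FreePBX version; a clean result does not rule out compromise, since a shell can be written to evade pattern matching.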


