Severity: High | Category: Cyber Attack

Over 900 FreePBX Phone Systems Still Compromised — Is Your Business One of Them?

Shadowserver reports 900+ Sangoma FreePBX instances worldwide remain infected with web shells exploiting CVE-2025-64328 (CVSS 8.6). The INJ3CTOR3 threat actor deploys EncystPHP web shells for command execution and fraudulent outbound calls. US leads with 401 compromised systems.

By Danny, Feb 28, 2026
Threat Actor
INJ3CTOR3
Attack Vector
Command Injection / Web Shell

If your office phone system runs on FreePBX, you need to stop what you're doing and read this.

The Shadowserver Foundation dropped some alarming numbers this week, revealing that more than 900 Sangoma FreePBX instances worldwide remain actively infected with web shells. These aren't theoretical vulnerabilities waiting to be exploited — they're live compromises happening right now, and the attackers already have their hooks in.

The United States leads the unfortunate pack with 401 compromised systems, followed by Brazil at 51, Canada with 43, Germany at 40, and France rounding out the top five with 36 infected instances. If you're running FreePBX and haven't checked your systems recently, those numbers should give you pause.

At the heart of this campaign is CVE-2025-64328, a high-severity command injection vulnerability carrying a CVSS score of 8.6. The flaw affects FreePBX versions 17.0.2.36 and higher (up to the 17.0.3 fix), and here's the particularly nasty part: any user with access to the FreePBX Administration panel can exploit this vulnerability to execute arbitrary shell commands on the underlying host. Once an attacker gets in, they're running commands as the asterisk user, which gives them significant control over the entire phone system and the server it runs on.

The attacks started in early December 2025, and the threat actor behind them has been identified as part of a cyber fraud operation that Fortinet tracks as INJ3CTOR3. Their weapon of choice is a web shell called EncystPHP, which operates with elevated privileges by leveraging the administrative contexts within FreePBX and Elastix environments. What makes this particularly concerning for businesses is that the attackers aren't just stealing data — they're using compromised PBX systems to initiate outbound call activity, meaning your phone system could be making calls you don't know about.

Think about that for a moment. Your business phone system, the one handling client calls and sensitive conversations, could be under someone else's control. They could listen in, make calls, route traffic through your infrastructure, or simply sit quietly and wait until they need access for something more destructive.

FreePBX patched this vulnerability in version 17.0.3 back in November 2025, but the continued presence of 900+ infected systems suggests that many organizations either don't know they're vulnerable or haven't prioritized updating their phone infrastructure. CISA added this vulnerability to its Known Exploited Vulnerabilities catalog earlier this month, which should serve as a clear signal that this isn't something to put off until next quarter's maintenance window.

For organizations still running vulnerable versions, FreePBX recommends implementing security controls to ensure only authorized users can access the Administrator Control Panel, restricting ACP access from untrusted networks, and updating the filestore module to the latest version. But honestly, if you're still running a vulnerable version at this point, you should assume you've been compromised and conduct a thorough investigation before simply patching and moving on.

The reality is that phone systems rarely get the security attention they deserve. Everyone patches their Windows servers and runs endpoint protection on workstations, but the PBX sitting in the corner often runs for years without updates. Attackers know this, which is why VoIP infrastructure has become an increasingly attractive target.

If your organization uses FreePBX, check your version today. If you're on 17.0.2.36 or later but haven't updated to 17.0.3, do it immediately. And if you're working with an MSP to manage your infrastructure, ask them directly what your FreePBX patch status is — because right now, 900+ businesses worldwide are learning the hard way what happens when phone systems fall through the security cracks.
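As an added example (not code from the article, Sangoma or the FreePBX project), here is a small Python check that tells you whether a FreePBX version string falls inside the affected window the article describes. It assumes the version string is passed on the command line (for instance copied from the Administration panel) and, per the article, that 17.0.2.36 is the first affected and 17.0.3 the first fixed release; the version is compared component by component rather than as a string, because string comparison misorders releases like 17.0.10 and 17.0.3.

```python
"""Flag a FreePBX version as inside the CVE-2025-64328 window: [17.0.2.36, 17.0.3)."""
import re
import sys

# Boundaries as stated in the article: first affected release and first fixed release.
FIRST_AFFECTED = (17, 0, 2, 36)
FIRST_FIXED = (17, 0, 3)


def parse_version(text: str) -> tuple:
    """Extract the first dotted version from text ('17.0.2.36', 'FreePBX 17.0.3-1')
    and return it as a tuple of ints so components compare numerically."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    if not match:
        raise ValueError(f"no dotted version found in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_vulnerable(text: str) -> bool:
    """True when the version is at or above 17.0.2.36 and below 17.0.3.
    Tuple ordering handles differing lengths: (17, 0, 3, 1) sorts above (17, 0, 3),
    and (17, 0, 2) sorts below (17, 0, 2, 36)."""
    version = parse_version(text)
    return FIRST_AFFECTED <= version < FIRST_FIXED


if __name__ == "__main__":
    # Assumption: the version string is supplied as the first argument; nothing is
    # read from the PBX itself, so this can run anywhere.
    reported = sys.argv[1] if len(sys.argv) > 1 else "17.0.2.36"
    verdict = "VULNERABLE, update to 17.0.3 or later" if is_vulnerable(reported) \
        else "outside the affected window"
    print(f"FreePBX {reported}: {verdict}")
```

A version outside the window is not proof of a clean system: the article's advice to assume compromise and investigate still applies to any host that ran an affected build.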

Target Sectors

Enterprise, SMB, Telecommunications

Tags

FreePBX, Sangoma, CVE-2025-64328, VoIP, Web Shell, INJ3CTOR3, PBX, EncystPHP, CISA KEV