Hundreds of infected FreePBX instances online

In early February, CISA warned of attacks on FreePBX instances. Currently, hundreds of compromised installations are online.

Highly distorted image of a finger on a keyboard, with a digital exclamation mark in the foreground

(Image: janews/Shutterstock.com)


Criminals have been exploiting known security vulnerabilities in FreePBX, the open-source web interface for Asterisk telephone systems, since the end of 2025. The US IT security authority CISA has warned of these observed attacks. For many IT managers, this has apparently not been reason enough to bring their systems up to date: hundreds of infected instances are reachable on the internet.

The Shadowserver Foundation warned about this on Mastodon. Last week, it found more than 900 IP addresses where compromised FreePBX instances were listening. The IT researchers explain that the devices were most likely compromised through the vulnerability CVE-2025-64328, which is one of the vulnerabilities named in the CISA warning.

The current data from the Shadowserver Foundation shows only a very slight decrease in compromised FreePBX servers. In the breakdown by country, the USA is by far in first place, followed by Brazil and Canada; Germany is already in fourth place, with 38 infiltrated FreePBX instances at the time of this article.

Fortinet has presented an analysis according to which a cyber-crime group named “INJ3CTOR3” has been exploiting the vulnerability CVE-2025-64328 in FreePBX (FreePBX Endpoint Manager 17.0.2.36 - 17.0.3) since early December 2025 to deploy a webshell called “EncystPHP” onto compromised systems.


The attackers read database information from the FreePBX configuration file. They then delete cron jobs and various FreePBX user accounts, including “ampuser”, “svc_freepbx”, “freepbx_svc”, and others. Furthermore, “EncystPHP” searches for other webshells and attempts to delete them; it does the same with some files that indicate the presence of infostealers. Finally, the webshell gains persistence by setting up a root user “newfpbx”, resets various user passwords to a fixed value, and raises their access rights. To let the attackers connect, the webshell inserts a public SSH key and modifies the system configuration so that port 22 (SSH) stays open. EncystPHP then downloads further dropper software. In the end, it also tampers with the log files and deletes the FreePBX Endpoint Manager module “endpoint”.

The malware makes further changes to the system; the Fortinet analysis provides details and also lists Indicators of Compromise (IOCs). These allow administrators to check their systems for signs of intrusion.
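As a starting point for such a check, the following POSIX shell script is an added example; it is not code from the heise article or from Fortinet's report and uses none of Fortinet's IOCs. It encodes only the behaviours the article attributes to EncystPHP: the new root account “newfpbx”, the deleted accounts “ampuser”, “svc_freepbx” and “freepbx_svc”, the inserted SSH key, and the removed “endpoint” module. It assumes those three accounts are local Unix users in /etc/passwd and that FreePBX modules live under /var/www/html/admin/modules; both are assumptions, and every check takes its input path as an argument so it can also run against files copied from a disk image.

```shell
#!/bin/sh
# freepbx_triage.sh - added example, not part of the article or Fortinet's analysis.
# Each check prints one "FINDING:" line per hit and returns 0; no output means
# nothing matched. The checks only cover behaviours the article describes.

# check_accounts PASSWD_FILE
# ASSUMPTION: "newfpbx" and the FreePBX service accounts are local Unix users.
check_accounts() {
    passwd="$1"
    grep -q '^newfpbx:' "$passwd" && echo "FINDING: account 'newfpbx' exists in $passwd"
    # generalisation: any UID 0 account besides root, whatever it is called
    awk -F: '$3 == 0 && $1 != "root" { print "FINDING: extra UID 0 account " $1 }' "$passwd"
    for u in ampuser svc_freepbx freepbx_svc; do
        grep -q "^$u:" "$passwd" || echo "FINDING: expected account '$u' missing from $passwd"
    done
    return 0
}

# check_ssh_keys AUTHORIZED_KEYS [KNOWN_KEYS]
# Reports every key whose key material (the base64 field) is not listed in
# KNOWN_KEYS, an inventory the operator maintains. With no inventory every key
# is reported, which is the right default during triage.
check_ssh_keys() {
    authkeys="$1"; known="${2:-/dev/null}"
    [ -f "$authkeys" ] || return 0
    grep -v '^[[:space:]]*#' "$authkeys" | grep -v '^[[:space:]]*$' |
    while read -r line; do
        # tolerate an options prefix (e.g. "no-pty,command=...") by scanning
        # for the key type; the key material is the field right after it
        set -- $line
        while [ $# -gt 1 ]; do
            case "$1" in
                ssh-rsa|ssh-ed25519|ecdsa-sha2-*|sk-*) break ;;
            esac
            shift
        done
        [ $# -ge 2 ] || continue
        keytype="$1"; material="$2"; comment="${3:-<no comment>}"
        grep -qF -- "$material" "$known" ||
            echo "FINDING: unknown SSH key ($keytype, comment '$comment') in $authkeys"
    done
    return 0
}

# check_endpoint_module [MODULES_DIR]
# ASSUMPTION: the Endpoint Manager module lives in MODULES_DIR/endpoint.
check_endpoint_module() {
    moddir="${1:-/var/www/html/admin/modules}"
    [ -d "$moddir/endpoint" ] ||
        echo "FINDING: Endpoint Manager module directory $moddir/endpoint is missing"
    return 0
}

# count_findings: pipe check output in, get the number of FINDING lines out
count_findings() {
    grep -c '^FINDING:' || true
}

# triage_host [KNOWN_KEYS]: run all checks against the live system paths
triage_host() {
    check_accounts /etc/passwd
    check_ssh_keys /root/.ssh/authorized_keys "$1"
    check_endpoint_module
}
```

Source the file and call `triage_host /path/to/known_keys.txt` on a suspect host; run the individual checks with explicit paths when working from a mounted image. The script is a first pass only: it says nothing about a host that was compromised and then cleaned by a competing intruder, so a clean run should be followed by the IOC review Fortinet's analysis supports.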

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.