A critical vulnerability in Sangoma FreePBX, tracked as CVE-2025-64328, has been actively exploited in the wild, compromising over 900 instances with web shells. This flaw, found in the FreePBX Endpoint Manager's filestore module, allows for post-authentication command injection by authenticated users. The vulnerability affects versions 17.0.2.36 and above, prior to 17.0.3, and has been classified as high severity with a CVSS score of 7.2.
The exploitation of this vulnerability has been swift, with attackers leveraging it within 87 days of its disclosure on November 7, 2025. The vulnerability is also listed in the Known Exploited Vulnerabilities (KEV) catalog as of February 3, 2026, underscoring its significance and the urgency for remediation.
The attack vector involves authenticated users executing arbitrary commands via the administrative interface, exploiting the command injection flaw (CWE-78) in the filestore module. This has led to the deployment of web shells across numerous FreePBX systems, providing attackers with persistent access and control over the compromised environments.
The exploitation of CVE-2025-64328 is facilitated by the availability of both a proof-of-concept (PoC) and an exploit, which have been circulating among threat actors. The Exploit Prediction Scoring System (EPSS) for this vulnerability is notably high at 0.809, indicating a significant likelihood of exploitation.
Organizations using affected versions of FreePBX are urged to upgrade to version 17.0.3 or later to mitigate this risk. The Security Severity Vulnerability Classification (SSVC) recommends immediate attention to this issue, given its active exploitation and potential impact on telephony systems.
Defenders should prioritize patching and review their systems for signs of compromise, such as unexpected web shell activity or unauthorized access attempts. Monitoring for unusual behavior in the administrative interface and implementing robust authentication measures can help mitigate the risk of exploitation.
CSURFACE