A command injection vulnerability in Sangoma FreePBX, tracked as CVE-2025-64328, has been actively exploited in the wild, compromising over 900 instances with persistent web shells. The flaw, which affects the filestore module of the FreePBX Endpoint Manager, allows authenticated users to execute arbitrary commands on the system. This vulnerability, identified as CWE-78, carries a CVSS score of 7.2, indicating a high severity level.
The vulnerability was disclosed on November 7, 2025, and has since been added to CISA's Known Exploited Vulnerabilities (KEV) catalog as of February 3, 2026. The exploitation of this flaw has been swift, with attackers leveraging it within 87 days of its disclosure, as indicated by its Time to Exploit (TTE) metric of 87.9 days. The Endpoint Manager module, specifically versions 17.0.2.36 and above but before 17.0.3, is susceptible to this post-authentication command injection.
Attackers have been deploying the EncystPHP web shell to maintain persistence on compromised systems. This web shell allows them to execute further malicious activities, potentially leading to data exfiltration or additional payload deployment. The exploitation has been widespread, with reports confirming that over 900 FreePBX instances have been affected by these attacks.
The availability of both an exploit and a proof-of-concept (PoC) has likely contributed to the rapid spread of this attack. The Exploit Prediction Scoring System (EPSS) for this vulnerability is notably high at 0.846, suggesting a significant likelihood of exploitation.
Organizations using affected versions of FreePBX are urged to upgrade to version 17.0.3 or later to mitigate this risk. The Security Severity Vulnerability Classification (SSVC) for this vulnerability is marked as 'attend,' indicating that immediate action is necessary to address the threat.
Defenders should prioritize patching affected systems and monitor for signs of compromise, such as unexpected web shell activity or unusual command executions. Given the active exploitation and the potential impact on telephony systems, swift remediation is critical to prevent further unauthorized access and potential data breaches.
CSURFACE