CVE-2025-64328

Published Nov 7, 2025

Exploit known

CVSS high 8.6
FreePBX Endpoint Manager

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-64328 identifies a command injection vulnerability within the FreePBX Endpoint Manager module. Specifically, the flaw resides in the `check_ssh_connect()` function of the Filestore component. This post-authentication vulnerability allows an authenticated attacker to execute arbitrary shell commands as the `asterisk` user on the affected system. This vulnerability impacts FreePBX Endpoint Manager versions 17.0.2.36 and above, prior to version 17.0.3. Reports indicate that a financially motivated hacker group, INJ3CTOR3, has actively exploited CVE-2025-64328 since early December 2025 to deploy a persistent webshell known as "EncystPHP," enabling them to gain administrative control over compromised VoIP systems.

Description
FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore module within the Administrative interface is vulnerable to a post-authentication command injection by an authenticated known user via the `testconnection -> check_ssh_connect()` function. An attacker can leverage this vulnerability to obtain remote access to the system as the `asterisk` user. This issue is fixed in version 17.0.3.
Source
security-advisories@github.com
NVD status
Analyzed
Products
freepbx

Risk scores

CVSS 4.0

Type
Secondary
Base score
8.6
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
HIGH

CVSS 3.1

Type
Primary
Base score
7.2
Impact score
5.9
Exploitability score
1.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Known exploits

Data from CISA

Vulnerability name
Sangoma FreePBX OS Command Injection Vulnerability
Exploit added on
Feb 3, 2026
Exploit action due
Feb 24, 2026
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

security-advisories@github.com
CWE-78

Social media

Hype score
Not currently trending
  1. Just published: Critical Analysis CVE-2025-64328 - Sangoma FreePBX OS Command Injection.... Practical security guidance from the trenches. Read more: https://t.co/wwAtSpZfaf

    @TomarPrateek23

    8 Feb 2026

    52 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. New security insights: Critical Analysis CVE-2025-64328 - Sangoma FreePBX OS Command Injection.... Fresh perspectives on defensive strategies. Read more: https://t.co/IDir9aIaDi

    @TomarPrateek23

    6 Feb 2026

    49 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CISA KEV (exploited): SolarWinds Web Help Desk CVE-2025-40551 (RCE) + FreePBX CVE-2019-19006 (auth bypass) and CVE-2025-64328 (cmd inj). If you operate it in MX, prioritize patching/mitigation today. https://t.co/Qx2MUYiM2S #Ciberseguridad #Mexico

    @BotBauR

    4 Feb 2026

    46 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Added to KEV: CVE-2019-19006 Sangoma FreePBX; CVE-2021-39935 GitLab Community and Enterprise Editions; CVE-2025-40551 SolarWinds Web Help Desk; CVE-2025-64328 Sangoma FreePBX

    @papa_anniekey

    4 Feb 2026

    613 Impressions

    0 Retweets

    4 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  5. ‼️ CISA has added 4 vulnerabilities to the KEV Catalog https://t.co/9idGUAHIKd CVE-2025-40551: SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability CVE-2019-19006: Sangoma FreePBX Improper Authentication Vulnerability CVE-2025-64328: Sangoma FreePBX OS

    @DarkWebInformer

    3 Feb 2026

    3051 Impressions

    4 Retweets

    17 Likes

    5 Bookmarks

    1 Reply

    0 Quotes

  6. 🚨 CVE-2025-64328 (CVSS 8.6): FreePBX Administration GUI is Vulnerable to Authenticated Command Injection FreePBX is vulnerable to authenticated command injection in the Endpoint Manager’s filestore module via `testconnection → check_ssh_connect()`, allowing attackers to h

    @zoomeye_team

    2 Feb 2026

    2338 Impressions

    12 Retweets

    31 Likes

    14 Bookmarks

    0 Replies

    0 Quotes

  7. On the EncystPHP web shell installed via the FreePBX vulnerability CVE-2025-64328. Reported by Fortinet. Believed to be attack activity by the hacker group INJ3CTOR3. https://t.co/j8Vtnf0EIn

    @__kokumoto

    2 Feb 2026

    762 Impressions

    0 Retweets

    4 Likes

    3 Bookmarks

    1 Reply

    0 Quotes

  8. INJ3CTOR3 hackers target FreePBX with EncystPHP web shell via CVE-2025-64328. Malware uses cron jobs for persistence. Patch immediately. #EncystPHP #FreePBX #CyberSecurity #VoIP #InfoSec #Malware #CVE202564328 #INJ3CTOR3 https://t.co/0TghcJvgSp

    @the_yellow_fall

    2 Feb 2026

    197 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. Alert: Critical #FreePBX vulnerability (CVE-2025-64328) exploited by INJ3CTOR3 group to deploy EncystPHP webshell, granting full system control. Patch immediately! #Security #VoIP Link: https://t.co/M8IFmgbN4y #Cybersecurity #Hacking #Exploit #Webshell #System #Patch #Update http

    @dailytechonx

    30 Jan 2026

    40 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. FortiGuard Labs uncovered EncystPHP, a Base64-encoded PHP web shell exploiting FreePBX CVE-2025-64328, enabling root access, SSH backdoors, and persistence through cron jobs in a campaign linked to INJ3CTOR3. #EncystPHP #VoIPHacking #India https://t.co/VwgwVG40kA

    @TweetThreatNews

    30 Jan 2026

    108 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. 🚨 Just in: Our team has identified #EncystPHP, a persistent FreePBX web shell exploiting CVE-2025-64328 to enable long-term administrative compromise. This activity aligns with INJ3CTOR3 campaigns. Learn why unpatched PBX systems remain prime targets. 🔍 Read the blog: http

    @FortiGuardLabs

    29 Jan 2026

    244 Impressions

    2 Retweets

    4 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. FortiGuard Labs analyses EncystPHP, a weaponized web shell delivering remote command execution, persistence and further web shell deployment. It spreads by exploiting FreePBX vulnerability CVE-2025-64328 and is linked to the INJ3CTOR3 actor. https://t.co/Fx2VaLog7o https://t.co/9

    @virusbtn

    29 Jan 2026

    4471 Impressions

    8 Retweets

    28 Likes

    16 Bookmarks

    0 Replies

    4 Quotes

  13. 📢 Unveiling the Weaponized Web Shell EncystPHP • EncystPHP is a web shell with remote command execution, persistence, and web shell deployment capabilities.

    @PurpleOps_io

    28 Jan 2026

    29 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. CVE-2025-64328 Command Injection in FreePBX Endpoint Manager Filestore Module 17.0.2.36 https://t.co/7o5Iuclyx9

    @VulmonFeeds

    7 Nov 2025

    48 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  15. CVE-2025-64328 FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore module within t… https://t.co/Q5X4T6Shnq

    @CVEnew

    7 Nov 2025

    263 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations