CVE-2025-64328

Published Nov 7, 2025

Last updated 9 hours ago

CVSS high 8.6
FreePBX Endpoint Manager

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-64328 identifies a command injection vulnerability within the FreePBX Endpoint Manager module. Specifically, the flaw resides in the `check_ssh_connect()` function of the Filestore component. This post-authentication vulnerability allows an authenticated attacker to execute arbitrary shell commands as the `asterisk` user on the affected system. This vulnerability impacts FreePBX Endpoint Manager versions 17.0.2.36 and above, prior to version 17.0.3. Reports indicate that a financially motivated hacker group, INJ3CTOR3, has actively exploited CVE-2025-64328 since early December 2025 to deploy a persistent webshell known as "EncystPHP," enabling them to gain administrative control over compromised VoIP systems.

Description
FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore module within the Administrative interface is vulnerable to a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to obtain remote access to the system as an asterisk user. This issue is fixed in version 17.0.3.
Source
security-advisories@github.com
NVD status
Awaiting Analysis

Risk scores

CVSS 4.0

Type
Secondary
Base score
8.6
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
HIGH

Weaknesses

security-advisories@github.com
CWE-78

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

5

  1. 🚨 CVE-2025-64328 (CVSS 8.6): FreePBX Administration GUI is Vulnerable to Authenticated Command Injection FreePBX is vulnerable to authenticated command injection in the Endpoint Manager’s filestore module via `testconnection → check_ssh_connect()`, allowing attackers to h

    @zoomeye_team

    2 Feb 2026

    2338 Impressions

    12 Retweets

    31 Likes

    14 Bookmarks

    0 Replies

    0 Quotes

  2. On the EncystPHP web shell installed via the FreePBX vulnerability CVE-2025-64328. Reported by Fortinet. Believed to be attack activity by the hacker group INJ3CTOR3. https://t.co/j8Vtnf0EIn

    @__kokumoto

    2 Feb 2026

    762 Impressions

    0 Retweets

    4 Likes

    3 Bookmarks

    1 Reply

    0 Quotes

  3. INJ3CTOR3 hackers target FreePBX with EncystPHP web shell via CVE-2025-64328. Malware uses cron jobs for persistence. Patch immediately. #EncystPHP #FreePBX #CyberSecurity #VoIP #InfoSec #Malware #CVE202564328 #INJ3CTOR3 https://t.co/0TghcJvgSp

    @the_yellow_fall

    2 Feb 2026

    197 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Alert: Critical #FreePBX vulnerability (CVE-2025-64328) exploited by INJ3CTOR3 group to deploy EncystPHP webshell, granting full system control. Patch immediately! #Security #VoIP Link: https://t.co/M8IFmgbN4y #Cybersecurity #Hacking #Exploit #Webshell #System #Patch #Update http

    @dailytechonx

    30 Jan 2026

    40 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. FortiGuard Labs uncovered EncystPHP, a Base64-encoded PHP web shell exploiting FreePBX CVE-2025-64328, enabling root access, SSH backdoors, and persistence through cron jobs in a campaign linked to INJ3CTOR3. #EncystPHP #VoIPHacking #India https://t.co/VwgwVG40kA

    @TweetThreatNews

    30 Jan 2026

    108 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. 🚨 Just in: Our team has identified #EncystPHP, a persistent FreePBX web shell exploiting CVE-2025-64328 to enable long-term administrative compromise. This activity aligns with INJ3CTOR3 campaigns. Learn why unpatched PBX systems remain prime targets. 🔍 Read the blog: http

    @FortiGuardLabs

    29 Jan 2026

    244 Impressions

    2 Retweets

    4 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. FortiGuard Labs analyses EncystPHP, a weaponized web shell delivering remote command execution, persistence and further web shell deployment. It spreads by exploiting FreePBX vulnerability CVE-2025-64328 and is linked to the INJ3CTOR3 actor. https://t.co/Fx2VaLog7o https://t.co/9

    @virusbtn

    29 Jan 2026

    4471 Impressions

    8 Retweets

    28 Likes

    16 Bookmarks

    0 Replies

    4 Quotes

  8. 📢 Unveiling the Weaponized Web Shell EncystPHP • EncystPHP is a web shell with remote command execution, persistence, and web shell deployment capabilities.

    @PurpleOps_io

    28 Jan 2026

    29 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. CVE-2025-64328 Command Injection in FreePBX Endpoint Manager Filestore Module 17.0.2.36 https://t.co/7o5Iuclyx9

    @VulmonFeeds

    7 Nov 2025

    48 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  10. CVE-2025-64328 FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore module within t… https://t.co/Q5X4T6Shnq

    @CVEnew

    7 Nov 2025

    263 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes