CVE-2025-64328
Published Nov 7, 2025
Last updated a month ago
- Description: FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore module within the Administrative interface is vulnerable to a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to obtain remote access to the system as an asterisk user. This issue is fixed in version 17.0.3.
- Source: security-advisories@github.com
- NVD status: Analyzed
- Products: firestore
CVSS 4.0
- Type: Secondary
- Base score: 8.6
- Impact score: -
- Exploitability score: -
- Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity: HIGH
CVSS 3.1
- Type: Primary
- Base score: 7.2
- Impact score: 5.9
- Exploitability score: 1.2
- Vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- Severity: HIGH
Data from CISA
- Vulnerability name: Sangoma FreePBX OS Command Injection Vulnerability
- Exploit added on: Feb 3, 2026
- Exploit action due: Feb 24, 2026
- Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- security-advisories@github.com: CWE-78
- Hype score: Not currently trending
🛡️ Security Alert: OS Command Injection Vulnerability in Sangoma FreePBX (CVE-2025-64328) Sangoma FreePBX Endpoint Manager contains an OS command injection vulnerability that allows post-authentication remote command execution by known users
@CiberPlanetaOrg
16 Mar 2026
4 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2025-64328 - critical 🚨 FreePBX >= 17.0.2.36 && < 17.0.3 - Authenticated Command Injection > FreePBX Endpoint Manager 17.0.2.36 to < 17.0.3 contains a command injection caused by... 👾 https://t.co/19ufDkdsM5 @pdnuclei #NucleiTemplate...
@pdnuclei_bot
13 Mar 2026
191 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
csirt_it: ‼️ #Exploited #FreePBX: active exploitation detected of vulnerability CVE-2025-64328, of type #RCE Risk: 🟠 Type 🔸 Remote Code Execution 🔗 https://t.co/4fNwfFzWFD 🔄 Updates available 🔄 https://t.co/D9OdGmufOs
@Vulcanux_
3 Mar 2026
83 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Sangoma FreePBX Security Advisory: CVE-2025-64328 Exploitation [High] Mar 03, 2026 Checkout our Threat Intelligence Platform: https://t.co/QuwNtEhw6z https://t.co/QuwNtEhw6z #ThreatIntelligence #CyberSecurity #Innovation #LLM https://t.co/xeYvclw8NP
@transilienceai
3 Mar 2026
13 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
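BlackCat and BQT.Lock remain active in the ransomware RaaS ecosystem. CVE-2025-64328 in FreePBX is being exploited and web shell deployment is under way. No new primary breaking-news threats detected in the last 12 hours.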
@01ra66it
3 Mar 2026
356 Impressions
1 Retweet
1 Like
1 Bookmark
0 Replies
0 Quotes
🚨 900+ FreePBX Servers Still Backdoored After CVE-2025-64328 Exploitation Over 900 Sangoma FreePBX instances remain compromised with web shells after attackers abused the post-auth command-injection flaw CVE-2025-64328 in the Endpoint Manager filestore module to execute comman
@ThreatSynop
2 Mar 2026
106 Impressions
1 Retweet
1 Like
0 Bookmarks
0 Replies
0 Quotes
Top 5 Trending CVEs: 1 - CVE-2025-27363 2 - CVE-2026-21509 3 - CVE-2026-25253 4 - CVE-2025-10891 5 - CVE-2025-64328 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W
@CVEShield
2 Mar 2026
157 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
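Sangoma FreePBX, widely used as an enterprise IP telephony platform, has had a serious vulnerability exploited, and about 900 systems remain compromised. Attackers abuse post-authentication command injection to install web shells and maintain long-term control. The issue is CVE-20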
@yousukezan
1 Mar 2026
3063 Impressions
11 Retweets
24 Likes
5 Bookmarks
0 Replies
0 Quotes
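About 900 FreePBX instances have web shells installed that appear to result from exploitation of CVE-2025-64328. Reported by the Shadowserver Foundation. About 400 are in the United States, with Brazil, Canada, Germany, France, the United Kingdom, Italy,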
@__kokumoto
1 Mar 2026
935 Impressions
1 Retweet
3 Likes
1 Bookmark
0 Replies
0 Quotes
Hundreds of Sangoma FreePBX systems remain infected with web shells due to a command injection vulnerability (CVE-2025-64328). Attackers can execute commands on the host system, potentially gaining remote access. If you use FreePBX versions 17.0.2.36 or earlier, update to version
@cybernewslive
1 Mar 2026
141 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Minecraft source code just leaked on 4chan. 900 FreePBX instances actively exploited via CVE-2025-64328. Samsung forced to stop collecting Texans' TV data without consent. 15 new open-source CVEs with public PoC. Full daily brief: https://t.co/VvP6nJn6hI
@KTLYST_labs
1 Mar 2026
269 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-64328 exploitation impacts 900 #Sangoma #FreePBX instances https://t.co/tctnTtQRuK #securityaffairs #hacking
@securityaffairs
1 Mar 2026
422 Impressions
2 Retweets
5 Likes
1 Bookmark
0 Replies
0 Quotes
🚨 CYBERDUDEBIVASH SENTINEL APEX ALERT 🚨 Threat: CVE-2025-64328 exploitation impacts 900 Sangoma FreePBX instances Intel Report: https://t.co/4ik6AIa0vX
@cyberbivash
1 Mar 2026
126 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-64328 exploited to compromise 900 Sangoma FreePBX instances, installing web shells; attacks since Dec 2025 leave hundreds still infected. #VoIP #CVE https://t.co/zHE8tDKW6Y
@threatcluster
1 Mar 2026
130 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-64328 exploitation impacts 900 Sangoma FreePBX instances https://t.co/qq7VjhGAyW
@Dinosn
1 Mar 2026
2297 Impressions
7 Retweets
18 Likes
7 Bookmarks
2 Replies
0 Quotes
🚨 900+ Sangoma FreePBX Servers Still Compromised After CVE-2025-64328 Exploitation Security Affairs reports 900+ Sangoma FreePBX instances remain infected with web shells after attackers exploited post-auth command injection flaw CVE-2025-64328 (patched in FreePBX 17.0.3) sinc
@ThreatSynop
1 Mar 2026
131 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-64328 Exploitation Campaign: A Global Threat to Sangoma FreePBX Systems https://t.co/vopP1HEOCU
@EthHackingNews
1 Mar 2026
153 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-64328 exploitation impacts 900 Sangoma FreePBX instances https://t.co/eVCdKwPJ2S
@hackplayers
1 Mar 2026
679 Impressions
1 Retweet
1 Like
1 Bookmark
0 Replies
0 Quotes
[Security Affairs] CVE-2025-64328 exploitation impacts 900 Sangoma FreePBX instances. About 900 Sangoma FreePBX systems were infected with web shells after attackers exploited a command injection flaw. Hundreds of Sangoma FreePBX instances are still... https://t.co/W442m3RArh
@shah_sheikh
1 Mar 2026
117 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-64328 exploitation impacts 900 Sangoma FreePBX instances https://t.co/4uLLtiJsKT #Uncategorized https://t.co/5ajGUfFqyg
@evanderburg
1 Mar 2026
138 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-64328 exploitation impacts 900 Sangoma FreePBX instances: About 900 Sangoma FreePBX systems were infected with web shells after attackers exploited a command injection flaw. Hundreds of Sangoma FreePBX instances are still infected with web… https://t.co/QO9Id8ZdsB http
@shah_sheikh
1 Mar 2026
118 Impressions
1 Retweet
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-64328 exploitation impacts 900 Sangoma FreePBX instances https://t.co/tctnTtQRuK #securityaffairs #hacking
@securityaffairs
1 Mar 2026
435 Impressions
3 Retweets
7 Likes
1 Bookmark
0 Replies
0 Quotes
Over 900 FreePBX instances compromised via CVE-2025-64328. Update now to secure your systems! Link: https://t.co/oMjWns3wOK #Security #Vulnerability #Update #Systems #Compromised #FreePBX #CVE #Cyberattack #Exploit #Patch #Software #IT #Network #Protection #Hack #Technology https
@dailytechonx
28 Feb 2026
11 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
900+ Sangoma FreePBX instances remain infected with EncystPHP web shells after exploitation of CVE-2025-64328 started in Dec 2025. Threat actor INJ3CTOR3 linked to attacks enabling arbitrary commands and outbound calls. #INJ3CTOR3 #EncystPHP #FreePBX https://t.co/sGR4RIhsSG
@TweetThreatNews
28 Feb 2026
160 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 900+ FreePBX Servers Still Compromised CVE-2025-64328: Command injection in Sangoma FreePBX deploys EncystPHP web shells. 401 in US alone. Toll fraud, call interception, lateral movement. Patch → 17.0.3 Detection rules + IOCs: https://t.co/JL1zsoO2Pv #VoIPSecurity
@TheInsider_x
28 Feb 2026
103 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Approximately 900 Sangoma FreePBX phone systems remain infected with web shells after attackers exploited a command injection flaw (CVE-2025-64328). The hacking group INJ3CTOR3 has been actively exploiting this since December 2025, allowing unauthorized remote command execution.
@cybernewslive
27 Feb 2026
71 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 900+ Sangoma FreePBX Servers Still Backdoored After CVE-2025-64328 Web-Shell Exploits Shadowserver reports 900+ Sangoma FreePBX instances remain infected with web shells after attackers exploited CVE-2025-64328 (post-auth command injection) starting in December 2025, with th
@ThreatSynop
27 Feb 2026
41 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 WARNING: ~900 Sangoma FreePBX systems remain compromised via CVE-2025-64328, a command injection bug patched in 17.0.3. The flaw allows authenticated shell access. Fortinet links the activity to INJ3CTOR3 deploying EncystPHP. Patch and restrict ad... https://t.co/o7QbhUSjdj
@IT_news_for_all
27 Feb 2026
1 Impression
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 WARNING: ~900 Sangoma FreePBX systems remain compromised via CVE-2025-64328, a command injection bug patched in 17.0.3. The flaw allows authenticated shell access. Fortinet links the activity to INJ3CTOR3 deploying EncystPHP. Patch and restrict ad... https://t.co/cp1KtYj3rU
@IT_news_for_all
27 Feb 2026
34 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 WARNING: ~900 Sangoma FreePBX systems remain compromised via CVE-2025-64328, a command injection bug patched in 17.0.3. The flaw allows authenticated shell access. Fortinet links the activity to INJ3CTOR3 deploying EncystPHP. Patch and restrict admin access. 🔗 Read →
@TheHackersNews
27 Feb 2026
6109 Impressions
17 Retweets
50 Likes
7 Bookmarks
1 Reply
2 Quotes
About 900 Sangoma FreePBX instances remain infected with EncystPHP web shells after exploitation of CVE-2025-64328. INJ3CTOR3 used the filestore module flaw to maintain persistence since Dec 2025. #INJ3CTOR3 #EncystPHP #FreePBX https://t.co/rYtwpVaDJm
@TweetThreatNews
27 Feb 2026
75 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Hackers exploited CVE-2025-64328, a FreePBX command injection vulnerability, to infect hundreds of instances with web shells. https://t.co/olDuRWfgyZ
@EduardKovacs
27 Feb 2026
52 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Active exploitation detected 📦 Product: FreePBX 🆔 Vuln: CVE-2025-64328 A post-authentication command injection vulnerability allows an authenticated attacker to gain remote system access. ⚠️ Mitigation: Apply security patches immediately. 📈 Score: 8.6 🔗
@XavSecOps
22 Feb 2026
82 Impressions
0 Retweets
0 Likes
0 Bookmarks
2 Replies
0 Quotes
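🚨 FreePBX targeted by hacker group INJ3CTOR3, which uses the CVE-2025-64328 command injection vulnerability to implant the EncystPHP web shell, using VoIP systems as a springboard for enterprise intrusion ref:https://t.co/GPNrF4WbJi @PTTNetSecurity @cheng527 @Military_idv_tw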
@lfcba8178
17 Feb 2026
48 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
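[Unveiling the weaponized web shell "EncystPHP"] A detailed look at the stealthy web shell that exploits FreePBX vulnerability CVE-2025-64328. This threat, which blends in with legitimate FreePBX and Elastix components and leads to persistence and abuse of call resources,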
@FortinetJapan
16 Feb 2026
418 Impressions
3 Retweets
6 Likes
3 Bookmarks
0 Replies
0 Quotes
Just published: Critical Analysis CVE-2025-64328 - Sangoma FreePBX OS Command Injection.... Practical security guidance from the trenches. Read more: https://t.co/wwAtSpZfaf
@TomarPrateek23
8 Feb 2026
52 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
New security insights: Critical Analysis CVE-2025-64328 - Sangoma FreePBX OS Command Injection.... Fresh perspectives on defensive strategies. Read more: https://t.co/IDir9aIaDi
@TomarPrateek23
6 Feb 2026
49 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CISA KEV (exploited): SolarWinds Web Help Desk CVE-2025-40551 (RCE) + FreePBX CVE-2019-19006 (auth bypass) and CVE-2025-64328 (cmd inj). If you operate it in MX, prioritize patching/mitigation today. https://t.co/Qx2MUYiM2S #Ciberseguridad #Mexico
@BotBauR
4 Feb 2026
46 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Added to KEV: CVE-2019-19006 Sangoma FreePBX CVE-2021-39935 GitLab Community and Enterprise Editions CVE-2025-40551 SolarWinds Web Help Desk CVE-2025-64328 Sangoma FreePBX
@papa_anniekey
4 Feb 2026
613 Impressions
0 Retweets
4 Likes
1 Bookmark
0 Replies
0 Quotes
‼️ CISA has added 4 vulnerabilities to the KEV Catalog https://t.co/9idGUAHIKd CVE-2025-40551: SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability CVE-2019-19006: Sangoma FreePBX Improper Authentication Vulnerability CVE-2025-64328: Sangoma FreePBX OS
@DarkWebInformer
3 Feb 2026
3051 Impressions
4 Retweets
17 Likes
5 Bookmarks
1 Reply
0 Quotes
🚨 CVE-2025-64328 (CVSS 8.6): FreePBX Administration GUI is Vulnerable to Authenticated Command Injection FreePBX is vulnerable to authenticated command injection in the Endpoint Manager’s filestore module via `testconnection → check_ssh_connect()`, allowing attackers to h
@zoomeye_team
2 Feb 2026
2338 Impressions
12 Retweets
31 Likes
14 Bookmarks
0 Replies
0 Quotes
On EncystPHP, the web shell installed via FreePBX vulnerability CVE-2025-64328. Reported by Fortinet. Believed to be attack activity by the hacker group INJ3CTOR3. https://t.co/j8Vtnf0EIn
@__kokumoto
2 Feb 2026
762 Impressions
0 Retweets
4 Likes
3 Bookmarks
1 Reply
0 Quotes
INJ3CTOR3 hackers target FreePBX with EncystPHP web shell via CVE-2025-64328. Malware uses cron jobs for persistence. Patch immediately. #EncystPHP #FreePBX #CyberSecurity #VoIP #InfoSec #Malware #CVE202564328 #INJ3CTOR3 https://t.co/0TghcJvgSp
@the_yellow_fall
2 Feb 2026
197 Impressions
1 Retweet
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Alert: Critical #FreePBX vulnerability (CVE-2025-64328) exploited by INJ3CTOR3 group to deploy EncystPHP webshell, granting full system control. Patch immediately! #Security #VoIP Link: https://t.co/M8IFmgbN4y #Cybersecurity #Hacking #Exploit #Webshell #System #Patch #Update http
@dailytechonx
30 Jan 2026
40 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
FortiGuard Labs uncovered EncystPHP, a Base64-encoded PHP web shell exploiting FreePBX CVE-2025-64328, enabling root access, SSH backdoors, and persistence through cron jobs in a campaign linked to INJ3CTOR3. #EncystPHP #VoIPHacking #India https://t.co/VwgwVG40kA
@TweetThreatNews
30 Jan 2026
108 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Just in: Our team has identified #EncystPHP, a persistent FreePBX web shell exploiting CVE-2025-64328 to enable long-term administrative compromise. This activity aligns with INJ3CTOR3 campaigns. Learn why unpatched PBX systems remain prime targets. 🔍 Read the blog: http
@FortiGuardLabs
29 Jan 2026
244 Impressions
2 Retweets
4 Likes
0 Bookmarks
0 Replies
0 Quotes
FortiGuard Labs analyses EncystPHP, a weaponized web shell delivering remote command execution, persistence and further web shell deployment. It spreads by exploiting FreePBX vulnerability CVE-2025-64328 and is linked to the INJ3CTOR3 actor. https://t.co/Fx2VaLog7o https://t.co/9
@virusbtn
29 Jan 2026
4471 Impressions
8 Retweets
28 Likes
16 Bookmarks
0 Replies
4 Quotes
📢 Unveiling the Weaponized Web Shell EncystPHP • EncystPHP is a web shell with remote command execution, persistence, and web shell deployment capabilities.
@PurpleOps_io
28 Jan 2026
29 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-64328 Command Injection in FreePBX Endpoint Manager Filestore Module 17.0.2.36 https://t.co/7o5Iuclyx9
@VulmonFeeds
7 Nov 2025
48 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-64328 FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore module within t… https://t.co/Q5X4T6Shnq
@CVEnew
7 Nov 2025
263 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:sangoma:firestore:*:*:*:*:*:freepbx:*:*",
            "matchCriteriaId": "41B1933F-7231-43F4-8C33-FBF1E2519CD5",
            "versionEndExcluding": "17.0.3",
            "versionStartIncluding": "17.0.2.36",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]