
Ongoing Web Shell Attacks Hit 900+ FreePBX Systems: INJ3CTOR3 Behind EncystPHP Deployment


Cybercriminals continue to exploit misconfigurations and unpatched VoIP infrastructure, with over 900 Sangoma FreePBX systems confirmed compromised following widespread deployment of EncystPHP, a malicious PHP-based web shell. These intrusions have been attributed to threat activity leveraging a post-authentication command injection vulnerability in FreePBX systems, enabling attackers to gain remote command execution and persistent control.

This campaign demonstrates how attackers—from financially motivated actors to organized intrusion groups—are abusing exposed PBX environments for privilege escalation, unauthorized call activity, long-term persistence, and malware staging. The compromise of FreePBX platforms highlights the evolving threat landscape where communication infrastructure is increasingly targeted for stealth, persistence, and operational misuse.

Background on Malware and Threat Group

Large-Scale FreePBX Compromise

Security telemetry from The Shadowserver Foundation revealed that more than 900 FreePBX instances remain infected with web shells, with infections observed globally across the U.S., Brazil, Canada, Germany, and France. Attackers are exploiting a high-severity command injection weakness to gain authenticated access and execute system-level commands as the asterisk service user.

Once access is gained, adversaries deploy the EncystPHP web shell to establish a persistent foothold on targeted PBX systems.

INJ3CTOR3 Threat Actor

The threat activity cluster known as INJ3CTOR3 has been observed actively compromising FreePBX systems through authenticated command-injection pathways. Threat intelligence reporting shows that the group began exploiting FreePBX administrative functionality in early December 2025, using the platform’s misconfigurations and post-authentication injection opportunities to gain elevated access to vulnerable PBX environments. INJ3CTOR3’s operations reflect a well-structured intrusion approach focused on leveraging enterprise communication infrastructure for command execution and sustained access. Their activity demonstrates a shift toward abusing VoIP and PBX systems as operational assets—enabling them to maintain persistence, perform administrative-level actions, and repurpose these servers as infrastructure for further malicious operations.

EncystPHP Web Shell

Once inside FreePBX environments, attackers deploy EncystPHP, a malicious PHP-based web shell that provides an interactive remote-execution interface. EncystPHP enables command execution under the asterisk service account, granting adversaries meaningful control over PBX functions, file systems, and system-level processes. Reporting shows that EncystPHP allows attackers to upload or modify files, issue arbitrary shell commands, maintain long-term persistence, and even initiate unauthorized outbound PBX calls, effectively turning the compromised system into a controllable remote node within the attacker’s infrastructure. This web shell functions as the primary mechanism that transforms an exploited FreePBX instance into a persistent, fully interactive foothold for ongoing malicious activity.

Vulnerability Details

  • CVE-ID: CVE-2025-64328
  • CVSS Score: 8.6 (High) 
  • EPSS Score: 21.39%
  • Vulnerability: Command injection vulnerability 
  • Affected Product: FreePBX Endpoint Manager 17.0.2.36 prior to 17.0.3

Tactics and Techniques

  • TA0001 – Initial Access – Exploit Public-Facing Application (T1190): ACP exposed to the internet exploited to gain entry.
  • TA0002 – Execution – Command and Scripting Interpreter (T1059): Arbitrary commands executed as the asterisk user.
  • TA0003 – Persistence – Modify System Process / Create or Modify Scripts (T1543): Uploaded .clean.sh may establish persistence.
  • TA0007 – Discovery – File and Directory Discovery (T1083): Attackers enumerate configuration and credential files.
  • TA0006 – Credential Access – Credentials From Database (T1555): Unauthorized ampusers database entries indicate credential manipulation.
  • TA0040 – Impact – Fraudulent Operations / Resource Hijacking (T1499 / T1486): Unauthorized calls (toll fraud) and service disruption.

Infection Chain

Initial Access

  • Attackers authenticate to the FreePBX Administration Panel using compromised or weak credentials.
  • FreePBX instances exposed to the internet increase the likelihood of unauthorized access.

Exploitation

  • Attackers inject crafted parameters into the filestore component, which passes unsanitized input directly to underlying shell commands.
  • Arbitrary command execution is achieved under the asterisk context.

Payload Delivery

  • A malicious PHP web shell, EncystPHP, is downloaded from attacker infrastructure and written to FreePBX directories.
  • EncystPHP provides a lightweight yet powerful interface for remote control.

Execution & Persistence

EncystPHP supports:

  • Remote command execution
  • File manipulation and upload
  • Deployment of additional payloads
  • Initiation of unauthorized outbound call activity

Persistence is maintained through:

  • Hidden or obfuscated PHP files
  • Abuse of FreePBX user-level permissions
  • Repeated reinfection if the underlying vulnerability remains unpatched

Indicators of Compromise (IOCs)

  • File-System IOCs:
    • Missing or modified /etc/freepbx.conf
    • Presence of /var/www/html/.clean.sh
  • Log-Based IOCs:
    • Suspicious POST requests to modular.php
    • Unexpected calls to extension 9998

Impact

1. Unauthorized PBX Control: Attackers gain full operational access to call routing, dialing, and voice infrastructure.

2. Persistence & Lateral Movement: EncystPHP enables attackers to maintain long-term presence and pivot deeper into networks.

3. Malicious Call Activity: Multiple infected systems were observed issuing unauthorized outbound calls.

4. Infrastructure Hijacking: Compromised FreePBX systems can be turned into operational relay points or staging servers.

Mitigation Steps

1. Update FreePBX to version 17.0.3.

2. Limit access to the FreePBX Administrative Control Panel (ACP) to trusted networks only.

3. Search for unauthorized PHP files within FreePBX web directories, and examine logs for suspicious POST requests or unusual admin actions.

4. Remove any unauthorized web shells that the search uncovers.
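The file-system and log-based indicators listed above, together with the hunting in mitigation step 3, can be scripted so that every FreePBX host is checked the same way. The script below is an added example written for this post; it is not code from the original article and not a Sangoma or FreePBX tool. Each check is a function that takes its input path as a parameter, so it can run against the live host, a mounted disk image, or exported logs. The default paths, the combined-format Apache access log, and the Asterisk cdr_csv Master.csv layout (where dst is the third field) are assumptions; adjust them for your deployment. The build_demo_env function creates a throwaway directory of constructed sample data so the sweep can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the original post or from Sangoma/FreePBX:
# a read-only sweep for the indicators listed in the advisory. Every check
# is a function that takes its input path as a parameter, so it can be run
# against the live host, a mounted disk image, or exported logs.
# Assumed (not from the advisory): combined-format Apache access log, and
# the Asterisk cdr_csv Master.csv layout where "dst" is the third field.

# File-system IOCs: /etc/freepbx.conf missing, /var/www/html/.clean.sh present.
check_fs_iocs() {
    conf="${1:-/etc/freepbx.conf}"
    dropper="${2:-/var/www/html/.clean.sh}"
    [ -f "$conf" ] || echo "FS-IOC: $conf is missing"
    [ -e "$dropper" ] && echo "FS-IOC: $dropper is present"
    return 0
}

# Log IOC: POST requests to modular.php in the web server access log.
find_modular_posts() {
    grep -E '"POST [^" ]*/modular\.php' "${1:-/var/log/httpd/access_log}" 2>/dev/null || true
}

# Log IOC: CDR rows whose destination (3rd quoted field) is extension 9998.
find_calls_to_9998() {
    awk -F',' '{ d = $3; gsub(/"/, "", d); if (d == "9998") print }' \
        "${1:-/var/log/asterisk/cdr-csv/Master.csv}" 2>/dev/null || true
}

# Unauthorized PHP: hidden (dot-prefixed) .php/.sh files under the web root,
# plus any .php file modified within the last N days (default 30).
find_suspicious_php() {
    webroot="${1:-/var/www/html}"
    days="${2:-30}"
    {
        find "$webroot" -type f -name '.*' \( -name '*.php' -o -name '*.sh' \)
        find "$webroot" -type f -name '*.php' -mtime -"$days"
    } 2>/dev/null | sort -u
}

# Run every check, echo the findings to stderr, print the finding count.
ioc_sweep() {
    findings=$({
        check_fs_iocs "$1" "$2"
        find_modular_posts "$3"
        find_calls_to_9998 "$4"
        find_suspicious_php "$5"
    })
    [ -n "$findings" ] && printf '%s\n' "$findings" >&2
    printf '%s' "$findings" | grep -c '^' || true
}

# Constructed throwaway tree containing one instance of each indicator
# (made-up sample data, not real artifacts); prints its path.
build_demo_env() {
    d=$(mktemp -d)
    mkdir -p "$d/www" "$d/log"
    # freepbx.conf is deliberately absent.
    printf '#!/bin/sh\n# constructed sample\n' > "$d/www/.clean.sh"
    printf '<?php /* constructed legitimate file */ ?>\n' > "$d/www/index.php"
    touch -t 202001010000 "$d/www/index.php"             # old: must not be flagged
    printf '<?php /* constructed hidden file */ ?>\n' > "$d/www/.enc.php"
    printf '%s\n' \
      '203.0.113.5 - - [10/Dec/2025:10:00:01 +0000] "GET /admin/index.php HTTP/1.1" 200 512' \
      '203.0.113.5 - - [10/Dec/2025:10:00:12 +0000] "POST /admin/modular.php HTTP/1.1" 200 40' \
      > "$d/log/access_log"
    printf '%s\n' \
      '"","1001","2002","from-internal"' \
      '"","1001","9998","from-internal"' \
      > "$d/log/Master.csv"
    echo "$d"
}

# Usage: sh sweep.sh --demo   (runs against the constructed sample tree)
case "${1:-}" in
    --demo)
        D=$(build_demo_env)
        ioc_sweep "$D/freepbx.conf" "$D/www/.clean.sh" "$D/log/access_log" "$D/log/Master.csv" "$D/www"
        rm -rf "$D"
        ;;
esac
```

On a real host, call ioc_sweep with no arguments for the defaults or pass the paths of exported logs; the finding count is printed on stdout and the individual hits on stderr, so the script slots into a cron job or a fleet-wide SSH loop. The modified-within-N-days heuristic will also flag legitimate module updates, so compare any hit against your change records before treating it as a shell. On the constructed sample tree the sweep reports six findings: the missing config, the .clean.sh file (once as a file-system IOC and once as a hidden script), the hidden .enc.php, one POST to modular.php, and one call to 9998.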

Visual Flow

Authenticated Access -> Command Injection -> EncystPHP Deployment ->
Remote Command Execution & Persistence -> Outbound Calls / Lateral Movement / Payload Staging

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.