Ongoing Web Shell Attacks Hit 900+ FreePBX Systems: INJ3CTOR3 Behind EncystPHP Deployment

Mar 1, 2026 | By Padmashree P | 5 min read

Cybercriminals continue to exploit misconfigurations and unpatched VoIP infrastructure, with over 900 Sangoma FreePBX systems confirmed compromised following widespread deployment of EncystPHP, a malicious PHP-based web shell. These intrusions have been attributed to threat activity leveraging a post-authentication command injection vulnerability in FreePBX systems, enabling attackers to gain remote command execution and persistent control.

This campaign demonstrates how attackers—from financially motivated actors to organized intrusion groups—are abusing exposed PBX environments for privilege escalation, unauthorized call activity, long-term persistence, and malware staging. The compromise of FreePBX platforms highlights the evolving threat landscape where communication infrastructure is increasingly targeted for stealth, persistence, and operational misuse.

Background on Malware and Threat Group

Large-Scale FreePBX Compromise

Security telemetry from The Shadowserver Foundation revealed that more than 900 FreePBX instances remain infected with web shells, with infections observed globally across the U.S., Brazil, Canada, Germany, and France. Attackers are exploiting a high-severity command injection weakness to gain authenticated access and execute system-level commands as the asterisk service user.

Once access is gained, adversaries deploy the EncystPHP web shell to establish a persistent foothold on targeted PBX systems.

INJ3CTOR3 Threat Actor

The threat activity cluster known as INJ3CTOR3 has been observed actively compromising FreePBX systems through authenticated command-injection pathways. Threat intelligence reporting shows that the group began exploiting FreePBX administrative functionality in early December 2025, using the platform’s misconfigurations and post-authentication injection opportunities to gain elevated access to vulnerable PBX environments. INJ3CTOR3’s operations reflect a well-structured intrusion approach focused on leveraging enterprise communication infrastructure for command execution and sustained access. Their activity demonstrates a shift toward abusing VoIP and PBX systems as operational assets—enabling them to maintain persistence, perform administrative-level actions, and repurpose these servers as infrastructure for further malicious operations.

EncystPHP Web Shell

Once inside FreePBX environments, attackers deploy EncystPHP, a malicious PHP-based web shell that provides an interactive remote-execution interface. EncystPHP enables command execution under the asterisk service account, granting adversaries meaningful control over PBX functions, file systems, and system-level processes. Reporting shows that EncystPHP allows attackers to upload or modify files, issue arbitrary shell commands, maintain long-term persistence, and even initiate unauthorized outbound PBX calls, effectively turning the compromised system into a controllable remote node within the attacker's infrastructure. This web shell is the primary mechanism that transforms an exploited FreePBX instance into a persistent, fully interactive foothold for ongoing malicious activity.

Vulnerability Details

  • CVE-ID: CVE-2025-64328
  • CVSS Score: 8.6 (High)
  • EPSS Score: 21.39%
  • Vulnerability: Command injection vulnerability
  • Affected Product: FreePBX Endpoint Manager 17.0.2.36 prior to 17.0.3

Tactics and Techniques

  • TA0001 – Initial Access – Exploit Public-Facing Application (T1190): ACP exposed to the internet exploited to gain entry.
  • TA0002 – Execution – Command and Scripting Interpreter (T1059): Arbitrary commands executed as the asterisk user.
  • TA0003 – Persistence – Modify System Process / Create or Modify Scripts (T1543): Uploaded .clean.sh may establish persistence.
  • TA0007 – Discovery – File and Directory Discovery (T1083): Attackers enumerate configuration and credential files.
  • TA0006 – Credential Access – Credentials From Database (T1555): Unauthorized ampusers database entries indicate credential manipulation.
  • TA0040 – Impact – Fraudulent Operations / Resource Hijacking (T1499 / T1486): Unauthorized calls (toll fraud) and service disruption.

Infection Chain

Initial Access

  • Attackers authenticate to the FreePBX Administration Panel using compromised or weak credentials.
  • FreePBX instances exposed to the internet increase the likelihood of unauthorized access.

Exploitation

  • Attackers inject crafted parameters into the filestore component, which passes unsanitized input directly to underlying shell commands.
  • Arbitrary command execution is achieved under the asterisk context.

Payload Delivery

  • A malicious PHP web shell, EncystPHP, is downloaded from attacker infrastructure and written to FreePBX directories.
  • EncystPHP provides a lightweight yet powerful interface for remote control.

Execution & Persistence

EncystPHP supports:

  • Remote command execution
  • File manipulation and upload
  • Deployment of additional payloads
  • Initiation of unauthorized outbound call activity

Persistence is maintained through:

  • Hidden or obfuscated PHP files
  • Abuse of FreePBX user-level permissions
  • Repeated reinfection if the underlying vulnerability remains unpatched

Indicators of Compromise (IOCs)

  • File-System IOCs:
    • Missing or modified /etc/freepbx.conf
    • Presence of /var/www/html/.clean.sh
  • Log-Based IOCs:
    • Suspicious POST requests to modular.php
    • Unexpected calls to extension 9998

Impact

1. Unauthorized PBX Control: Attackers gain full operational access to call routing, dialing, and voice infrastructure.

2. Persistence & Lateral Movement: EncystPHP enables attackers to maintain long-term presence and pivot deeper into networks.

3. Malicious Call Activity: Multiple infected systems were observed issuing unauthorized outbound calls.

4. Infrastructure Hijacking: Compromised FreePBX systems can be turned into operational relay points or staging servers.

Mitigation Steps

1. Update FreePBX version to 17.0.3.

2. Limit access to the FreePBX Administrative Control Panel (ACP) to trusted networks only.

3. Search for unauthorized PHP files within FreePBX web directories, and examine logs for suspicious POST requests or unusual admin actions.

4. Remove any unauthorized web shells that are found.
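To turn the IOCs listed above and mitigation step 3 into a repeatable check, here is an added example (written for this page, not code from SecPod or the FreePBX project) that scans constructed Apache access-log and Asterisk CDR samples for the two log-based indicators and tests for the two file-system indicators. The access-log format, the CDR column order (src, dst, disposition) and the trusted management range are assumptions; on a real host, feed it the actual log files and run it against `/`.

```python
import re
from pathlib import Path

# Constructed sample Apache access-log lines (not from any real system).
ACCESS_LOG = """\
203.0.113.7 - - [01/Mar/2026:02:14:09 +0000] "POST /admin/modular.php HTTP/1.1" 200 512
10.0.0.5 - - [01/Mar/2026:02:15:01 +0000] "GET /admin/config.php HTTP/1.1" 200 2048
203.0.113.7 - - [01/Mar/2026:02:15:30 +0000] "POST /admin/modular.php HTTP/1.1" 200 77
"""

# Constructed Asterisk CDR rows; assumed column order: src, dst, disposition.
CDR_CSV = """\
"1001","1002","ANSWERED"
"1001","9998","ANSWERED"
"1003","9998","NO ANSWER"
"""

TRUSTED_NETS = ("10.",)  # hypothetical management range allowed to reach the ACP
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')

def suspicious_modular_posts(log_text, trusted_prefixes=TRUSTED_NETS):
    """(ip, timestamp) for every POST to modular.php from outside trusted ranges."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, _status = m.groups()
        if method == "POST" and path.endswith("/modular.php") \
                and not ip.startswith(trusted_prefixes):
            hits.append((ip, ts))
    return hits

def calls_to_9998(cdr_text):
    """(src, dst, disposition) for every CDR row whose destination is 9998."""
    rows = []
    for line in cdr_text.splitlines():
        fields = [f.strip('"') for f in line.split(",")]
        if len(fields) >= 3 and fields[1] == "9998":
            rows.append(tuple(fields[:3]))
    return rows

def filesystem_indicators(root="/"):
    """Check the two file-system IOCs from the advisory beneath `root`."""
    root = Path(root)
    return {
        "freepbx_conf_missing": not (root / "etc/freepbx.conf").is_file(),
        "clean_sh_present": (root / "var/www/html/.clean.sh").is_file(),
    }
```

A non-empty result from either log check, or a True value from the file-system check, is a trigger for the web-directory sweep in step 3 rather than proof of compromise on its own.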

Visual Flow

Authenticated Access -> Command Injection -> EncystPHP Deployment -> Remote Command Execution & Persistence -> Outbound Calls / Lateral Movement / Payload Staging

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.
