CVE-2025-64328
Published 2025-11-07
Priority: P1 (88) · CVSS 3.1: 7.2 (High)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit
CISA Known Exploited Vulnerability, remediation due 2026-02-24
Exploited in the wild
EPSS: 84.42% (99.7th percentile)
FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore module within the Administrative interface is vulnerable to a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to obtain remote access to the system as an asterisk user. This issue is fixed in version 17.0.3.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| freepbx | filestore | — | — |
| sangoma | filestore | >= 17.0.2.36 < 17.0.3 | 17.0.3 |
Detection & IOCs (extracted from sources)
URL: {{BaseURL}}/admin/ajax.php?module=filestore&command=testconnection&driver=SSH&host=127.0.0.1&user={{prefix}}&port=22&key={{prefix}}`{{cmd}}`&path={{prefix}}
Command: exec("ssh-keygen -t ecdsa -b 521 -f $key -N \"\" && chown asterisk:asterisk $key && chmod 600 $key");
- Exploit request targets /admin/ajax.php with module=filestore&command=testconnection&driver=SSH and injects shell command substitution (backtick or $()) into the 'key' parameter
- Look for unexpected ajax.php files in non-standard FreePBX paths such as /var/www/html/digium_phones/, /var/www/html/phones/, /var/www/html/fpbxphones/, /var/www/html/freepbxphones/, /var/www/html/freepbx/, and /var/www/html/admin/assets/ — these are web shell deployment locations used by EncystPHP
- Detect creation of a root-level user named 'newfpbx' with UID 0 via useradd — a strong indicator of EncystPHP post-exploitation persistence
- Monitor for crontab entries downloading content from 45.234.176.202 and saving to /var/lib/asterisk/bin/ (filenames: zen2, devnull2, devnull) — indicative of EncystPHP persistence stages
- Detect presence of license.php under /var/www/html/admin/modules/freepbx_ha/ — this is a malicious persistence file deployed by EncystPHP's test.sh stage
- Detect PHP files containing the string 'Ask Master' in the web root — this is the title of the EncystPHP interactive web shell interface
- Monitor for timestamp-forging activity on FreePBX web files: 'touch <webshell_path> -r <legitimate_file>' pattern used by EncystPHP to evade detection
- The Metasploit module path for this exploit is unix/http/freepbx_filestore_cmd_injection — use this to identify exploitation attempts in proxy/WAF logs
- FreePBX instances can be fingerprinted via Shodan/FOFA using favicon hashes -1908328911 and 1574423538, or page titles 'FreePBX Administration' — use these to identify exposed attack surface
- CVE-2025-64328 is post-authentication — exploitation requires valid FreePBX credentials for a user with access to the filestore module (administrator or low-privilege user in the 'Filestore' group)
- The injected command may execute multiple times due to the vulnerable code structure, potentially resulting in multiple reverse shell sessions
- Affected versions are 17.0.2.36 through 17.0.2.44 (inclusive); the vulnerability was introduced in 17.0.2.36 and patched in 17.0.3
- Commands execute as the 'asterisk' user (web server process privileges), not root — however, EncystPHP subsequently escalates to root via useradd with UID 0
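As a defender-side check for the first detection point above, the following added example (not code from this page, from FreePBX, or from any vendor listed here) scans Apache/Nginx-style access-log lines for requests to the filestore SSH testconnection handler whose host/user/port/key/path parameters carry the same shell metacharacters the Suricata rule on this page matches, raw or percent-encoded. The log lines, timestamps and addresses are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Metacharacters the Suricata rule on this page looks for in the SSH-driver
# parameters: ';', newline, backtick, '|', '$' (raw or percent-encoded).
SHELL_META = re.compile(r"[;\n`|$]")
SSH_PARAMS = ("host", "user", "port", "key", "path")
# Combined log format: client, ident, user, [timestamp], "METHOD URI PROTO", status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def injected_params(uri):
    """Names of SSH-driver params carrying shell metacharacters; [] when clean."""
    parts = urlsplit(uri)
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes once
    if (not parts.path.endswith("/admin/ajax.php") or qs.get("module") != ["filestore"]
            or qs.get("command") != ["testconnection"] or qs.get("driver") != ["SSH"]):
        return []
    # unquote() again so double-encoded bytes (%2560 -> %60 -> `) are caught too
    return [n for n in SSH_PARAMS
            if any(SHELL_META.search(unquote(v)) for v in qs.get(n, []))]

def scan_log(lines):
    """Return (client, timestamp, status, hit_params) for each suspicious request."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        client, ts, _method, uri, status = m.groups()
        hits = injected_params(uri)
        if hits:
            alerts.append((client, ts, int(status), hits))
    return alerts

# Constructed sample access-log lines (not from a real incident): one legitimate
# test, one backtick in 'key', one unrelated module, one $() in 'host'.
_P = "/admin/ajax.php?module=filestore&command=testconnection&driver=SSH"
SAMPLE_LOG = [
    f'10.0.0.5 - - [03/Feb/2026:10:12:01 +0000] "GET {_P}&host=backup.example.internal'
    '&user=asterisk&port=22&key=/home/asterisk/.ssh/id_ecdsa&path=/backups HTTP/1.1" 200 512',
    f'203.0.113.7 - - [03/Feb/2026:10:13:44 +0000] "GET {_P}&host=127.0.0.1&user=a'
    '&port=22&key=/tmp/x%60id%60&path=/tmp HTTP/1.1" 200 77',
    '10.0.0.5 - - [03/Feb/2026:10:14:09 +0000] "GET /admin/ajax.php?module=backup HTTP/1.1" 200 1024',
    f'203.0.113.7 - - [03/Feb/2026:10:15:30 +0000] "GET {_P}&host=%24(id)&user=a'
    '&port=22&key=/tmp/x&path=/tmp HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

Access logs only carry the query string, so parameters sent in a request body are invisible to this check (the Suricata rule above is likewise GET-only); treat it as a triage filter over web logs, not as the only control.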
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 8.6 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | — | 8.6 | HIGH | — |
| cisa | — | 8.6 | HIGH | — |
CISA
Sangoma FreePBX OS Command Injection Vulnerability
cisa · 2026-02-03 · CVSS 8.6 · HIGH · CWE-78
Affected: Sangoma FreePBX
Sangoma FreePBX Endpoint Manager contains an OS command injection vulnerability that could allow for a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to potentially obtain remote access to the system as an asterisk user.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://github.com/FreePBX/security-reporting/security/advisories/GHSA-vm9p-46mv-5xvw ; https://nvd.nist.gov/vuln/detail/CVE-2025-64328
Remediation Due Date: 2026-02-24
VulnCheck
Sangoma FreePBX OS Command Injection Vulnerability
vulncheck · 2025 · CVSS 8.6 · HIGH · CWE-78
Affected: Sangoma FreePBX
Sangoma FreePBX Endpoint Manager contains an OS command injection vulnerability that could allow for a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to potentially obtain remote access to the system as an asterisk user.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.fortinet.com/blog/threat-research/unveiling-the-weaponized-web-shell-encystphp; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabiliti
Suricata
ET WEB_SPECIFIC_APPS FreePBX SSH testconnection Multiple Parameters Command Injection Attempt (CVE-2025-64328)
suricata · 2026-02-03 · CVSS 8.6 · HIGH
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FreePBX SSH testconnection Multiple Parameters Command Injection Attempt (CVE-2025-64328)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/admin/ajax.php|3f|"; startswith; content:"module|3d|filestore"; fast_pattern; content:"command|3d|testconnection"; content:"driver|3d|SSH"; pcre:"/(?:host|user|port|key|path)\x3d[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/"; reference:url,theyhack.me/CVE-2025-64328-FreePBX-Authenticated-Command-Injection/; reference:cve,2025-64328; classtype:attempted-admin; sid:2067278; rev:1; metadata:affected_product
Nuclei
FreePBX >= 17.0.2.36 && < 17.0.3 - Authenticated Command Injection
nuclei · CVSS 8.6 · HIGH
author: _th3y
severity: critical
description: |
  FreePBX Endpoint Manager 17.0.2.36 to < 17.0.3 contains a command injection caused by improper sanitization in filestore module's testconnection check_ssh_connect() function, letting authenticated users execute commands as asterisk user.
impact: |
  Authenticated attackers can execute arbitrary commands as the asterisk user, gaining remote access to the system.
remediation: |
  Upgrade to version 17.0.3 or later.
classification:
  cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  cvss-score: 8.6
  cve-id: CVE-2025-64328
  epss-score: 0.78074
  epss-percentile: 0.99016
  cpe: cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:*
reference:
  - https://github.com/
Metasploit
FreePBX filestore authenticated command injection
metasploit · CVSS 8.6 · HIGH
This module exploits an authenticated command injection vulnerability (CVE-2025-64328) in the FreePBX filestore module. The filestore module allows administrators to configure remote file storage backends (SSH, FTP, etc.) for backup and file management purposes. The vulnerability exists in the SSH driver's testconnection functionality, specifically in the check_ssh_connect() function located at /admin/modules/filestore/drivers/SSH/testconnection.php. The function accepts user-controlled input for the SSH key path parameter, which is then passed unsanitized to exec() calls when generating SSH keys. The vulnerable code executes commands such as: exec("ssh-keygen -t ecdsa -b 521 -f $key -N \"\" && chown asterisk:asterisk $key && chmod 600 $ke
Rapid7
Metasploit Wrap-Up 03/20/2026
blogs_rapid7 · 2026-03-20 · CVSS 8.6 · HIGH
## ♫ I Just Called ♫ To Say ♫ 7f45 4c46 0201 0100 0000 0000 0000 0000 0300 3e00 0100♫
This release contains 2 new exploit modules, 2 enhancements, and 7 bug fixes. Community contributor Chocapikk submitted both exploit modules this release: one targeting AVideo-Encoder’s getImage.php file and another targeting FreePBX. Leading the enhancements is a granularization for LDAP queries allowing the omission of SACL data on security descriptors, as without the proper permissions the entire query of the security descriptor will fail if the SACL data is even just a part of the query.
## New module content (2)
## AVideo Encoder getImage.php Unauthenticated Command Injection
Authors: Valentin Lobstein [email protected] and arkmarta
Type: Exploit
Pull request: #21076 contributed by Chocapikk
P
Fortinet
Unveiling the Weaponized Web Shell EncystPHP | FortiGuard Labs
blogs_fortinet · 2026-01-28 · CVSS 9.8 · CRITICAL
FortiGuard Labs Threat Research
Unveiling the Weaponized Web Shell EncystPHP
A persistent FreePBX web shell enabling long-term administrative compromise
By Vincent Li | January 28, 2026
Affected Platforms: FreePBX Endpoint Manager v17.0.2.36 – v17.0.3
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High
FortiGuard Labs has discovered a web shell that we named “EncystPHP.” It features several advanced capabilities, including remote command execution, persistence mechanisms, and web shell deployment. Incidents were launched in early December
References
- https://github.com/FreePBX/filestore/blob/f0e3983059271efd80b483ec823310ef19a59013/drivers/SSH/testconnection.php#L2
- https://github.com/FreePBX/security-reporting/security/advisories/GHSA-vm9p-46mv-5xvw
- https://www.freepbx.org/watch-what-we-do-with-security-fixes-%f0%9f%91%80
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-64328
- https://www.fortinet.com/blog/threat-research/unveiling-the-weaponized-web-shell-encystphp
Timeline
2025-11-07: Published
2026-02-03: Added to CISA KEV
Exploited in the wild