PT-2025-45402 · Freepbx · Filestore Module+1

Published: 2025-11-05 · Updated: 2026-03-13 · CVE-2025-64328

CVSS v2.0: 9.0 (High), AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

FreePBX versions 17.0.2.36 through 17.0.3

Description

FreePBX Endpoint Manager, a module for managing telephony endpoints, contains a post-authentication command injection flaw within the filestore module of the Administrative interface. This issue, accessible via the testconnection -> check_ssh_connect() function, allows an authenticated user to execute arbitrary commands on the system, potentially gaining remote access as the asterisk user.

Over 900 instances of FreePBX have been compromised globally, with a significant concentration in the U.S., Brazil, and Canada, due to the exploitation of this flaw. The threat actor group INJ3CTOR3 has been actively exploiting this vulnerability since December 2025, deploying a web shell known as EncystPHP. This web shell enables persistent remote command execution, SSH access, and the ability to perform unauthorized telephony operations.

The API Endpoint involved is related to the testconnection function, and the vulnerable parameter is used within the check_ssh_connect() function.

Recommendations

Update to FreePBX version 17.0.3.

Exploit

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2026-02198
CVE-2025-64328
GHSA-VM9P-46MV-5XVW

Affected Products

Freepbx Endpoint Manager
Filestore Module