Threat actors were able to obtain total administrative control over compromised VoIP systems through a sophisticated attack campaign that used a critical FreePBX vulnerability to deploy a persistent webshell known as "EncystPHP." Launched in early December 2025, the campaign takes advantage of CVE-2025-64328, a post-authentication command-injection vulnerability in the administrative interface of the FreePBX Endpoint Manager. INJ3CTOR3, a financially motivated hacker group that was first discovered in 2020 when they targeted CVE-2019-19006 in FreePBX systems, is blamed for the malicious activity.
The threat actor changed their strategy in 2022 by concentrating on Elastix systems and taking advantage of CVE-2021-45461.
The group has consistently demonstrated a pattern of targeting VoIP infrastructure for monetization purposes, primarily through unauthorized call generation and toll fraud. Organizations running unpatched FreePBX systems should treat any successful exploitation as a complete compromise that calls for prompt remediation, thorough monitoring, and security hardening. The event demonstrates that VoIP and PBX systems continue to be valuable targets for threat actors looking to profit from unauthorized access through toll fraud and misuse of phone resources.
Indicators of Compromise (IoCs)

Type | Indicator | Description
URL | hxxp://45[.]234[.]176[.]202/new/c | EncystPHP dropper download URL
URL | hxxp://45[.]234[.]176[.]202/new/k.php | Secondary dropper download location
Domain | crm[.]razatelefonia[.]pro | Malicious domain resolving to the C2 server
IPv4 | 45[.]234[.]176[.]202 | Command-and-control server IP address
IPv4 | 187[.]108[.] (truncated in source) |
SHA256 | 71d94479d58c32d5618ca1e2329d8fa62f930e0612eb108ba3298441c6ba0302 | EncystPHP webshell component
SHA256 | 7e3a47e3c6b82eb02f6f1e4be6b8de4762194868a8de8fc9103302af7915c574 | Dropper component
SHA256 | fc514c45fa8e3a49f003eae4e0c8b6a523409b8341503b529c85ffe396bb74f2 | Persistence script
SHA256 | 285fac34a5ffdac7cb047d412862e1ca5e091e70c0ac0383b71159fdd0d20bb2 | Configuration component
SHA256 | 29d74963f99563e711e5db39261df759f76da6893f3ca71a4704b9ee2b26b8c7 | Additional malicious component
File Path | /var/www/html/admin/views/ajax.php | Primary webshell deployment location
File Path | /var/www/html/rest_phones/ajax.php | Alternate webshell deployment location
File Path | /var/www/html/admin/modules/core/ajax.php | Webshell persistence location
User Account | Newfpbx | Malicious root-level user account
CVE | CVE-2025-64328 | Exploited FreePBX vulnerability
Detection | PHP/EncystPHP.A!tr | FortiGuard Antivirus signature
Detection | BASH/EncystPHP.A!tr | FortiGuard Antivirus signature
IPS Signature | 59448 | FreePBX.Administration.GUI.filestore.Command.Injection
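As an added example (not code from the article or from the cited research), the following Python hunting script checks a FreePBX host for the indicators in the table: the three webshell drop locations, the listed SHA256 hashes, and the malicious account. The hashes, paths and account name are the article's; treating any non-root uid-0 entry in /etc/passwd as a finding is my own generalisation of the "root-level user account" description.

```python
"""Hunt a FreePBX host for the EncystPHP IoCs listed above (added example,
not the article's code; hashes, paths and account name are the article's)."""
import hashlib
import os

IOC_SHA256 = {  # SHA256 -> component, from the IoC table
    "71d94479d58c32d5618ca1e2329d8fa62f930e0612eb108ba3298441c6ba0302": "EncystPHP webshell",
    "7e3a47e3c6b82eb02f6f1e4be6b8de4762194868a8de8fc9103302af7915c574": "dropper",
    "fc514c45fa8e3a49f003eae4e0c8b6a523409b8341503b529c85ffe396bb74f2": "persistence script",
    "285fac34a5ffdac7cb047d412862e1ca5e091e70c0ac0383b71159fdd0d20bb2": "configuration",
    "29d74963f99563e711e5db39261df759f76da6893f3ca71a4704b9ee2b26b8c7": "additional component",
}
IOC_PATHS = [  # webshell drop and persistence locations from the IoC table
    "/var/www/html/admin/views/ajax.php",
    "/var/www/html/rest_phones/ajax.php",
    "/var/www/html/admin/modules/core/ajax.php",
]
IOC_ACCOUNT = "newfpbx"  # listed as "Newfpbx"; matched case-insensitively


def sha256_of(path):
    """Stream the file so large artifacts need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_files(paths=IOC_PATHS):
    """Map each existing candidate path to 'hash-match:<component>' when its
    digest is a listed IoC, else 'present': a file at a known drop location
    deserves review even if it was modified after deployment."""
    findings = {}
    for p in paths:
        if os.path.isfile(p):
            digest = sha256_of(p)
            findings[p] = ("hash-match:" + IOC_SHA256[digest]
                           if digest in IOC_SHA256 else "present")
    return findings


def find_ioc_accounts(passwd_text, name=IOC_ACCOUNT):
    """Return (user, uid) for the named account and for any other non-root
    uid-0 entry (my generalisation of the article's 'root-level account')."""
    hits = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and (f[0].lower() == name.lower()
                            or (f[2] == "0" and f[0] != "root")):
            hits.append((f[0], f[2]))
    return hits
```

Run `scan_files()` and `find_ioc_accounts(open("/etc/passwd").read())` as root on the PBX host; an empty result only means these specific indicators are absent, not that the host is clean.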