Over 900 Sangoma FreePBX Systems Still Infected in Web Shell Attacks
Shadowserver Foundation reports 900+ FreePBX instances compromised via command injection flaw since December 2025, with 401 in the U.S. alone.
Ongoing Web Shell Attacks Target Sangoma FreePBX Systems
The Shadowserver Foundation has identified over 900 Sangoma FreePBX instances still infected with web shells, stemming from attacks exploiting a command injection vulnerability that began in December 2025. Of the compromised systems, 401 are located in the U.S., followed by 51 in Brazil, 43 in Canada, 40 in Germany, and 36 in France. The nonprofit organization confirmed these compromises are likely part of a sustained campaign.
Technical Details
The attacks exploit a command injection flaw in Sangoma FreePBX, a widely used open-source PBX (Private Branch Exchange) platform for VoIP communications, on instances that have not been patched. Threat actors deploy web shells, malicious scripts that provide persistent remote access, to maintain control over compromised systems. While the exact CVE identifier has not been disclosed, the vulnerability allows attackers to execute arbitrary commands on affected instances.
Impact Analysis
The widespread compromise of FreePBX systems poses significant risks, including:
- Unauthorized access to VoIP communications and sensitive call data
- Lateral movement within networks hosting the compromised PBX instances
- Potential for further malware deployment, including ransomware or data exfiltration tools
- Disruption of business communications, particularly for organizations relying on VoIP services
The geographic distribution of infections suggests a globally targeted campaign, with a notable concentration in North America and Europe.
Recommendations for Security Teams
Security professionals managing Sangoma FreePBX deployments should:
- Immediately isolate and investigate any systems exhibiting suspicious activity.
- Apply the latest security patches from Sangoma to mitigate the command injection vulnerability.
- Scan for web shells using tools like ClamAV, YARA, or specialized web shell detection scripts.
- Review access logs for signs of unauthorized command execution or remote access.
- Enforce strict network segmentation to limit lateral movement if a PBX system is compromised.
- Monitor for unusual VoIP traffic that may indicate data exfiltration or further exploitation.
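As an added illustration of the web shell scanning and log review steps above (this is example code, not from the article or from Sangoma), the following Python scanner applies two defender-side heuristics to constructed samples: it flags PHP source where an execution sink is fed directly from request input or an obfuscation layer, and it flags access-log entries whose request target contains shell metacharacters. The patterns, file names, paths and log lines are assumptions for illustration, not indicators taken from this campaign.

```python
import re
from typing import Dict, List

# Heuristic web-shell indicator: a code- or command-execution sink fed directly from
# request input or from an obfuscation layer. Generic heuristics (assumed), not a
# signature for the campaign described in the article, which discloses none.
SINKS = r"\b(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open)"
SOURCES = r"(?:\$_(?:GET|POST|REQUEST|COOKIE)|base64_decode|gzinflate|str_rot13)"
SHELL_RE = re.compile(SINKS + r"\s*\(\s*" + SOURCES, re.IGNORECASE)

# Shell metacharacters, raw or URL-encoded, inside the request target of an access-log
# entry: a crude signal of command-injection attempts that merits manual review.
META_RE = re.compile(r"[;|`]|\$\(|%3[bB]|%7[cC]|%60|%24%28")
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT) (\S+) HTTP/[\d.]+"')


def scan_php_source(name: str, source: str) -> List[Dict[str, object]]:
    """Return one finding per source line that matches the web-shell heuristic."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = SHELL_RE.search(line)
        if m:
            findings.append({"file": name, "line": lineno, "match": m.group(0)})
    return findings


def scan_access_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return the client and request target of log entries carrying shell metacharacters."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and META_RE.search(m.group(1)):
            hits.append({"client": line.split()[0], "target": m.group(1)})
    return hits


# Constructed samples (not real artifacts): a benign PHP fragment, a typical dropped
# shell, and two Apache-style access-log lines with documentation-range addresses.
SAMPLE_PHP = {
    "benign.php": "<?php\n$db = FreePBX::Database();\necho htmlspecialchars($_GET['id']);\n",
    "dropped.php": "<?php\n@eval(base64_decode($_POST['p']));\n",
}
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2026:10:00:00 +0000] "GET /example/page.php?id=42 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2026:10:00:05 +0000] "POST /example/page.php?id=42;echo+probe HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for name, src in SAMPLE_PHP.items():
        for finding in scan_php_source(name, src):
            print("web shell indicator:", finding)
    for hit in scan_access_log(SAMPLE_LOG):
        print("suspicious request:", hit)
```

On a live system, point scan_php_source at every .php file under the web root and scan_access_log at the web server's access log; treat hits as leads for investigation, not as confirmation.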
Organizations using FreePBX should prioritize remediation, as unpatched systems remain prime targets for cybercriminals. The Shadowserver Foundation continues to track the campaign and urges affected entities to report incidents for further analysis.