[TIMESTAMP: 2026-02-27 20:11 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

900+ Sangoma FreePBX Servers Compromised via Web Shell Exploitation

HIGH | Vulnerabilities | #sangoma #freepbx #web-shell
AI-Assisted Analysis

Overview of the Sangoma FreePBX Compromise

A significant number of Sangoma FreePBX instances remain compromised following a widespread exploitation campaign that leveraged a command injection vulnerability. According to a report in The Hacker News citing Shadowserver Foundation scan data, over 900 instances still host active web shells. These infections are the result of an attack wave that began in December 2025 and specifically targeted the web-based management interfaces of these Private Branch Exchange (PBX) systems.

FreePBX is a widely used open-source graphical user interface (GUI) that manages Asterisk, the industry-standard voice-over-IP (VoIP) server. Because these systems often sit at the intersection of the public internet and internal corporate networks, they represent high-value targets for threat actors seeking initial access or specialized capabilities like toll fraud.

Technical Analysis: Command Injection and Persistence

The root cause of the compromise is a command injection vulnerability within the FreePBX management interface. Command injection occurs when an application passes unsafe user-supplied data (such as HTTP headers, form inputs, or cookies) to a system shell without sanitization. In the context of a PBX, successful exploitation lets an attacker execute arbitrary commands with the privileges of the web server process (typically the asterisk or www-data user).

The primary objective of the attackers in this campaign appears to be the deployment of web shells. A web shell is a script, often written in PHP for FreePBX environments, that allows remote administration of the server via a web browser. By successfully uploading a web shell, attackers bypass standard authentication mechanisms and maintain persistent access even if the underlying vulnerability is later patched. This persistence allows for long-term monitoring of communications, exfiltration of SIP (Session Initiation Protocol) credentials, and the potential to pivot further into the victim’s internal network.

PBX systems are particularly sensitive because they handle voice traffic. Compromised instances can be utilized for ‘vishing’ (voice phishing) campaigns, unauthorized long-distance calling (toll fraud), or as proxies to obfuscate the origin of further cyberattacks.

Geographic Distribution and Impact

The Shadowserver Foundation’s telemetry indicates a broad geographic spread of the infections, though the United States is disproportionately affected. Out of the 900+ confirmed compromised instances, 401 are located within the U.S. Other significantly impacted regions include:

  • Brazil: 51 instances
  • Canada: 43 instances
  • Germany: 40 instances
  • France: 36 instances

This distribution suggests indiscriminate scanning and exploitation, with attackers targeting any reachable FreePBX instance regardless of the organization's size or sector.

Detection and Remediation Strategies

For administrators managing Sangoma FreePBX environments, immediate verification of system integrity is required. The presence of a web shell means that simply applying software updates may not be sufficient to evict the threat actor.

Identification and Removal

  • Audit Web Directories: Search for unauthorized or suspicious .php files within the web root (typically /var/www/html/). Pay close attention to files with randomized names or those that have been recently modified.
  • Log Analysis: Review web server access logs for unusual POST requests to scripts that do not normally receive such traffic. Check for evidence of shell commands being passed as URL parameters.
  • Process Monitoring: Use tools like top or ps to identify unusual processes running under the web server user, particularly those spawning interactive shells (sh, bash).
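The first two checks above, web root audit and access-log review, as an added triage script that is not from the article or from Sangoma/FreePBX. The allowlist of GUI entry points, the `/var/www/html` web root, the shell-indicator pattern and the sample log lines are constructed assumptions for illustration; build the real allowlist from a known-good install.

```python
import os
import re

# Hypothetical allowlist of FreePBX GUI entry points; derive the real one from a known-good install.
KNOWN_SCRIPTS = {"/admin/config.php", "/admin/ajax.php", "/admin/index.php"}

# Classic web-shell shape: an execution function fed straight from request input.
SHELL_INDICATOR = re.compile(rb"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)"
                             rb"\s*\(\s*(base64_decode\s*\(\s*)?\$_(GET|POST|REQUEST|COOKIE)\b", re.I)

# Apache combined log format: client ident user [time] "METHOD TARGET PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample: a normal GUI POST, then two hits on a random .php file under an asset directory.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2026:10:00:00 +0000] "POST /admin/config.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2026:10:00:05 +0000] "POST /admin/assets/img/a1b2c3.php HTTP/1.1" 200 77 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Jan/2026:10:00:09 +0000] "GET /admin/assets/img/a1b2c3.php?c=id HTTP/1.1" 200 40 "-" "curl/8.0"',
]

def unusual_php_requests(lines, known_scripts=KNOWN_SCRIPTS):
    """Return (client, method, path, query) for requests to .php paths outside the
    allowlist; a new script taking POSTs or query strings is the web-shell signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines instead of aborting triage
        client, method, target, _status = m.groups()
        path, _, query = target.partition("?")
        if path.endswith(".php") and path not in known_scripts:
            hits.append((client, method, path, query))
    return hits

def suspicious_php_files(root, modified_since):
    """Return (path, reasons) for .php files under root changed after modified_since
    (epoch seconds) or containing SHELL_INDICATOR; review hits, do not auto-delete."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for full in (os.path.join(dirpath, n) for n in names if n.endswith(".php")):
            reasons = []
            if os.path.getmtime(full) > modified_since:
                reasons.append("modified after baseline")
            with open(full, "rb") as fh:
                if SHELL_INDICATOR.search(fh.read()):
                    reasons.append("executes request input")
            if reasons:
                findings.append((full, reasons))
    return findings
```

Vendor code that calls exec() on its own arguments does not match the indicator, so on a clean install `suspicious_php_files("/var/www/html", baseline)` should return nothing once the baseline is set to the last legitimate change. Preserve any hit for forensics before removing it.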

Hardening and Mitigation

  • Update Software: Ensure that FreePBX and all associated modules are updated to the latest versions provided by Sangoma.
  • Restrict Access: The management GUI should never be exposed to the public internet. Use a VPN or strictly enforced IP whitelisting to limit access to known administrative workstations.
  • Filesystem Permissions: Implement strict filesystem permissions to prevent the web server user from writing to directories where script execution is permitted, although this can be challenging given the architecture of many PBX GUIs.
