More than 900 instances of the Sangoma FreePBX telecommunications software remain compromised by malicious web shells, according to a new report from the Shadowserver Foundation. The ongoing infections stem from attacks that began exploiting a critical command injection vulnerability in December 2025. The persistence of these backdoors poses a significant security risk to affected organizations globally.
Scope and Geographic Distribution of the Compromises
The non-profit identified 901 systems that are still infected. The United States hosts the largest number of compromised instances, with 401 affected systems. Brazil follows with 51 infected instances, while Canada has 43, Germany has 40, and France has 36. The spread across so many countries points to opportunistic mass exploitation of internet-exposed instances rather than a targeted campaign.
Shadowserver’s analysis attributes the compromises, most likely, to exploitation of a known flaw: the command injection vulnerability tracked as CVE-2025-53019, which allows remote code execution on unpatched FreePBX servers. Code execution in the web tier is all an attacker needs to write a web shell alongside the legitimate PHP files, which is why the initial exploit leaves a backdoor that outlives it.
Nature of the Threat and Attacker Activity
A web shell is a malicious script that provides a backdoor interface for remote administration of a compromised web server. Once installed, it grants attackers ongoing access to the system. They can use this access to steal data, deploy additional malware, or use the server as a launch point for further attacks within a network.
The Shadowserver Foundation reported that the threat actors behind these infections have been actively maintaining their access. The continued presence of the web shells on hundreds of servers, months after the initial exploitation wave, indicates that the attackers are after long-term persistence rather than a one-off hit. Because the compromised host is the PBX itself, that access can potentially be used to intercept or redirect voice traffic and call records, as well as to repurpose the server for other malicious activity.
Background on FreePBX and the Vulnerability
FreePBX is a widely used open-source web management interface for Asterisk, a popular software-based private branch exchange (PBX) platform. It is deployed by businesses and organizations worldwide to handle voice over IP (VoIP) phone systems, call routing, and other telephony functions. Its popularity, and the fact that its administrative web interface is often reachable from the internet, make it a high-value target for cybercriminals.
CVE-2025-53019 is a flaw in the FreePBX software itself and carries a critical severity rating. Sangoma, the commercial sponsor of FreePBX, published security advisories and patches for it in late 2025 to close the command injection.
Mitigation and Recommended Actions
The primary mitigation for this threat remains applying the available security updates. Sangoma has repeatedly urged all FreePBX administrators to ensure their systems are updated to the latest patched versions. Running outdated software leaves systems exposed to this and other known vulnerabilities. Patching closes the entry point but does not remove a web shell that was installed before the update, so any system that was exposed while vulnerable also needs to be checked for an existing backdoor.
Beyond patching, security professionals recommend several steps for administrators. These include scanning the web server directories for PHP or other script files that do not belong to the installed FreePBX version, reviewing the web server access logs for requests to scripts outside the normal entry points, and changing all administrative credentials (on a PBX this should extend to SIP trunk and extension secrets). Organizations that discover an infection should treat the host as fully compromised and conduct a full security audit, since the web shell may have been used to plant additional malware; rebuilding from a known-good image is more reliable than cleaning the host in place.
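The two checks above (a content scan of the web root and a pass over the access log) as a small triage script. This is an added example, not Sangoma or Shadowserver code. It assumes the FreePBX web root is /var/www/html (the FreePBX Distro default), that Apache logs in the combined format, and that KNOWN_ENTRY_POINTS is filled in from a clean install of the same version; the three entries in it, the sample log lines and the `.cache.php` file name are constructed placeholders, not real indicators.

```python
"""Triage helpers for a suspected FreePBX web-shell infection: a content
scan of the web root and a pass over the Apache access log.

Added example, not Sangoma or Shadowserver code. Assumptions: the FreePBX
web root is /var/www/html (FreePBX Distro default), Apache logs in the
combined format, and KNOWN_ENTRY_POINTS is populated from a known-good
install of the same version; the entries below are placeholders.
"""
import re
import tempfile
from pathlib import Path

# Indicators typical of PHP web shells: an execution sink fed by request
# input, an obfuscation layer in front of eval, or a request value used as
# a function name. Heuristic; legitimate code can trip it, so review hits.
INDICATORS = [
    ("sink_fed_by_request", re.compile(
        r"\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open)"
        r"\s*\([^;]*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.S)),
    ("decoder_before_eval", re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
        re.I)),
    ("request_as_function_name", re.compile(
        r"\$_(?:GET|POST|REQUEST|COOKIE)\[[^\]]*\]\s*\(")),
]
PHP_SUFFIXES = {".php", ".phtml", ".phar"}


def score_php_source(source: str) -> list[str]:
    """Return the names of the indicators that match one PHP source text."""
    return [name for name, pat in INDICATORS if pat.search(source)]


def scan_web_root(root: Path) -> dict[str, list[str]]:
    """Walk the web root and map each PHP file that trips an indicator to
    the indicators it tripped. Dotfiles are included on purpose: a name
    starting with '.' keeps the file out of a plain `ls`."""
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in PHP_SUFFIXES:
            continue
        hits = score_php_source(path.read_text(errors="replace"))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+')

# PHP entry points a browser legitimately hits. Placeholder set: derive the
# real one from a clean install, never from the suspect host.
KNOWN_ENTRY_POINTS = {"/admin/config.php", "/admin/ajax.php", "/ucp/index.php"}
# Query parameters that read like a command channel rather than UI state.
COMMAND_QUERY = re.compile(r"[?&](?:cmd|c|exec|command|pass|code)=", re.I)


def review_access_log(lines, known=frozenset(KNOWN_ENTRY_POINTS)) -> list[dict]:
    """Flag requests that execute PHP outside the known entry points or that
    carry a command-like query string; return one dict per flagged line."""
    flagged = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue
        script, _, query = m["path"].partition("?")
        reasons = []
        if Path(script).suffix.lower() in PHP_SUFFIXES and script not in known:
            reasons.append("php_outside_known_entry_points")
        if query and COMMAND_QUERY.search("?" + query):
            reasons.append("command_like_query")
        if reasons:
            flagged.append({"ip": m["ip"], "method": m["method"],
                            "path": m["path"], "status": m["status"],
                            "reasons": reasons})
    return flagged


# Constructed sample lines (RFC 5737 addresses, made-up file name; not IoCs).
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Jan/2026:10:00:01 +0000] "GET /admin/config.php?display=dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Jan/2026:10:03:44 +0000] "POST /admin/assets/.cache.php?cmd=id HTTP/1.1" 200 77 "-" "python-requests/2.31"',
]


def demo_scan() -> dict[str, list[str]]:
    """Build a constructed web root in a temp dir and scan it. The shell
    file name and body are made up for the example, not real indicators."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "admin" / "assets").mkdir(parents=True)
        (root / "admin" / "config.php").write_text("<?php echo 'dashboard'; ?>")
        (root / "admin" / "assets" / ".cache.php").write_text(
            "<?php @eval(base64_decode($_POST['k'])); ?>")
        return scan_web_root(root)


if __name__ == "__main__":
    print(demo_scan())
    for hit in review_access_log(SAMPLE_LOG):
        print(hit)
    # On a live host: scan_web_root(Path("/var/www/html")) and
    # review_access_log(open("/var/log/httpd/access_log")); the log path
    # varies by distribution.
```

The content scan is a first pass, not proof of cleanliness: a shell that lives in a file without a PHP extension, or one built from string concatenation, will not match these patterns. Comparing the file list and hashes of the suspect host against a clean install of the same FreePBX version catches what the regexes miss.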
Network monitoring for unusual outbound connections from PBX servers is also advised: a PBX normally talks to its SIP trunks, DNS and update servers, and little else, so new destinations or connections opened by the web server process stand out. The Shadowserver Foundation provides free daily network reports that can help organizations identify whether their internet-connected assets are exhibiting signs of compromise, including participation in botnets or hosting malicious code.
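A host-side version of that outbound check, as an added example (not Shadowserver or Sangoma code), run over `ss -tnp` output. It assumes the PBX listens on SERVED_PORTS, so a connection whose local port is one of them is inbound, and that EXPECTED_OUTBOUND is a per-site baseline; both sets and the sample output are constructed for the example and need replacing with the real values from a clean host.

```python
"""Flag unexpected outbound TCP connections on a PBX host from `ss -tnp`
output. Added example, not Shadowserver or Sangoma code. SERVED_PORTS,
EXPECTED_OUTBOUND and the sample output are assumed baselines."""
import re

# Ports this PBX listens on (FreePBX UI and SIP signalling). Assumed; take
# the real set from `ss -tlnp` on a clean host of the same build.
SERVED_PORTS = {80, 443, 5060, 5061}
# Destination ports the PBX legitimately connects out to: DNS over TCP,
# HTTPS for updates, SIP trunks. Assumed baseline, site specific.
EXPECTED_OUTBOUND = {53, 443, 5060, 5061}
# The web tier should never be the initiator of an outbound socket.
WEB_PROCESSES = {"httpd", "apache2", "php-fpm", "php"}

# One `ss -tnp` row: State Recv-Q Send-Q Local:Port Peer:Port users:(("proc",pid=N,fd=M))
SS_LINE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+)"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?')


def parse_ss(output: str) -> list[dict]:
    """Parse `ss -tnp` text into dicts; the header line does not match."""
    rows = []
    for line in output.splitlines():
        m = SS_LINE.match(line)
        if m:
            row = m.groupdict()
            row["lport"], row["rport"] = int(row["lport"]), int(row["rport"])
            rows.append(row)
    return rows


def flag_outbound(rows: list[dict]) -> list[tuple]:
    """Return (process, peer address, peer port, reasons) for established
    connections that are outbound and either go to a port outside the
    baseline or were opened by a web server process."""
    flagged = []
    for r in rows:
        if r["state"] != "ESTAB" or r["lport"] in SERVED_PORTS:
            continue  # inbound client connection to a service we expose
        reasons = []
        if r["rport"] not in EXPECTED_OUTBOUND:
            reasons.append("unexpected_destination_port")
        if r["proc"] in WEB_PROCESSES:
            reasons.append("web_process_initiated")
        if reasons:
            flagged.append((r["proc"], r["raddr"], r["rport"], reasons))
    return flagged


# Constructed sample (RFC 5737 addresses): an inbound UI session, a SIP
# trunk in both directions, and an httpd-owned socket to port 4444.
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:443 203.0.113.20:52110 users:(("httpd",pid=1201,fd=15))
ESTAB 0 0 10.0.0.5:5060 198.51.100.10:5060 users:(("asterisk",pid=880,fd=22))
ESTAB 0 0 10.0.0.5:41622 198.51.100.10:5061 users:(("asterisk",pid=880,fd=31))
ESTAB 0 0 10.0.0.5:49822 203.0.113.77:4444 users:(("httpd",pid=1203,fd=19))
"""

if __name__ == "__main__":
    for hit in flag_outbound(parse_ss(SAMPLE_SS)):
        print(hit)
    # Live: flag_outbound(parse_ss(subprocess.run(["ss", "-tnp"], ...).stdout))
```

Process names only appear in `ss -tnp` output when it is run as root; without them the second reason can never fire, so run the check with the privileges it needs or feed it a capture taken as root.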
Ongoing Response and Future Outlook
Shadowserver continues to notify affected network owners about the compromises through its daily feed. The organization’s work is part of a broader effort to clean up the global internet ecosystem by informing victims of security incidents. However, the responsibility for remediation ultimately lies with the system administrators and owners.
The situation underscores a persistent challenge in cybersecurity: the gap between a patch’s release and its widespread adoption. As long as vulnerable, unpatched systems remain connected to the internet, they represent an ongoing risk. Security analysts expect the threat actors to continue exploiting this and similar vulnerabilities in widely deployed software, making proactive system maintenance and vigilant monitoring critical for all organizations.
Source: The Shadowserver Foundation