
Over 900 Sangoma FreePBX Phone Systems Compromised in Ongoing Web Shell Campaign


Hundreds of organizations are currently running compromised Sangoma FreePBX phone systems, exposing their networks to ongoing remote control and potential data theft. Recent internet-wide scans have identified more than 900 FreePBX instances infected with web shells, the result of a command injection vulnerability first exploited in late 2025. For businesses relying on VoIP infrastructure, this incident highlights the urgent need for stronger patching, hardening, and continuous security monitoring.

Key Takeaways

  • Over 900 publicly exposed Sangoma FreePBX instances remain infected with web shells following exploitation of a command injection flaw.
  • The highest concentration of compromised systems is in the United States (401), followed by Brazil, Canada, Germany, and France.
  • Attackers are using web shells to maintain persistent remote access, potentially enabling call fraud, data theft, and lateral movement across networks.
  • Businesses must patch FreePBX immediately, remove any web shells, and review configurations to reduce exposure and prevent future compromise.

What Happened: Overview of the FreePBX Web Shell Attacks

A recent security analysis has revealed that more than 900 Sangoma FreePBX instances on the public internet are currently compromised with malicious web shells. These infections are linked to the exploitation of a command injection vulnerability that began to be widely abused in December 2025.

The vulnerability allowed attackers to execute arbitrary commands on vulnerable FreePBX servers, effectively taking over the underlying system. Once inside, threat actors deployed web shells to maintain persistent access, even if credentials were changed or basic cleanup was attempted.

Persistent web shells on VoIP servers transform a single misconfiguration or missed patch into an ongoing breach with long-term operational and financial risks.

Geographic Distribution of Compromised FreePBX Instances

The breakdown of impacted systems shows a broad global footprint, with particular concentration in North and South America and Europe. Based on observed internet telemetry, the known infected FreePBX instances are distributed as follows:

  • United States: 401 instances
  • Brazil: 51 instances
  • Canada: 43 instances
  • Germany: 40 instances
  • France: 36 instances

These numbers indicate substantial exposure across small and mid-sized businesses, managed service providers, and potentially larger organizations that rely on FreePBX for their telephony infrastructure.


Understanding the Risk: Why Web Shells on VoIP Systems Are Dangerous

Many organizations treat VoIP and PBX servers primarily as communications tools and underestimate their value as targets. In reality, compromised FreePBX instances offer attackers multiple opportunities to monetize or deepen their access.

What Is a Web Shell?

A web shell is a piece of malicious code (often a PHP script in the case of web applications) that provides a remote command interface to an attacker through a web browser. Once deployed on a server, it allows threat actors to:

  • Execute system commands
  • Upload or download files
  • Install additional malware or backdoors
  • Move laterally into other systems on the same network

Because web shells often blend in with legitimate application files and can be obfuscated, they are easy to miss without targeted security scanning.

Business Impact of a Compromised FreePBX Server

For businesses running FreePBX, a web shell infection is not just a technical concern; it has direct operational and financial implications:

  • Telephony fraud: Attackers can route calls through your PBX to premium-rate numbers, generating significant unauthorized charges.
  • Data exposure: Call logs, voicemail, contact databases, and integration data (e.g., CRM systems) may be accessible.
  • Ransomware staging ground: A VoIP server can be used as a foothold to deploy ransomware or other malware across your network.
  • Service disruption: Attackers can disable services, alter call routing, or degrade performance, disrupting customer communication.

In regulated industries, a breach starting from a PBX server can also raise compliance and reporting obligations, especially if sensitive communications or customer data are involved.


How the FreePBX Vulnerability Was Exploited

The campaign centers on a command injection vulnerability in certain FreePBX components. While the exact technical details may vary by deployment, the general pattern is consistent: user-controllable input was not properly sanitized before reaching a system call, allowing attackers to inject operating-system-level commands through ordinary web requests.
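To make the bug class concrete, here is an added illustration in Python (not Sangoma or FreePBX code; the page does not publish the flaw's details). It invents a small admin-side helper, `run_diagnostic`, that runs a CLI tool for an extension number taken from a web request, and places the injectable shape next to the hardened one. The tool name is a stand-in (`echo`) so the example runs anywhere.

```python
"""Command injection in a request-handling helper: unsafe pattern and fix.

Added illustration, not Sangoma/FreePBX code. The helper (a diagnostic that
runs a CLI tool for an extension number supplied by a web request) is
invented to show the bug class the article describes.
"""
import re
import subprocess

DIAG_TOOL = "echo"  # stand-in for a real PBX CLI so the example runs anywhere


def build_command_unsafe(extension: str) -> str:
    """VULNERABLE shape: request input spliced into a string meant for /bin/sh.

    Run with shell=True, an input such as '1001; id' is parsed by the shell as
    two commands, because nothing separates data from shell syntax.
    """
    return f"{DIAG_TOOL} status {extension}"


EXTENSION_RE = re.compile(r"[0-9]{2,10}")


def validate_extension(extension: str) -> str:
    """Allow-list validation: a PBX extension is digits only, 2 to 10 long."""
    if not EXTENSION_RE.fullmatch(extension):
        raise ValueError(f"invalid extension: {extension!r}")
    return extension


def build_command_safe(extension: str) -> list:
    """Hardened shape: the validated value is its own argv element."""
    return [DIAG_TOOL, "status", validate_extension(extension)]


def run_diagnostic(extension: str) -> str:
    """Execute without a shell (subprocess's default), so metacharacters are
    never interpreted even if validation were somehow bypassed."""
    result = subprocess.run(build_command_safe(extension),
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()


def is_accepted(extension: str) -> bool:
    """True if the allow-list validation lets the value through."""
    try:
        validate_extension(extension)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ("1001", "1001; id", "../../etc"):
        print(f"{candidate!r:16} accepted={is_accepted(candidate)}")
    print(run_diagnostic("1001"))
```

The two defences are independent: the allow-list regex rejects anything that is not an extension, and passing an argument list with `shell=False` means no shell ever parses the value. Relying on only one of them, for instance escaping for a shell that is still invoked, is where most "fixed" injection bugs reappear.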

Typical Attack Chain

In many environments, the compromise likely followed a similar sequence:

  1. The attacker identifies an internet-exposed FreePBX server running a vulnerable version.
  2. They send crafted HTTP requests designed to exploit the command injection flaw.
  3. Upon successful exploitation, they execute commands to download and install a web shell on the server.
  4. They then use the web shell as a persistent backdoor for further actions, including privilege escalation, data collection, and lateral movement.

Because many FreePBX systems are directly exposed to the internet for remote management or SIP connectivity, they represent an attractive and often under-protected target.

Why Many Systems Remain Infected

The fact that over 900 instances are still infected months after the start of the campaign suggests multiple systemic issues:

  • Slow patch adoption: Organizations may be unaware of the vulnerability or lack a formal patch management process for VoIP infrastructure.
  • Limited monitoring: PBX systems often fall outside the scope of centralized security monitoring and SIEM tooling.
  • Misconfigured exposure: FreePBX admin panels and APIs are sometimes exposed directly to the public internet without proper access controls.
  • Insufficient incident response: Even when suspicious activity is noticed, web shells can persist if removal is incomplete.

How to Check If Your Sangoma FreePBX Instance Is Compromised

Any organization running Sangoma FreePBX, especially if it is accessible from the internet, should assume potential exposure and perform targeted checks.

Initial Assessment Steps

To begin assessing your environment:

  • Identify all FreePBX instances: Inventory every PBX server, including those managed by third parties or hosted in the cloud.
  • Check versions and patch levels: Confirm that all instances are running the latest security-patched releases from Sangoma.
  • Review internet exposure: Use network scans and a review of cloud or perimeter firewall rules to determine which hosts have public-facing interfaces.

From there, deeper technical inspection is required to detect web shells or signs of compromise.

Indicators of Web Shell Activity

Security teams and administrators should look for:

  • Unfamiliar PHP or script files in web-accessible directories (e.g., with random names or unusual timestamps).
  • Suspicious web server logs showing repeated access to unusual URLs or parameters, especially from foreign IP addresses.
  • Unexpected outbound connections from the PBX server to external IPs or domains not associated with your provider.
  • New or modified cron jobs, services, or startup scripts that you did not configure.
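The first two indicators above (unfamiliar PHP files and suspicious web-server log entries) can be turned into a repeatable triage check. The Python script below is an added example, not a Sangoma or FreePBX tool; every path, file name, IP address and log line in it is constructed for illustration, and the heuristics produce leads for a human reviewer rather than verdicts.

```python
"""Triage script for the web-shell indicators listed above.

Added example, not a Sangoma/FreePBX tool; all sample data is constructed.
Check 1 scans a web root for PHP files that feed request input or decoded
payloads into code-execution primitives (the classic web-shell shape).
Check 2 flags access-log requests to PHP paths outside a known allowlist or
carrying command-style parameters. FreePBX itself calls exec(), so every
hit needs comparison against a known-good install of the same version.
"""
import os
import re
import tempfile
from collections import Counter
from urllib.parse import unquote

# ---- Check 1: file-content heuristics ----
EXEC_PRIMITIVES = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I)
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
OBFUSCATION = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)


def webshell_score(source: str) -> int:
    """0 = nothing of note; higher = more web-shell-like constructs."""
    has_exec = bool(EXEC_PRIMITIVES.search(source))
    score = 0
    if has_exec and REQUEST_INPUT.search(source):
        score += 2  # request data reaches an execution primitive
    if has_exec and OBFUSCATION.search(source):
        score += 2  # decoded payload reaches eval/system: obfuscated shell
    if has_exec and len(source) < 200:
        score += 1  # one-liners such as <?php @eval($_POST['x']); ?>
    return score


def scan_web_root(root: str, min_score: int = 2) -> list:
    """Return (path, score) for PHP files under root scoring >= min_score."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                score = webshell_score(fh.read())
            if score >= min_score:
                hits.append((path, score))
    return sorted(hits, key=lambda h: -h[1])


# ---- Check 2: access-log heuristics (Apache/nginx combined format) ----
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
CMD_PARAMS = re.compile(r"(^|&)(cmd|c|exec|command|shell|pass)=", re.I)
SHELL_META = re.compile(r"[;|`$]")


def suspicious_requests(lines, known_php_paths) -> list:
    """Flag requests with the reason(s) each tripped; the HTTP status is kept
    so a reviewer can prioritise successful (2xx) hits on unknown files."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        query = unquote(query)  # inspect the decoded form
        reasons = []
        if path.lower().endswith(".php") and path not in known_php_paths:
            reasons.append("php path not in allowlist")
        if CMD_PARAMS.search(query):
            reasons.append("command-style parameter")
        if SHELL_META.search(query):
            reasons.append("shell metacharacters in query")
        if reasons:
            flagged.append({"ip": m.group("ip"), "method": m.group("method"),
                            "path": path, "status": int(m.group("status")),
                            "reasons": reasons})
    return flagged


def top_sources(flagged) -> Counter:
    """Count flagged requests per client IP; a repeat offender is a strong lead."""
    return Counter(f["ip"] for f in flagged)


# ---- Constructed sample data ----
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2026:03:14:07 +0000] "GET /admin/config.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jan/2026:03:14:09 +0000] "POST /admin/assets/js/x7f3a.php?cmd=whoami HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.7 - - [12/Jan/2026:03:15:00 +0000] "GET /admin/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jan/2026:03:16:41 +0000] "GET /admin/assets/js/x7f3a.php?c=hostname%3bid HTTP/1.1" 200 1950 "-" "curl/8.0"
"""
KNOWN_PHP = {"/admin/config.php", "/admin/index.php"}  # taken from a known-good install


def build_sample_web_root() -> str:
    """Create a temp web root with one ordinary PHP file and one shell-like file."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "assets", "js"))
    with open(os.path.join(root, "legit.php"), "w") as fh:  # constructed: shells out, no request input
        fh.write("<?php\n$out = exec('asterisk -rx \"core show channels\"');\necho htmlspecialchars($out);\n")
    with open(os.path.join(root, "assets", "js", "x7f3a.php"), "w") as fh:  # constructed shell
        fh.write('<?php @eval(base64_decode($_POST["x"])); ?>\n')
    return root


if __name__ == "__main__":
    for path, score in scan_web_root(build_sample_web_root()):
        print(f"[file] score={score} {path}")
    flagged = suspicious_requests(SAMPLE_LOG.splitlines(), KNOWN_PHP)
    for f in flagged:
        print(f"[log] {f['ip']} {f['method']} {f['path']} {f['status']} {', '.join(f['reasons'])}")
    print("[sources]", top_sources(flagged).most_common())
```

On a real server, point `scan_web_root` at the web root and build `KNOWN_PHP` from a clean install of the same FreePBX version; the scoring deliberately leaves the ordinary `exec()` call in `legit.php` below the reporting threshold, while the short `eval(base64_decode($_POST[...]))` file and the repeated requests to an unknown `.php` path from one client surface immediately.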

If you lack internal expertise, consider engaging a cybersecurity partner to perform a dedicated compromise assessment on your VoIP infrastructure.


Mitigation: Securing Sangoma FreePBX Against Ongoing Attacks

Responding to this campaign requires both immediate incident response for potentially compromised systems and long-term hardening to reduce future risk.

Immediate Actions for Potentially Affected Systems

For any FreePBX instance that may be exposed or outdated:

  • Apply all relevant security patches from Sangoma as soon as possible.
  • Conduct a full malware and web shell scan on the server, including web directories and system paths.
  • Reset administrative credentials and any API tokens associated with the PBX.
  • Review call logs and billing records for signs of telephony fraud or abnormal activity.

In high-risk scenarios, a full rebuild of the server from a known-good, patched image may be the safest option, followed by restoration of clean configuration data.

Best Practices for Ongoing Protection

To better protect your VoIP infrastructure against future campaigns:

  • Limit exposure: Place the FreePBX admin interface behind a VPN or IP allowlist instead of exposing it directly to the internet.
  • Deploy a web application firewall (WAF): Use a WAF to filter and block malicious HTTP requests that target known vulnerabilities.
  • Integrate into security monitoring: Forward FreePBX and web server logs to your SIEM or centralized logging platform for anomaly detection.
  • Harden the server OS: Disable unnecessary services, enforce least privilege, and ensure filesystem and network hardening.
  • Regularly audit configurations: Schedule periodic security reviews of SIP trunks, extensions, call routing, and access controls.

Conclusion: Treat VoIP as Critical Infrastructure

The discovery of more than 900 compromised Sangoma FreePBX instances underscores a broader reality: VoIP and PBX platforms are high-value targets and must be secured like any other critical system. Web shells deployed via a command injection flaw turn these servers into persistent control points for attackers, with potential impact reaching far beyond telephony.

For business owners as well as development and IT teams, this incident is a call to:

  • Reassess the exposure and security posture of all communications infrastructure
  • Implement disciplined patch and configuration management for PBX systems
  • Integrate VoIP platforms into broader cybersecurity monitoring and incident response processes

Organizations that move quickly to identify and remediate compromised FreePBX instances will significantly reduce the risk of fraud, data loss, and disruptive breaches originating from their telephony stack.


About support@izendestudioweb.com

Izende Studio Web has been serving St. Louis, Missouri, and Illinois businesses since 2013. We specialize in web design, hosting, SEO, and digital marketing solutions that help local businesses grow online.