Securityaffairs
900 Sangoma FreePBX Instances Compromised by CVE-2025-64328 Exploitation
First seen 1 Mar 2026, 12:09 UTC
•



•79% similarity
•36.2
Share:
Export
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
Browse articles
Attackers exploited CVE-2025-64328, a command injection vulnerability, affecting 900 Sangoma FreePBX systems. The exploitation resulted in the installation of web shells, with hundreds of instances remaining compromised since attacks began in December 2025.
ThreatCluster AI
Timeline
2025-11-07
CVE-2025-64328 published
2025-11-16
First public PoC released
2025-12-01
Attacks on Sangoma FreePBX instances began
2026-02-03
CVE-2025-64328 added to CISA KEV for active exploitation
2026-03-01
900 Sangoma FreePBX systems reported infected