900 Sangoma FreePBX Instances Compromised by CVE-2025-64328 Exploitation

900 Sangoma FreePBX Instances Compromised by CVE-2025-64328 Exploitation

First seen 1 Mar 2026, 12:09 UTC Feeds.FeedburnerSecurityaffairs.CoSecurityaffairsRescanaScworld 79% similarity 36.2

Article Content

Browse articles
ThreatCluster

Attackers exploited CVE-2025-64328, a command injection vulnerability, affecting 900 Sangoma FreePBX systems. The exploitation resulted in the installation of web shells, with hundreds of instances remaining compromised since attacks began in December 2025.

ThreatCluster AI

Timeline

2025-11-07
CVE-2025-64328 published
2025-11-16
First public PoC released
2025-12-01
Attacks on Sangoma FreePBX instances began
2026-02-03
CVE-2025-64328 added to CISA KEV for active exploitation
2026-03-01
900 Sangoma FreePBX systems reported infected

Community

Browse all →