900+ Sangoma FreePBX Instances Compromised in Ongoing Web Shell Attacks

Source: The Hacker News
Date: February 27, 2026

EXECUTIVE SUMMARY

Over 900 Sangoma FreePBX Instances Compromised by Web Shell Attacks

Summary

The Shadowserver Foundation has disclosed that over 900 Sangoma FreePBX instances have been compromised with web shells through a command injection vulnerability. These attacks have been ongoing since December 2025, affecting systems globally.

Key Points

  • Over 900 Sangoma FreePBX instances are infected with web shells.
  • The attacks exploit a command injection vulnerability identified in December 2025.
  • 401 compromised instances are located in the U.S., with significant numbers also in Brazil (51), Canada (43), Germany (40), and France (36).
  • The Shadowserver Foundation reported these findings.

Analysis

The widespread compromise of Sangoma FreePBX instances highlights a significant security vulnerability that has been actively exploited since late 2025. The geographic distribution of the affected systems indicates a global issue, with a particularly high concentration in the United States. This situation underscores the critical need for organizations using FreePBX to review their security measures and apply necessary patches to mitigate the risk of further exploitation.

Conclusion

IT professionals managing Sangoma FreePBX systems should immediately assess their systems for vulnerabilities, apply all relevant security patches, and monitor for any signs of compromise to prevent further exploitation.