
Unveiling the Weaponized Web Shell EncystPHP

  • January 28, 2026

Jasper_The_Rasper
Moderator

A persistent FreePBX web shell enabling long-term administrative compromise


By Vincent Li | January 28, 2026

Affected Platforms: FreePBX Endpoint Manager v17.0.2.36 – v17.0.3
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High

FortiGuard Labs has discovered a web shell that we named “EncystPHP.” It features several advanced capabilities, including remote command execution, persistence mechanisms, and web shell deployment. Incidents were launched in early December last year and propagated via exploitation of the FreePBX vulnerability CVE-2025-64328.

Its malicious activity appears to be associated with the hacker group INJ3CTOR3, first identified in 2020, which targeted CVE-2019-19006. In 2022, the threat actor shifted its focus to the Elastix system via CVE-2021-45461. These incidents begin with the exploitation of a FreePBX vulnerability, followed by the deployment of a PHP web shell in the target environments. We assess that this campaign represents recent attack activity and behavior patterns associated with INJ3CTOR3.

The following section provides an in-depth analysis of the related incidents and the EncystPHP web shell.


Incidents

The web shell was delivered via CVE-2025-64328, a post-authentication command-injection vulnerability in the administrative interface of the FreePBX Endpoint Manager.

The exploit originated from Brazil and targeted a victim environment managed by an Indian technology company specializing in cloud solutions, communication services, and IT infrastructure.

Figure 1: FreePBX administrative interface

The attackers downloaded the EncystPHP dropper from the IP address 45[.]234[.]176[.]202, which resolves to the domain crm[.]razatelefonia[.]pro. The associated web page, Raza Telefonia, which appears to be a VoIP management system, includes a login interface.
