Attackers Exploit Command Injection Vulnerability in Sangoma FreePBX

Hundreds of Sangoma FreePBX systems compromised with web shells due to command injection flaw.

    Sangoma FreePBX, a widely used platform for managing Voice over Internet Protocol (VoIP) phone systems, has suffered a serious security breach. The open-source, web-based platform is maintained by Sangoma Technologies and relies on Asterisk to power its VoIP services for businesses of all sizes. Roughly 900 systems were infected with web shells after attackers exploited a command injection flaw, and hundreds of those instances remain compromised to this day.

    The Sangoma FreePBX Vulnerability Explained

    The security flaw, rooted in command injection, gave attackers the ability to remotely execute arbitrary code on targeted systems. By leveraging this weakness, threat actors deployed web shells — malicious scripts that grant persistent remote access and control — across a large number of FreePBX instances. The attacks, which began in December 2025, have continued to affect systems that have yet to be patched or remediated.

    Web shells are particularly dangerous because they are difficult to detect and can remain active on a compromised server for extended periods. Once installed, they provide attackers with a persistent foothold that can be used to exfiltrate data, pivot further into a network, or launch additional attacks against connected infrastructure.

    The Exploitation Timeline and Its Impact on Businesses

    The campaign targeting Sangoma FreePBX systems began in December 2025. Despite growing awareness of the threat, a significant number of internet-exposed instances continue to run without the necessary protections in place. Given that FreePBX is widely deployed across business communication infrastructure, the scale of the compromise carries serious operational and security implications for affected organizations.

    Key details:

    • Command injection vulnerability enabled unauthorized remote code execution
    • Over 900 systems were infected with web shells
    • Attacks began in December 2025 and compromised systems remain active
    • Sangoma FreePBX is an open-source platform built on Asterisk for VoIP management

    How to Mitigate the Risk in Sangoma FreePBX Deployments

    Security professionals stress that prompt patch management is the most direct response to vulnerabilities of this nature. Applying available security updates to Sangoma FreePBX installations is a critical first step in cutting off active exploitation paths. In parallel, administrators should audit their systems for signs of existing web shell infections, including unexpected files, unusual outbound connections, or unauthorized user activity.

    Best Practices for Securing VoIP Infrastructure

    Organizations running FreePBX or similar VoIP platforms should take a structured approach to reducing their attack surface:

    1. Routine Software Updates: Keep all components of the Sangoma FreePBX deployment current with the latest security patches released by Sangoma Technologies.
    2. Web Shell Detection: Use file integrity monitoring and endpoint detection tools to identify unauthorized scripts or modifications to the system.
    3. Network Monitoring: Deploy traffic analysis tools to flag suspicious behavior, such as unusual outbound connections or access patterns that suggest remote control activity.
    4. Access Controls: Restrict administrative interface exposure by placing FreePBX management panels behind a VPN or firewall, limiting access to trusted IP addresses only.
    5. User Education: Ensure that staff responsible for managing communication systems understand security protocols and are aware of indicators of compromise.
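
    The audit described above (unexpected files, unauthorized scripts or modifications) can be made repeatable with a baseline-and-scan check. The following is an added example, not code from Sangoma or from the FreePBX project: it hashes every file under a web root on a known-clean, freshly patched system, later reports files that are new or changed, and flags PHP files that pass request input straight into an execution function. The web root path is an assumption (on typical FreePBX installs it is /var/www/html; verify on your own system), and the heuristic pattern, the file contents and the tamper scenario in `demo()` are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Hypothetical heuristic for PHP web shells: an execution primitive fed from request
# input. Not a vendor signature; tune it to the deployment before relying on it.
SUSPICIOUS = re.compile(
    rb"\b(eval|system|shell_exec|passthru|exec|assert)\s*\(\s*(base64_decode\s*\(\s*)?"
    rb"\$_(GET|POST|REQUEST|COOKIE)\b", re.IGNORECASE)
WEB_EXTENSIONS = {".php", ".phtml", ".phar"}

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_baseline(root):
    # Hash every file under root; run this on a known-clean, freshly patched system.
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p) for p in root.rglob("*") if p.is_file()}

def scan(root, baseline):
    # Diff the current tree against the baseline and flag web-shell-like code.
    root = Path(root)
    findings = set()
    for p in (q for q in root.rglob("*") if q.is_file()):
        rel = str(p.relative_to(root))
        if rel not in baseline:
            findings.add(("new_file", rel))
        elif baseline[rel] != sha256_file(p):
            findings.add(("modified", rel))
        # The content check also covers baseline files, so a shell appended to a
        # legitimate page is reported as both "modified" and "suspicious_code".
        if p.suffix.lower() in WEB_EXTENSIONS and SUSPICIOUS.search(p.read_bytes()):
            findings.add(("suspicious_code", rel))
    return sorted(findings)

def demo():
    # Constructed scenario: clean baseline, then a dropped shell and a tampered page.
    root = Path(tempfile.mkdtemp())
    (root / "admin").mkdir()
    (root / "admin" / "index.php").write_bytes(b"<?php echo 'admin'; ?>")
    (root / "config.php").write_bytes(b"<?php $db = 'asterisk'; ?>")
    baseline = build_baseline(root)
    # Simulated post-compromise state (constructed, not a real sample).
    (root / "admin" / "x.php").write_bytes(b"<?php eval(base64_decode($_POST['c'])); ?>")
    with open(root / "config.php", "ab") as f:
        f.write(b"\n<?php system($_GET['cmd']); ?>")
    return scan(root, baseline)
```

    In practice, store the baseline off-host (an attacker with a shell can rewrite a local one) and treat a `suspicious_code` hit on a file that is also `modified` as a strong signal of a shell planted inside a legitimate page.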

    Organizations that depend on Sangoma FreePBX for business communications must treat this threat as an active risk rather than a future concern. With hundreds of systems still infected, the window for remediation is narrow, and the consequences of inaction could extend well beyond the VoIP platform itself.
