Unmasking the Persistent Threat: Web Shells Hijack 900+ Sangoma FreePBX Instances

Security Arsenal Team
February 28, 2026
5 min read

Telephony infrastructure is often the overlooked backbone of enterprise communication, yet it remains a prime target for cybercriminals seeking a foothold into corporate networks. Recent intelligence from the Shadowserver Foundation paints a stark picture of this reality: over 900 Sangoma FreePBX instances are currently actively compromised, harboring web shells that allow attackers persistent remote control.

The Silent Onslaught on VoIP

While many organizations focus their defensive efforts on endpoints and cloud workloads, Unified Communications (UC) servers like FreePBX frequently sit exposed to the internet, vulnerable to exploitation. The ongoing attacks leverage a critical command injection vulnerability that has been exploited since December 2025. Although patches are likely available, remediation has been too slow, leaving hundreds of servers, particularly in the United States, under hostile control.

The geographical distribution is significant, with 401 infected instances located in the U.S. alone, followed by Brazil, Canada, Germany, and France. This widespread infection suggests that the threat actors are automating their scanning and exploitation efforts, targeting any unpatched system globally.

Deep Dive: Attack Vector and Persistence

The core of this campaign is a command injection vulnerability. In a FreePBX environment, this type of flaw typically allows an attacker to execute arbitrary system commands via a specific web interface parameter. Once the command injection is successful, the attacker's primary goal is persistence.

The TTPs (Tactics, Techniques, and Procedures)

Rather than simply defacing the site or causing immediate disruption, attackers are deploying web shells. These are malicious scripts uploaded to the server that act as a backdoor. Because the web shell runs within the web server process (often Apache or Nginx with www-data privileges), it can blend in with legitimate traffic.

Why web shells?

  1. Firewall Evasion: Traffic to the web shell looks like standard HTTP/HTTPS POST requests, bypassing standard firewall rules.
  2. Proxy Capabilities: Attackers can use the compromised VoIP server as a pivot point to attack internal systems or launch attacks against external targets, masking the attacker's true origin IP.
  3. Credential Harvesting: VoIP servers often contain configuration files with SIP credentials or database connections that can be scraped for lateral movement.

Detection and Threat Hunting

Identifying these compromised instances requires looking beyond standard signature-based antivirus. We must hunt for the behaviors associated with web shells and the specific artifacts of the command injection attempts.

1. Hunt for Recent PHP Modifications

Web shells are often PHP files in a web directory with names meant to look innocuous or obscure. Use the following Bash script on your FreePBX servers to identify PHP files modified in the last 14 days that contain common web shell functions like eval, base64_decode, or system.

Script / Code
#!/bin/bash
# Search for recently modified PHP files containing suspicious functions
find /var/www/html -name "*.php" -mtime -14 -type f -exec grep -lE "eval\(|base64_decode\(|shell_exec\(|passthru\(|system\(" {} \;

2. KQL Query for Suspicious URI Patterns

If you are forwarding web proxy or firewall logs to Microsoft Sentinel, use this KQL query to detect potential web shell activity. It flags requests to FreePBX admin paths whose URI or body contains function names commonly associated with command injection and web shell traffic.

Script / Code
// Hunt for potential FreePBX command injection and web shell access
// RequestUrl and RequestBody are assumed to be populated by your proxy/firewall log connector;
// adjust the column names to match that connector's schema.
let SuspiciousKeywords = dynamic(["eval", "exec", "system", "passthru", "shell_exec", "base64_decode"]);
DeviceNetworkEvents
| where RemotePort in (80, 443, 8088)
| where ActionType == "HttpRequest"
| where RequestUrl has_any("admin", "config", "ajax")
| extend KeywordMatch = iff(RequestUrl has_any(SuspiciousKeywords) or RequestBody has_any(SuspiciousKeywords), "Match", "NoMatch")
| where KeywordMatch == "Match"
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RequestUrl, RequestBody, RemoteIP
| order by Timestamp desc
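The same keyword hunt can be run offline against the PBX's own Apache access log, which is often the only telemetry available on the server itself. The following Python script is an added example, not part of the original advisory: it parses constructed combined-format log lines and flags PHP endpoints outside an assumed baseline, injection keywords in decoded query strings, and repeated POSTs to an unknown PHP file. The baseline set, the keyword list and the POST threshold are assumptions to tune for your deployment.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit
# Constructed Apache combined-format lines for illustration (TEST-NET addresses), not captured traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2026:03:14:01 +0000] "POST /admin/ajax.php?module=core&command=ls HTTP/1.1" 200 512
203.0.113.7 - - [12/Jan/2026:03:14:09 +0000] "POST /admin/assets/img/.cache.php HTTP/1.1" 200 88
203.0.113.7 - - [12/Jan/2026:03:15:22 +0000] "POST /admin/assets/img/.cache.php HTTP/1.1" 200 91
203.0.113.7 - - [12/Jan/2026:03:16:40 +0000] "POST /admin/assets/img/.cache.php HTTP/1.1" 200 90
198.51.100.4 - - [12/Jan/2026:08:02:11 +0000] "GET /admin/config.php?display=dashboard HTTP/1.1" 200 20481
192.0.2.9 - - [12/Jan/2026:09:30:00 +0000] "GET /admin/config.php?display=core&act=eval%28base64_decode%28...%29%29 HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumed baseline of legitimate FreePBX PHP entry points: build yours from a clean install.
BASELINE_PHP = {"/admin/config.php", "/admin/ajax.php", "/admin/index.php"}
# Same function names the advisory's grep and KQL hunts use, matched after URL decoding.
KEYWORDS = ("eval(", "base64_decode(", "shell_exec(", "passthru(", "system(", "exec(")
BEACON_THRESHOLD = 3  # repeated POSTs to one unknown PHP file look like shell interaction

def hunt(log_text):
    """Return {(client_ip, path): [reasons]} for requests resembling web shell or injection use."""
    findings = {}
    post_counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole hunt
        url = urlsplit(m["target"])
        path, query = url.path, unquote_plus(url.query).lower()
        key = (m["ip"], path)
        reasons = []
        unknown_php = path.endswith(".php") and path not in BASELINE_PHP
        if unknown_php:
            reasons.append("php endpoint outside baseline")
        hits = [k for k in KEYWORDS if k in query]
        if hits:
            reasons.append("injection keyword in query: " + ",".join(hits))
        if unknown_php and m["method"] == "POST":
            post_counts[key] += 1
            if post_counts[key] == BEACON_THRESHOLD:
                reasons.append(f"repeated POSTs ({BEACON_THRESHOLD}+) to unknown php file")
        if reasons:
            findings.setdefault(key, set()).update(reasons)
    return {k: sorted(v) for k, v in findings.items()}
```

Run it against /var/log/httpd/access_log (or wherever your FreePBX web server writes it) and review every flagged (ip, path) pair alongside the file-modification hunt above.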

3. PowerShell Audit for Administrative Users

Attackers often create new users or modify existing administrative groups to maintain access. Run this PowerShell check to audit for unusual local group memberships on Windows-based management consoles or adjacent systems.

Script / Code
# Get members of the local Administrators group and check for discrepancies
Get-LocalGroupMember -Name 'Administrators' | 
    Select-Object Name, SID, PrincipalSource | 
    Where-Object { $_.PrincipalSource -eq 'Local' -and $_.Name -notmatch 'Administrator' } | 
    Format-Table -AutoSize

Mitigation and Remediation

If your systems are identified as vulnerable or compromised, immediate action is required.

  1. Immediate Isolation: If a web shell is confirmed, disconnect the VoIP server from the internet immediately. Do not simply reboot the server, as the persistence mechanism will remain.
  2. Patch Management: Apply the latest security updates provided by Sangoma for FreePBX immediately. This vulnerability was exploited starting in late 2025, so ensure all patches since that date are applied.
  3. Credential Reset: Assume that SIP trunk credentials and database passwords stored on the server have been exfiltrated. Rotate all secrets associated with the PBX.
  4. Web Shell Removal: Simply deleting the file is often insufficient as attackers may leave "backup" shells. Conduct a full forensic analysis or restore the web directory from a known clean backup prior to the December 2025 compromise window.
  5. Network Segmentation: Restrict management interfaces (port 80/443) to specific management IP subnets via firewall rules. Never expose the FreePBX admin interface directly to the public internet without a VPN or Zero Trust Access solution.

Conclusion

The Shadowserver report serves as a critical reminder: legacy infrastructure and communication platforms are high-value targets. With over 900 instances still broadcasting their compromise to the world, the race is on to identify and remediate these nodes before they are leveraged for larger, more destructive campaigns.
