900+ Sangoma FreePBX Instances Compromised in Ongoing Web Shell Attacks

Summary

Over 900 Sangoma FreePBX instances are still compromised with web shells following attacks, which began in December 2025, that exploited a command injection vulnerability. The majority of infected instances are located in the U.S., followed by Brazil, Canada, Germany, and France. The compromises were discovered by the Shadowserver Foundation.

IFF Assessment

FOE

Compromised FreePBX instances pose a significant risk to organizations using these systems.

Defender Context

Defenders should prioritize patching vulnerable FreePBX instances and investigate for signs of compromise, including web shell activity. Regularly monitor systems for suspicious behavior and review access logs. This incident underscores the importance of timely patching and robust security monitoring in VoIP environments.
