
900 Sangoma FreePBX Instances Infected with Web Shells
Attackers exploited a post-authentication command injection vulnerability in the endpoint manager interface of Sangoma FreePBX, leading to the infection of approximately 900 instances with web shells. The vulnerability requires authentication, indicating attackers likely gained credentials or bypassed authentication mechanisms prior to exploitation. No specific CVE ID, dates, or geographic distribution of affected systems were provided in the report. The impact involves unauthorized access and potential remote control of compromised FreePBX systems via implanted web shells. Technical details are limited to the exploitation of the endpoint manager’s interface.