Over 900 Sangoma FreePBX Instances Compromised by Web Shells

The Shadowserver Foundation reported that over 900 Sangoma FreePBX instances remain compromised with web shells due to attacks exploiting a command injection vulnerability that began in December 2025. Of the infected systems, 401 are located in the U.S., followed by 51 in Brazil, 43 in Canada, 40 in Germany, and 36 in France. The non-profit organization identified the ongoing compromises but did not specify the exact vulnerability (CVE ID) or the full technical impact. No additional details about the attackers or the web shells' functionality were provided in the available content.