Hypothetically, if an attacker from the public internet could login to the IPBX / FreePBX 17 web login page (which is less likely when you restrict access to tailscale machine members only), and the attacker obtains a "web shell", it would be as the user "www-data", then they could try and run the exploit, and get promoted to user "root", but only if their OS has not received the patched linux kernel, or the mitigation to disable the
algif_aead kernel module.
In fact, a web shell EncystPHP recently deployed against FreePBX, allows an attacker to:
- Execute arbitrary system commands with the permissions of the web server (e.g.,
www-data or apache).
- Upload, download, or edit files.
- Establish persistent access through
cron jobs or backdoor accounts.
- Initiate outbound activity (e.g., send thousands of paid spam emails, network scanning),
In early 2026, threat actors are targeting FreePBX servers by using
CVE-2025-64328, a post-authentication command-injection vulnerability in the Endpoint Manager module.
More details at GitHub Security Advisory.
- Attackers use valid credentials (obtained via other means) or other vulnerabilities to first gain access.
- A base64-encoded PHP payload is sent via HTTP POST to ajax.php, creating a new malicious file in
/var/www/html/admin/views/.
- The shell often sets restrictive permissions (
chmod 000) on the file to hide it, while creating cron jobs to ensure the shell is re-downloaded if removed!
I've noticed attack activity patterns on this IPBX 2025 instance. With no call activity, PM2, node, webmin and asterisk are intermittently higher CPU than one would expect. After some hours it is totally non-responsive and requires reboot thru the VM control panel.
EDIT: From an earlier attempt to provide remote access, I have OpenVPN and KnockD installed and running, which are probably providing too much of an attack surface to internet scanning hackers & so first move is to disable these two services and see if the heavy CPU load from these attacks drops off.