The Shadowserver Foundation has reported that more than 900 instances of Sangoma FreePBX, a widely used open-source telephony platform, remain compromised due to web shell attacks exploiting a command injection vulnerability that has persisted since December 2025. The geographical distribution of these affected instances reveals a heavy concentration in the U.S. with 401 instances, followed by Brazil, Canada, Germany, and France. This ongoing threat underscores the critical need for organizations to regularly assess their cybersecurity postures and patch known vulnerabilities promptly.
For businesses leveraging FreePBX or similar systems, the implications are profound. The presence of web shells allows attackers to maintain persistent access to compromised systems, potentially leading to data breaches, unauthorized communications, and further exploitation. This situation emphasizes the importance of implementing robust security measures, including regular software updates, intrusion detection systems, and employee training on recognizing suspicious activity. As organizations increasingly rely on digital communication solutions, addressing such vulnerabilities is essential not only for protecting sensitive information but also for maintaining trust with customers and stakeholders in a landscape where cybersecurity is paramount.
---
*Originally reported by [The Hacker News](https://thehackernews.com/2026/02/900-sangoma-freepbx-instances.html)*