CVE-2025-64328

Sangoma FreePBX OS Command Injection (CVE-2025-64328)

Initial Access Execution Persistence Last updated:

Detects exploitation of an OS command injection vulnerability in Sangoma FreePBX. An authenticated or unauthenticated attacker may inject arbitrary OS commands through vulnerable FreePBX web interfaces or API endpoints, leading to remote code execution on the underlying Linux host. This vulnerability is tracked as CVE-2025-64328 and is listed in CISA's Known Exploited Vulnerabilities catalog.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
Sangoma
Product
FreePBX

Weakness (CWE)

CWE-78

Timeline

Disclosed
February 3, 2026

CVSS

Unscored
Write-up coming soon

What is CVE-2025-64328 Sangoma FreePBX OS Command Injection (CVE-2025-64328)?

Sangoma FreePBX OS Command Injection (CVE-2025-64328) (CVE-2025-64328) maps to the Initial Access and Execution and Persistence tactics — the adversary is trying to get into your network in MITRE ATT&CK.

This page provides production-ready detection logic for Sangoma FreePBX OS Command Injection (CVE-2025-64328), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Azure Monitor, Microsoft Sentinel. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access Execution Persistence
Microsoft Sentinel / Defender
kusto 
let FreePBXProcesses = dynamic(["asterisk", "freepbx", "amportal", "php", "httpd", "apache2", "nginx"]);
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where InitiatingProcessParentFileName has_any (FreePBXProcesses)
    or InitiatingProcessFileName has_any (FreePBXProcesses)
| where FileName in~ ("sh", "bash", "dash", "ksh", "zsh", "python", "python3", "perl", "nc", "ncat", "netcat", "curl", "wget", "base64", "id", "whoami", "uname")
| where ProcessCommandLine has_any ("wget", "curl", "chmod", "bash -i", "/dev/tcp", "python -c", "perl -e", "nc -e", "mkfifo", "base64 -d", "socat", "id;", "whoami;")
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
| order by TimeGenerated desc

Detects shell spawning or suspicious command execution from FreePBX/Asterisk parent processes, indicative of OS command injection exploitation.

critical severity high confidence

Data Sources

Microsoft Defender for Endpoint Azure Monitor Microsoft Sentinel

Required Tables

DeviceProcessEvents

False Positives

  • Legitimate system administration scripts run under the asterisk or freepbx service account
  • Automated backup or maintenance jobs that invoke shell commands via the FreePBX cron interface
  • Security scanning tools running on the PBX host that enumerate running processes

Sigma rule & cross-platform mapping

The detection logic for Sangoma FreePBX OS Command Injection (CVE-2025-64328) (CVE-2025-64328) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource: 

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for CVE-2025-64328 Sigma rules on detection.fyi

Platform-specific guides for CVE-2025-64328

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)
Last updated: 2026-06-19 Research depth: standard
References (3)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1FreePBX OS Command Injection via Admin Web Interface Parameter

    Expected signal: Linux audit log entry for execve of 'id' with ppid mapping to httpd/apache2; DeviceProcessEvents showing id or sh spawned from apache2 parent process

  2. Test 2Reverse Shell Establishment via FreePBX Command Injection

    Expected signal: DeviceNetworkEvents showing outbound TCP connection from FreePBX host to ATTACKER_IP:4444 initiated by bash process with asterisk user context; auditd execve of bash with -i flag

  3. Test 3Post-Exploitation Persistence via Cron Job Implant

    Expected signal: File creation or modification event for /var/spool/cron/asterisk; auditd SYSCALL write to cron spool directory by asterisk UID

  4. Test 4Web Shell Deployment Following FreePBX Command Injection

    Expected signal: File creation event for shell.php in FreePBX web root directory with www-data initiating process; subsequent HTTP GET request to shell.php with cmd parameter; DeviceProcessEvents showing id spawned from httpd/apache2

Unlock Pro Content

Get the full detection package for CVE-2025-64328 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0003Persistence

Related Techniques

T1190Exploit Public-Facing ApplicationT1059.004Unix ShellT1505.003Web ShellT1071.001Web Protocols

Same Tactic: Initial Access

Popular Detections