CVE-2025-64328 IBM QRadar · QRadar

Detect Sangoma FreePBX OS Command Injection (CVE-2025-64328) in IBM QRadar

Detects exploitation of an OS command injection vulnerability in Sangoma FreePBX. An authenticated or unauthenticated attacker may inject arbitrary OS commands through vulnerable FreePBX web interfaces or API endpoints, leading to remote code execution on the underlying Linux host. This vulnerability is tracked as CVE-2025-64328 and is listed in CISA's Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactic
Initial Access Execution Persistence

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
       sourceip, destinationip, username, "Process Name", "Command", "Parent Process Name"
FROM events
WHERE LOGSOURCENAME(logsourceid) ILIKE '%linux%'
  AND ("Parent Process Name" ILIKE '%asterisk%'
    OR "Parent Process Name" ILIKE '%freepbx%'
    OR "Parent Process Name" ILIKE '%httpd%'
    OR "Parent Process Name" ILIKE '%apache2%'
    OR "Parent Process Name" ILIKE '%php%')
  AND ("Process Name" IN ('sh', 'bash', 'dash', 'ksh', 'python', 'python3', 'perl', 'nc', 'curl', 'wget', 'socat', 'mkfifo', 'base64', 'id', 'whoami')
    OR "Command" ILIKE '%/dev/tcp%'
    OR "Command" ILIKE '%bash -i%'
    OR "Command" ILIKE '%python -c%'
    OR "Command" ILIKE '%perl -e%')
LAST 24 HOURS
critical severity medium confidence

QRadar AQL query detecting suspicious processes spawned from FreePBX/Asterisk parent processes on Linux systems, indicating OS command injection.

Data Sources

Linux OS Log SourceSyslogAuditd via QRadar DSM

Required Tables

events

False Positives & Tuning

  • Legitimate administrative scripts triggered by FreePBX cron or module hooks
  • Security scanning or compliance tooling running in the asterisk user context
  • Custom AGI (Asterisk Gateway Interface) scripts that call system utilities

Other platforms for CVE-2025-64328

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1FreePBX OS Command Injection via Admin Web Interface Parameter

    Expected signal: Linux audit log entry for execve of 'id' with ppid mapping to httpd/apache2; DeviceProcessEvents showing id or sh spawned from apache2 parent process

  2. Test 2Reverse Shell Establishment via FreePBX Command Injection

    Expected signal: DeviceNetworkEvents showing outbound TCP connection from FreePBX host to ATTACKER_IP:4444 initiated by bash process with asterisk user context; auditd execve of bash with -i flag

  3. Test 3Post-Exploitation Persistence via Cron Job Implant

    Expected signal: File creation or modification event for /var/spool/cron/asterisk; auditd SYSCALL write to cron spool directory by asterisk UID

  4. Test 4Web Shell Deployment Following FreePBX Command Injection

    Expected signal: File creation event for shell.php in FreePBX web root directory with www-data initiating process; subsequent HTTP GET request to shell.php with cmd parameter; DeviceProcessEvents showing id spawned from httpd/apache2

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2025-64328 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0003Persistence

Related Techniques

T1190Exploit Public-Facing ApplicationT1059.004Unix ShellT1505.003Web ShellT1071.001Web Protocols

Same Tactic: Initial Access

Popular Detections