Detect Sangoma FreePBX OS Command Injection (CVE-2025-64328) in Microsoft Sentinel
Detects exploitation of an OS command injection vulnerability in Sangoma FreePBX. An authenticated or unauthenticated attacker may inject arbitrary OS commands through vulnerable FreePBX web interfaces or API endpoints, leading to remote code execution on the underlying Linux host. This vulnerability is tracked as CVE-2025-64328 and is listed in CISA's Known Exploited Vulnerabilities catalog.
MITRE ATT&CK
- Tactic
- Initial Access Execution Persistence
KQL Detection Query
let FreePBXProcesses = dynamic(["asterisk", "freepbx", "amportal", "php", "httpd", "apache2", "nginx"]);
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where InitiatingProcessParentFileName has_any (FreePBXProcesses)
or InitiatingProcessFileName has_any (FreePBXProcesses)
| where FileName in~ ("sh", "bash", "dash", "ksh", "zsh", "python", "python3", "perl", "nc", "ncat", "netcat", "curl", "wget", "base64", "id", "whoami", "uname")
| where ProcessCommandLine has_any ("wget", "curl", "chmod", "bash -i", "/dev/tcp", "python -c", "perl -e", "nc -e", "mkfifo", "base64 -d", "socat", "id;", "whoami;")
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
| order by TimeGenerated descDetects shell spawning or suspicious command execution from FreePBX/Asterisk parent processes, indicative of OS command injection exploitation.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate system administration scripts run under the asterisk or freepbx service account
- Automated backup or maintenance jobs that invoke shell commands via the FreePBX cron interface
- Security scanning tools running on the PBX host that enumerate running processes
Other platforms for CVE-2025-64328
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1FreePBX OS Command Injection via Admin Web Interface Parameter
Expected signal: Linux audit log entry for execve of 'id' with ppid mapping to httpd/apache2; DeviceProcessEvents showing id or sh spawned from apache2 parent process
- Test 2Reverse Shell Establishment via FreePBX Command Injection
Expected signal: DeviceNetworkEvents showing outbound TCP connection from FreePBX host to ATTACKER_IP:4444 initiated by bash process with asterisk user context; auditd execve of bash with -i flag
- Test 3Post-Exploitation Persistence via Cron Job Implant
Expected signal: File creation or modification event for /var/spool/cron/asterisk; auditd SYSCALL write to cron spool directory by asterisk UID
- Test 4Web Shell Deployment Following FreePBX Command Injection
Expected signal: File creation event for shell.php in FreePBX web root directory with www-data initiating process; subsequent HTTP GET request to shell.php with cmd parameter; DeviceProcessEvents showing id spawned from httpd/apache2
Unlock Pro Content
Get the full detection package for CVE-2025-64328 including response playbook, investigation guide, and atomic red team tests.