Thanks to collaboration with the Canadian Centre for Cyber Security, we can share more comprehensive information on FreePBX instances running webshells, with over 900 IPs still seen compromised.
Dashboard victim overview (tree map): https://dashboard.shadowserver.org/statistics/combined/tree/?date_range=1&source=compromised_iot&source=compromised_website&source=compromised_website6&tag=freepbx-compromised%2B&data_set=count&scale=log&auto_update=on
IP data in our Compromised Website report, tagged 'freepbx-compromised' - https://www.shadowserver.org/what-we-do/network-reporting/compromised-website-report/
Compromised FreePBX tracker: https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=30&source=compromised_iot&source=compromised_website&source=compromised_website6&tag=freepbx-compromised%2B&dataset=unique_ips&limit=100&group_by=geo&stacking=stacked&auto_update=on
These compromises are likely via CVE-2025-64328.
Additional background from Fortinet: https://www.fortinet.com/blog/threat-research/unveiling-the-weaponized-web-shell-encystphp