IP PBX Zero-Day RCE Exploit Offered on Cybercrime Forum | Femto Security Threat Intelligence

Key Takeaways

A threat actor is selling a pre-authentication remote code execution zero-day exploit targeting IP PBX software with over 10,000 active installations.
Financially motivated threat groups like INJ3CTOR3 leverage these exploits to deploy self-healing PHP web shells like JOMANGY and conduct toll fraud.
Compromised telephony infrastructure is abused to bypass SIP trunk constraints and generate massive carrier charges via automated premium-rate calling.

Original source screenshot for IP PBX Zero-Day RCE Exploit Offered on Cybercrime Forum — Original source screenshot - forum.exploit.biz

CVE-2025-57819 Vulnerability Severity

Critical pre-authentication SQL injection and authentication bypass in FreePBX Endpoint module used for initial access.

0.0

/ 10.0 cvss

Critical

Threat Actor Profile: INJ3CTOR3

INJ3CTOR3

aka INJ3CTOR3 Group

Origin: Unknown
Motivation: Financial (Premium-rate telephony toll fraud)
Targets: Exposed IP PBX installationsSangoma FreePBXAsterisk-based VoIP frameworks
TTPs: Pre-auth RCE exploitsAutomated network scanningSelf-healing web shell installation (JOMANGY)Competing web shell evictionSystem command execution via database triggers

IP PBX Attack Lifecycle & Toll Fraud

1Initial Scanninglow
Automated discovery of exposed web management portals.
low
2Exploitationcritical
Execution of pre-authentication RCE exploit (such as CVE-2025-57819) to bypass logins.
critical
3Stager Deploymenthigh
Bash stager script (`.clean.sh`) is downloaded to establish local execution foothold.
high
4Defense Evasionmedium
Deletes 50+ rival web shells, blocks competing C2 IPs, and scrubs security access logs.
medium
5Malware Setupcritical
Installs highly obfuscated JOMANGY PHP shell and seeds 18 backdoor OS accounts.
critical
6Monetization (Toll Fraud)high
Bypasses trunk limits to place thousands of high-volume calls to premium-rate lines.
high

MITRE ATT&CK Mapping: IP PBX Exploitation

Initial Access

T1190

Exploit Public-Facing Application

Execution

T1053.003

Scheduled Task/Job: Cron

Persistence

T1505.003

Server Software Component: Web Shell

T1078

Valid Accounts

Defense Evasion

T1222

File and Directory Permissions Modification

T1070

Indicator Removal on Host

Impact

T1496

Resource Hijacking

Technical Indicators of Compromise

cve
CVE-2025-57819
Pre-auth SQL injection/auth bypass in FreePBX Endpoint module (CVSS 9.8)
cve
CVE-2025-57819
Pre-auth SQL injection/auth bypass in FreePBX Endpoint module (CVSS 9.8)
cve
CVE-2025-64328
Post-auth command injection in Endpoint Manager (CVSS 8.6)
cve
CVE-2025-64328
Post-auth command injection in Endpoint Manager (CVSS 8.6)
cve
CVE-2026-46376
Unauthenticated UCP template credential access (CVSS 9.3)
cve
CVE-2026-46376
Unauthenticated UCP template credential access (CVSS 9.3)
ip
45.234.176.202
Malicious Command & Control (C2) Server
ip
45.234.176.202
Malicious Command & Control (C2) Server
domain
crm.razatelefonia.pro
Malicious C2 Domain
domain
crm.razatelefonia.pro
Malicious C2 Domain
url
/var/www/html/.clean.sh
Malicious Bash stager script path
url
/var/www/html/.clean.sh
Malicious Bash stager script path

Incident Remediation & Containment Checklist

Progress0 / 4 (0%)

Isolate Management Portals
Immediately pull the web administrative GUI behind a secure VPN with multi-factor authentication; restrict access via firewall rules.
Deploy Fresh OS Image
Perform a complete system re-imaging from clean media. JOMANGY's six self-healing processes cannot be reliably cleaned manually.
Restore Inspected Backups
Import configurations and databases from older, manually audited, known-good historical backups.
Comprehensive Secret Rotation
Rotate all administrative portal passwords, database access credentials, and SIP trunk authentication secrets.

How to Defend Against Similar Threats

Isolate all IP PBX web management portals from the public internet immediately and restrict administrative access through secure VPN pathways.
Conduct a complete operating system rebuild from clean media if a compromise is confirmed, as manual cleanup is ineffective against JOMANGY.
Rotate all system passwords, configuration credentials, database access keys, and SIP trunk authentication secrets post-reinstallation.

Threat Intel FAQ

What makes the JOMANGY backdoor so difficult to remove from a compromised IP PBX system?

JOMANGY is highly resilient because it uses six independent, self-healing persistence mechanisms that continuously monitor and rebuild each other. These include cron-based polling, shell profile injections, immutable crontabs, a background watchdog, redundant hidden PHP files, and a self-reinstalling PHP executor. Because of this complex framework, manual deletion of individual files is ineffective, as remaining components automatically restore deleted parts. A complete operating system reinstall is the only reliable containment method.

Why do threat actors target IP PBX systems rather than standard web servers?

IP PBX systems are targeted primarily for direct financial monetization. By gaining administrative control over an organization's SIP trunks, threat groups can bypass outbound call limits and place high-volume automated calls to premium-rate international numbers they own. This telephony toll fraud can generate massive financial losses for the victim in carrier charges within a matter of hours. Additionally, these systems often serve as ideal trust pivots for moving laterally inside corporate networks.

Could a similar threat affect your organization?

If your team may be exposed to a similar threat, FemtoSec can help validate blast radius, prioritize remediation, and connect the issue to a practical security program.