Unveiling the Weaponized Web Shell EncystPHP
ID: 574b02a1-ac23-541a-bb4d-e7bb4ba1dd7e
STIX ID: report--574b02a1-ac23-541a-bb4d-e7bb4ba1dd7e
Feed Name: Fortinet Blog
FortiGuard Labs discovered an active campaign leveraging CVE-2025-64328 in FreePBX Endpoint Manager to deliver a Base64-encoded PHP web shell named "EncystPHP." The dropper modifies file permissions, harvests credentials, deletes competing web shells, creates a root-level backdoor account (newfpbx), injects an SSH key, establishes multiple cron-based persistence mechanisms, and deploys the web shell to numerous FreePBX/Elastix paths to enable remote command execution and abuse of telephony resources; the report includes IOCs, MITRE ATT&CK mappings, and Fortinet detections/mitigations.
