Attackers Target FreePBX Systems in Netherlands with EncystPHP Webshell

AI-generated from multiple sources. Verify before acting on this reporting.

AMSTERDAM — Cyber attackers are actively scanning for and deploying the EncystPHP webshell on vulnerable FreePBX systems across the Netherlands, security researchers confirmed on Sunday.

The campaign, detected on April 13, 2026, involves automated tools probing network infrastructure for unpatched versions of the open-source IP telephony platform. Once a vulnerability is identified, the attackers install the EncystPHP backdoor, granting them unauthorized remote access to the compromised servers. The webshell allows for command execution, file manipulation, and potential lateral movement within the affected networks.

FreePBX, a widely used interface for managing Asterisk-based PBX systems, has been a frequent target for exploitation due to its prevalence in small to medium-sized businesses and government entities. The EncystPHP webshell is a known malicious tool designed to maintain persistence on compromised systems, often serving as a foothold for further attacks or data exfiltration.

Security experts have noted a surge in scanning activity originating from various IP addresses, with a significant concentration of attempts directed at Dutch infrastructure. The attacks appear to be opportunistic, targeting systems that have not applied recent security patches. FreePBX developers have previously released updates addressing critical vulnerabilities, but many organizations remain exposed due to delayed patching cycles.

The Netherlands has become a focal point for this specific campaign, though the geographic scope of the scanning activity suggests a broader intent. Authorities have not yet confirmed the identity of the threat actors behind the operation. The sophistication of the scanning mechanisms indicates a coordinated effort, potentially linked to organized cybercrime groups seeking to monetize compromised systems.

Victims of the attack may experience unauthorized access to their telephony systems, leading to potential service disruptions, interception of communications, or the use of compromised infrastructure for launching further attacks. Organizations are urged to verify the integrity of their FreePBX installations and ensure all systems are updated to the latest versions.

As of Sunday afternoon, no major service outages have been reported, but the potential impact remains significant. The EncystPHP webshell is known to be difficult to detect without specialized monitoring tools, raising concerns about the number of systems that may already be compromised.

Investigations are ongoing to determine the full extent of the campaign and identify the actors responsible. Security firms are working with affected organizations to remediate the vulnerabilities and remove the malicious webshells. The incident highlights the ongoing risks posed by unpatched software and the need for robust network monitoring.

Questions remain regarding the ultimate objectives of the attackers and whether the compromised systems are being used for additional malicious activities. As the situation develops, further details on the scope and impact of the campaign are expected to emerge.