The EncystPHP webshell is a PHP-based backdoor favored by attackers targeting vulnerable FreePBX systems. It uses a parameter named "md5" in HTTP GET requests to authenticate access, where the parameter value must match a hard-coded secret string in the webshell code. Attackers scan for this webshell by sending requests to specific FreePBX module URLs. Upon successful exploitation, the webshell installs multiple backdoor user accounts with predefined password hashes, enabling persistent unauthorized access. The threat actor IP address identified is from the Netherlands and is also associated with other FreePBX exploit attempts. This webshell was previously documented by Fortinet in January 2026 and continues to be actively scanned for in April 2026.

Successful exploitation of the EncystPHP webshell on vulnerable FreePBX systems allows attackers to execute arbitrary commands and establish persistent backdoor user accounts. This compromises system integrity and confidentiality by enabling unauthorized remote access and control. The presence of multiple backdoor accounts increases the risk of long-term undetected compromise. There are no confirmed reports of widespread exploitation in the wild beyond scanning activity as of the latest report.

No official patch or vendor advisory is provided in the source data. Users of FreePBX should proactively check for the presence of the listed backdoor accounts with the specified password hashes and remove any unauthorized accounts. Additionally, securing FreePBX systems by applying all relevant security updates, disabling unused modules, and restricting access to administrative interfaces is recommended. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.