diff --git a/http/exposed-panels/freepbx-administration-panel.yaml b/http/exposed-panels/freepbx-administration-panel.yaml
index e54c91a45aa..91467a2635a 100644
--- a/http/exposed-panels/freepbx-administration-panel.yaml
+++ b/http/exposed-panels/freepbx-administration-panel.yaml
@@ -20,9 +20,9 @@ info:
 - http.favicon.hash:-1908328911
 - http.favicon.hash:1574423538
 fofa-query:
- - title="FreePBX"
- - icon_hash="-1908328911"
- - icon_hash="1574423538"
+ - title="FreePBX"
+ - icon_hash="-1908328911"
+ - icon_hash="1574423538"
 tags: freepbx,panel,sangoma

 http:
diff --git a/http/vulnerabilities/backdoor/freepbx-cleanup-backdoor.yaml b/http/vulnerabilities/backdoor/freepbx-cleanup-backdoor.yaml
new file mode 100644
index 00000000000..4475752ed42
--- /dev/null
+++ b/http/vulnerabilities/backdoor/freepbx-cleanup-backdoor.yaml
@@ -0,0 +1,43 @@
+id: freepbx-cleanup-backdoor
+
+info:
+ name: FreePBX - Backdoor
+ severity: high
+ author: darses
+ description: |
+ FreePBX backdoor cleanup script was detected.
+ metadata:
+ verified: true
+ max-request: 1
+ vendor: sangoma
+ product: freepbx
+ shodan-query:
+ - http.title:"FreePBX"
+ - http.favicon.hash:-1908328911
+ - http.favicon.hash:1574423538
+ fofa-query:
+ - title="FreePBX"
+ - icon_hash="-1908328911"
+ - icon_hash="1574423538"
+ reference:
+ - https://community.freepbx.org/t/security-advisory-please-lock-down-your-administrator-access/107203
+ tags: backdoor,sangoma,freepbx
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/.clean.sh"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - LOGS
+ - "Processing file"
+ - "sed -i --follow-symlinks"
+ - "/var/log/asterisk/freepbx_security.log"
+ condition: and
diff --git a/workflows/freepbx-workflow.yaml b/workflows/freepbx-workflow.yaml
new file mode 100644
index 00000000000..ccfb0a196fa
--- /dev/null
+++ b/workflows/freepbx-workflow.yaml
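Review bot: The `description` in `freepbx-cleanup-backdoor.yaml` does not say what a match means: the matched strings (`sed -i --follow-symlinks`, `/var/log/asterisk/freepbx_security.log`) suggest a script that edits the FreePBX security log, so a hit looks like an indicator that the host has already been compromised rather than a weakness to patch. I would expand it to something like `A web-readable /.clean.sh that rewrites FreePBX log files was found; treat the host as compromised and start incident response.` and add a `remediation` field pointing at the referenced advisory. It is also worth stating that a non-match only shows the file is not served from the web root, not that the system is clean. The word matcher relies on the default part; writing `part: body` makes that explicit.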
@@ -0,0 +1,11 @@
+id: freepbx-workflow
+
+info:
+ name: Freepbx Security Checks
+ author: darses
+ description: A simple workflow that runs all FreePBX related nuclei templates on a given target.
+
+workflows:
+ - template: http/exposed-panels/freepbx-administration-panel.yaml
+ subtemplates:
+ - tags: freepbx
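Review bot: The `subtemplates` entry under `workflows:` runs the `freepbx`-tagged templates only after `freepbx-administration-panel.yaml` matches, so the new backdoor check is skipped on any host where the panel fingerprint does not match (that template's matchers are outside this diff). The description `runs all FreePBX related nuclei templates on a given target` overstates this; I would reword it to `Runs FreePBX-tagged templates on targets where the FreePBX administration panel is detected.` and mention that the backdoor template can also be run on its own during an incident sweep. The `name` spells `Freepbx` where the rest of the change uses `FreePBX`.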