We have published a critical security advisory for rtpengine, a widely-used RTP and media proxy component in telecommunications/real-time communications infrastructure. The vulnerability, tracked as CVE-2025-53399 with a CVSS score of 9.3 (Critical), affects rtpengine versions mr13.3.1.4 and lower.
The Vulnerability
Our advisory details two related vulnerabilities that allow attackers to manipulate RTP (Real-time Transport Protocol) streams in active communications:
- RTP Inject: Enables attackers to inject arbitrary RTP packets into ongoing calls
- RTP Bleed: Allows redirection of media streams to attacker-controlled endpoints
What makes these vulnerabilities particularly concerning is that they can be exploited without man-in-the-middle positioning, which significantly lowers the attack complexity.
Impact and Scope
The vulnerabilities affect multiple endpoint learning modes and impact both:
- Plaintext RTP communications
- Encrypted SRTP sessions (both SDES and DTLS variants)
Successful exploitation can lead to:
- Media confidentiality breaches - attackers can intercept sensitive audio/video communications
- Media integrity violations - malicious content can be injected into active calls
- Denial of Service - RTP packets can be redirected away from legitimate participants
Mitigation Strategies
It’s important to understand that while complete elimination of these vulnerabilities may not always be achievable due to the inherent nature of RTP learning mechanisms in NAT traversal scenarios, the fixes provide significant improvements in security posture. Organizations using rtpengine can implement the following mitigation strategies:
- Upgrade to version mr13.4.1.1 or later, which includes important security improvements
- Review configuration - use either “no-learning” mode or “heuristic” mode with the “strict source” flag to reduce attack surface
- Enforce SRTP instead of plaintext RTP - where possible, require encrypted SRTP sessions to provide additional protection against media interception
- For SDES-SRTP deployments - implement the new “recrypt” flag for additional protection
These mitigations significantly reduce the risk while working within the constraints of SIP, RTP, and NAT/internet infrastructure.
Full Technical Details
This blog post provides a high-level overview of the vulnerabilities. For complete technical details, proof-of-concept information, and comprehensive mitigation strategies, please refer to our full advisory:
ES2025-01: Rtpengine RTP Inject and RTP Bleed Vulnerabilities
Acknowledgments
We would like to thank Richard Fuchs, rtpengine’s core developer, for his collaborative approach and dedication in working on these security fixes. His commitment to improving rtpengine’s security posture ensures that the telecommunications community benefits from these important mitigations.
Organizations relying on rtpengine for their real-time communications infrastructure should prioritize implementing these mitigation strategies to protect the confidentiality and integrity of their communications while understanding the inherent challenges of RTP learning in NAT environments.