It’s July - peak summer season - but it won’t stop raining where we’re located! So we’ve prepared some newsletter content for your entertainment.
In this edition, we cover:
- We have three news items from Enable Security:
  - An advisory for rtpengine
  - ClueCon attendance and presentation next week
  - RTC.ON conference, presentation and discount code
- Reverse Engineering and Cracking a 2006 BT Home Hub for VoIP!
- Discussion of the Jitsi Meet privacy feature / issue
- Short news covering Mitel, Cisco, Grandstream and WebRTC vulnerabilities
The RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.
What is RTC security anyway? Real-time communications security determines if you can safely communicate in real time - whether it be with other humans or machines.
You may sign up to receive the RTCSec newsletter here. If you like what we’re doing, you’re most welcome to:
- Forward it to those who may find this newsletter particularly fruitful.
- Let us know if there are any RTC security news items we should cover.
To view past issues, please visit our website at https://www.enablesecurity.com/newsletter/.
Our news
Rtpengine: RTP Inject and RTP Bleed vulnerabilities despite proper configuration (CVSS v4.0 Score: 9.3 / Critical)
After months in the making, we published an advisory about security fixes included in the latest rtpengine versions. If you’re using rtpengine, we recommend:
- Upgrade to version mr13.4.1.1 or later, which includes important security improvements
- Review configuration - use either “no-learning” mode or “heuristic” mode with “strict source” flag to reduce attack surface
- Enforce SRTP instead of plaintext RTP - where possible, require encrypted SRTP sessions to provide additional protection against media interception
- For SDES-SRTP deployments - implement the new “recrypt” flag for additional protection
The heuristic mode fixes have been backported to LTS versions, but please review the advisory and apply necessary configuration changes. This requires more than just upgrading to a fixed version.
Next week is ClueCon 2025!
With the tagline “for developers by developers”, ClueCon is a conference that I have wanted to attend for a good while! This will be my first time attending and I will be giving a talk too.
My presentation is called “Media Security Is Hard: The Many Ways RTP & SRTP Still Fail Us”.
Here’s the synopsis:
Think your media plane is bullet-proof? Ongoing security assessments - and real-world exploits - keep revealing how media vulnerabilities such as RTP Bleed, RTP Inject, and RTP Flood attacks still disrupt and compromise even today’s “hardened” media servers handling both RTP and SRTP traffic. This talk will be a fast-paced tour of these stubborn weaknesses (plus a few new twists) and the field-tested techniques you’ll need to detect and stop them in 2025 deployments.
I look forward to meeting some of you at the open-source conference next week. If you’re not attending, the presentations may be available via live stream.
Speaking at the RTC.ON conference in Kraków in September
If you’re a WebRTC enthusiast, there’s a conference in Poland all about audio and video and it’s called RTC.ON. I’ll be there in September, giving a presentation about TURN security issues and security best practices.
If you haven’t booked your ticket yet, there’s a 15% discount code for conference tickets that they gave to the audience of this newsletter. Use sandro15 as the code. No, it does not mean I’m 15 years old—this is not IRC. The code applies to all ticket types.
What’s happening?
From E-Waste to VoIP: Reverse Engineering and Cracking a 2006 BT Home Hub
A new YouTube video by TheUplinkPort (thanks to Dan Jenkins for the tip) demonstrates how to repurpose an old BT Home Hub for your own VoIP infrastructure. The process involves reverse engineering, VoIP configuration, Wireshark analysis, and attempting to crack SIP digest hashes using hashcat. The reverse engineering techniques aren’t advanced, but it’s an honest and realistic exploration of a fun topic.
Firefox exposes getFingerprints() method of the RTCCertificate interface
The following caught our attention from the Firefox Security and Privacy Newsletter:
WebRTC Security: The getFingerprints() method of the RTCCertificate interface is now available in Firefox 138. Applications can use this API to retrieve certificate fingerprints, which may be shared out-of-band to identify specific users or browsers across WebRTC sessions (Bug 1525241).
This is a feature, not a bug or vulnerability.
Jitsi Meet: One-Click Audio/Video Capture Vulnerability
Zimzi wrote a blog post about a Jitsi feature that bypasses the pre-join screen found on web conferencing platforms like Jitsi and Google Meet. These pre-join screens serve as security and privacy mechanisms because most users permanently grant camera and microphone permissions to popular web conferencing platforms. Without these screens, anyone visiting such websites (e.g. meet.google.com or meet.jit.si) could inadvertently transmit video and audio from their webcam and microphone. Conferencing platforms can be embedded or hidden in the background by other websites, which can be either a legitimate feature (e.g., Element/Matrix may use an embedded Jitsi Meet widget) or a privacy concern, since the hidden page can then act like a spying device.
The feature Zimzi blogged about is the prejoinConfig setting, which can be disabled by appending #config.prejoinConfig.enabled=false to any Jitsi Meet URL. Although Jitsi developers originally said this was an intentional feature rather than a security or privacy issue, they appear to have changed their mind a few days ago, posting:
Jitsi dev here. We are currently revisiting this. It exists because in cases such as when Jitsi Meet is being embedded there are pre-join pages provided externally by the “host” site. We will be limiting how this can be used going forward.
And:
You are right, we dropped the ball on this one. We’ll try and do better.
The main issue is that browsers remember camera and microphone permissions per origin, which is normally useful. Most of Jitsi’s competitors require users to go through a configuration screen and click a join button before starting a call. Jitsi does this by default too, but allowed this “feature” to bypass it.
So this is a working feature with privacy implications: it does what it was designed to do, while letting a page start capture without the confirmation step the pre-join screen normally provides.
When I checked https://meet.jit.si/ in preparation for this newsletter, this behavior had not yet changed. Keep an eye on the related GitHub issue for updates on this.
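For anyone who links to or embeds Jitsi Meet rooms and wants to make sure a meeting link cannot skip the pre-join screen, here is an added example (written for this newsletter, not Jitsi Meet’s own code) that parses the URL-fragment overrides Jitsi accepts, flags the #config.prejoinConfig.enabled=false override discussed above, and strips it while keeping any other overrides. It assumes values in the fragment decode as JSON where possible (so “false” becomes the boolean false), which approximates rather than reproduces the project’s parser; the sample links, the room name SomeRoom and the extra startWithAudioMuted override are constructed for illustration.

```javascript
// Added example, not Jitsi Meet's own code: inspect and sanitise the URL-fragment
// config overrides Jitsi Meet accepts ("#config.<path>=<value>&..."), so a site
// that links to or embeds a meeting can tell whether a link would skip the
// pre-join screen and remove that override before use.

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Parse the fragment into { "config.some.path": value, ... }.
// Assumption: values are decoded as JSON where possible (so "false" becomes the
// boolean false) and kept as raw strings otherwise. Later duplicates win.
function parseHashOverrides(urlString) {
  const url = new URL(urlString);
  const overrides = {};
  const hash = url.hash.replace(/^#/, '');
  if (!hash) return overrides;
  for (const part of hash.split('&')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;                  // no "=": not a key/value override
    const key = safeDecode(part.slice(0, eq));
    const raw = safeDecode(part.slice(eq + 1));
    let value;
    try { value = JSON.parse(raw); } catch { value = raw; }
    overrides[key] = value;
  }
  return overrides;
}

// The override the newsletter documents as disabling the pre-join screen.
const PREJOIN_KEY = 'config.prejoinConfig.enabled';

// True when following the link would drop the user straight into the call.
function prejoinDisabled(urlString) {
  const value = parseHashOverrides(urlString)[PREJOIN_KEY];
  return value === false || value === 'false';
}

// Return the link with the pre-join override removed; other overrides are kept
// and the fragment is dropped entirely if nothing else remains.
function stripPrejoinBypass(urlString) {
  const url = new URL(urlString);
  const kept = url.hash.replace(/^#/, '').split('&')
    .filter((part) => {
      const eq = part.indexOf('=');
      const key = safeDecode(eq < 0 ? part : part.slice(0, eq));
      return key !== PREJOIN_KEY;
    })
    .filter(Boolean);
  url.hash = kept.length ? '#' + kept.join('&') : '';
  return url.toString();
}

// Constructed sample links; SomeRoom is a placeholder room name.
const SAMPLE_LINKS = [
  'https://meet.jit.si/SomeRoom',
  'https://meet.jit.si/SomeRoom#config.prejoinConfig.enabled=false',
  'https://meet.jit.si/SomeRoom#config.startWithAudioMuted=true&config.prejoinConfig.enabled=false',
];

for (const link of SAMPLE_LINKS) {
  const bypass = prejoinDisabled(link);
  console.log(bypass ? 'BYPASSES pre-join:' : 'keeps pre-join:   ', link);
  if (bypass) console.log('  sanitised ->', stripPrejoinBypass(link));
}
```

A site that renders user-supplied meeting links, or loads Jitsi Meet in an iframe, can run stripPrejoinBypass on the URL before using it. This only removes the one override documented above; it does not change what meet.jit.si itself accepts, which is the part the Jitsi developers say they are revisiting.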
Security Updates and Vulnerability News Round-Up
MX-ONE Authentication Bypass Vulnerability
A critical vulnerability has been discovered in Mitel’s MX-ONE system that could allow attackers to bypass authentication and gain unauthorized access to user or administrative accounts. This poses a serious risk to affected systems.
MiCollab SQL injection Vulnerability
A high severity SQL injection vulnerability has been identified in Mitel’s MiCollab platform. While exploitation requires authentication, an authenticated attacker could still use the flaw to compromise the database and system integrity.
Use after free in WebRTC in Google Chrome allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2025-7657 is a still-private vulnerability related to a “use after free” issue in WebRTC within Google Chrome. The flaw could enable remote attackers to exploit heap corruption by leveraging a specially crafted HTML page, potentially resulting in arbitrary code execution or browser crashes.
Cisco Unified Communications Manager Static SSH Credentials Vulnerability
Cisco disclosed a critical vulnerability (CVSS score of 10) affecting specific Engineering Special (ES) releases of Cisco Unified Communications Manager and Unified CM SME, versions 15.0.1.13010-1 through 15.0.1.13017-1. The flaw involved a static administrative SSH account—essentially a backdoor—which could allow attackers to gain unauthorized access. While extremely serious for affected systems, the scope is limited, as these ES releases are typically provided only to customers engaged in TAC cases requiring early hotfixes or back-ports. Despite significant media coverage, the real-world exposure appears to be relatively narrow.
Grandstream UCM6510 weak lockout
A vulnerability has been identified in the web interface of the Grandstream UCM6510 IP PBX, affecting devices running firmware version 1.0.20.52 or earlier. The issue involves a weak account lockout mechanism, potentially allowing brute-force attacks against user credentials. Administrators are advised to update their firmware to mitigate the risk.
Incorrect Access Control on Grandstream GXP1628
The Grandstream GXP1628 VoIP phone is vulnerable to an incorrect access control issue in firmware versions 1.0.4.130 and below. This vulnerability allows unauthorized directory listing, representing a classic example of poor access control in embedded device firmware.
Cisco Unified Intelligence Center Arbitrary File Upload Vulnerability
A vulnerability in Cisco Unified Intelligence Center allows an authenticated attacker to upload arbitrary files, potentially leading to remote code execution. This flaw affects multiple Cisco VoIP solutions, including Unified Contact Center Enterprise and Unified Contact Center Express (Unified CCX), which bundle the Intelligence Center as part of their software. Successful exploitation requires authentication but can yield significant security impact.
Poly Clariti Manager - Multiple Security Vulnerabilities
Poly Clariti Manager, a platform for IT administrators to centrally manage Poly communication devices, was found to contain multiple security vulnerabilities after a security assessment by the NATO Cyber Security Center. A total of 10 CVEs were issued, with the most severe being an SQL injection flaw that requires authentication to exploit. While the issues are notable, the impact is somewhat mitigated by the requirement for authenticated access.
Thanks to Vulners and other third parties for providing vulnerability source material.
This newsletter was prepared by Sandro Gauci and the Enable Security team for RTCSec newsletter subscribers. If you have someone in mind who would benefit from our content, please share.
To subscribe: here