Skip to main content
RTC Security Newsletter

Curated VoIP and WebRTC security news, research and updates by Enable Security.

Subscribe

November 2025: VoIP and WebRTC vulnerability roundup

Published on Nov 28, 2025

Welcome to the November edition of the RTCSec newsletter. It’s a quieter month, with less VoIP and WebRTC news than usual.

In this edition:

  • Security fixes from Cisco, FreePBX, Firefox, Jitsi, and PJSIP
  • Unpatched vulnerabilities in an end-of-life AudioCodes FAX/IVR product
  • Microsoft Teams impersonation and spoofing vulnerabilities
  • Remote acoustic sensing research (the spooky, secret-service kind)
  • And a few more items

The RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.

What is RTC security anyway? Real-time communications security determines if you can safely communicate in real time - whether it be with other humans or machines.

You may sign up to receive the RTCSec newsletter here. If you like what we’re doing, you’re most welcome to:

  • Forward it to those who may find this newsletter particularly fruitful.
  • Let us know if there are any RTC security news items we should cover.

To view past issues, please visit our website at https://www.enablesecurity.com/newsletter/.

Security Updates and Vulnerability News Round-Up

Cisco Unified CCX Critical RCE Vulnerabilities (CVE-2025-20354, CVE-2025-20358)

Two critical vulnerabilities in Cisco Unified Contact Center Express (UCCX) allow unauthenticated attackers to execute remote code. CVE-2025-20354 (CVSS 9.8) affects the Java RMI process and allows unauthenticated attackers to execute root-level commands and gain unauthorized system access. CVE-2025-20358 (CVSS 9.4) affects the CCX Editor and stems from missing authentication for critical functions in the protocol between the Cisco Unified CCX Editor and server, allowing attackers to bypass authentication, gain administrative script creation/execution permissions, and execute arbitrary scripts as an internal non-root user. Organizations using Cisco Unified CCX should immediately apply security patches as no workarounds are available.

Original content here.

FreePBX Endpoint Manager Command Injection Vulnerability (CVE-2025-64328)

A post-authentication command injection vulnerability was discovered in FreePBX Endpoint Manager versions 17.0.2.36 and above (before 17.0.3), allowing authenticated attackers to gain remote system access as the asterisk user through the check_ssh_connect() function. Users should immediately upgrade to version 17.0.3 to mitigate this security risk.

Original content here.

Sniffing Location Privacy of Video Conference Users Using Free Audio Channels

Researchers from Southern Methodist University demonstrated a location privacy attack against video conferencing apps like Zoom and Teams. The technique uses “remote acoustic sensing” where attackers inject brief covert sounds and analyze the echoes to identify a user’s physical location (home, office, vehicle, hotel) with 88% accuracy. This works even with cameras off or virtual backgrounds enabled. Two attack types were identified: in-channel echo attacks that bypass echo cancellation, and off-channel echo attacks that exploit notification sounds.

Users remain vulnerable even when unmuting their microphones for short periods. Spooky NSA-level stuff, magic with microphones.

Original content here. | Paper

Firefox WebRTC Use-After-Free Vulnerability (CVE-2025-13020)

A use-after-free vulnerability (CVE-2025-13020) in Firefox’s WebRTC Audio/Video component was reported by Andreas Pehrson. Rated moderate severity with potential for arbitrary code execution. Affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5. Bug report is still private.

Original content here.

Jitsi Meet OAuth Authentication Hijacking Vulnerability (CVE-2025-64754)

Jitsi Meet has an OAuth authentication hijacking vulnerability (CVE-2025-64754) affecting Microsoft account logins. The flaw exploits DOM redirect mechanisms on the Microsoft OAuth flow. Affects versions prior to 2.0.10532, fixed in 2.0.10532. No workarounds available.

Rated moderate severity, though if it truly allows intercepting authentication credentials, that seems generous.

Original content here.

PJSIP Opus Codec Buffer Overflow Vulnerability (CVE-2025-65102)

PJSIP has a buffer overflow in its Opus codec implementation (CVE-2025-65102). The issue occurs because “Opus PLC may zero-fill the input frame as long as the decoder ptime, while the input frame length, which is based on stream ptime, may be less than that.” Results in application crashes. Affects PJSIP 2.15.1 and earlier, patched in PJSIP 2.16.

Original content here.

Fantasy Hub: Russian Android RAT Uses WebRTC for Surveillance

Zimperium documented Fantasy Hub, an Android RAT distributed as Malware-as-a-Service through Russian-language channels. The malware uses WebRTC for live audio/video streaming surveillance of compromised devices. It also steals SMS, contacts, and call logs, intercepts notifications, and deploys fake banking overlays. The developer provides documentation, instructional videos, and a Telegram bot for subscription management.

Original content here.

AudioCodes Fax/IVR Appliance: Eight Critical Vulnerabilities Disclosed

Pierre Kim disclosed eight vulnerabilities (CVE-2025-34328 through CVE-2025-34335) affecting all versions of AudioCodes Fax/IVR Appliance. Four are pre-authentication: unauthenticated RCE via ajaxScript.php and ajaxBackupUploadFile.php leading to NT AUTHORITY\SYSTEM shells, plus unauthenticated file upload and file read exposing password hashes. Four more require local access or authentication: insecure service scripts, world-writable webroot, and command injection in TestFax.php and ActivateLicense.php.

The product reached End-of-Service on December 31, 2024. It seems that AudioCodes’ response is along the lines of “Do not use AudioCodes Fax/IVR Appliance” and “Do not expose to network.” No official patches coming.

Original content here. | Advisory

Microsoft Teams Impersonation and Spoofing Vulnerabilities

Check Point Research (Andrey Charikov and Oded Vanunu) disclosed four vulnerabilities in Microsoft Teams. Here’s what their blog post states:

Our research revealed several vulnerabilities within Microsoft Teams that could be exploited to manipulate message content and sender identity, alter notification appearances. Most critically, we discovered that both external guest users and internal malicious actors can effectively transform their identity to appear as trusted personnel, including C-level executives, fundamentally breaking the trust boundaries that organizations rely on for secure communication.

They were able to:

  • Edit messages without trace
  • Manipulate message notifications
  • Alter display names via conversation topics in private chats
  • Forge caller identity in video and audio calls

This last one is the most interesting one for us: they discovered that the display name used in call notifications (and later on during call itself) could be arbitrarily modified through specific manipulations of call initiation requests. This flaw allows an attacker to forge the caller identity, presenting any chosen name to the call recipient.

We often find similar caller ID spoofing vulnerabilities in our work across VoIP and WebRTC platforms.

Original content here. | Microsoft Advisory

Thanks to Vulners and other third parties for providing vulnerability source material.

This newsletter was prepared by Sandro Gauci and the Enable Security team for RTCSec newsletter subscribers. If you have someone in mind who would benefit from our content, please share.

To subscribe: here

Subscribe to Updates

Stay updated with our latest security insights and updates.

We hate spam and are committed to protecting and respecting your privacy. You can unsubscribe from our communications at any time. By subscribing, you are agreeing to the Privacy Policy.