Welcome to the December 2025 edition of the RTCSec newsletter! This edition is out a bit early so we can take a well-deserved break over the holidays.
In this edition, we cover:
- The best and worst of 2025 in RTC security: from unfixable hardware disasters to solid standards progress
- SIPGO denial-of-service vulnerability we reported (now fixed)
- More FreePBX vulnerabilities: authentication bypass and SQL injection
- Tin Can VoIP device analysis: security questions parents should ask
- Plus security updates for Fanvil, WebRTC, Firefox, and Mitel
The RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.
What is RTC security anyway? Real-time communications security determines if you can safely communicate in real time - whether it be with other humans or machines.
You may sign up to receive the RTCSec newsletter here. If you like what we’re doing, you’re most welcome to:
- Forward it to those who may find this newsletter particularly fruitful.
- Let us know if there are any RTC security news items we should cover.
To view past issues, please visit our website at https://www.enablesecurity.com/newsletter/.
Our news
So long and see you in 2026
Thank you for reading RTCSec throughout 2025. Creating this newsletter each month keeps us learning and thinking deeply about what’s happening in VoIP and WebRTC security - and your feedback tells us you find it valuable too.
It’s been a great year for Enable Security, and we’re grateful to our clients for trusting us with their systems. We’ll be back with more in 2026.
Wishing you rest and renewal this holiday season!
Sandro Gauci
Security fix in SIPGO addresses denial-of-service vulnerability reported by Enable Security
SIPGO is a library for building fast SIP services in Go. Version 1.0.0 was released last week, and with it we’re publishing our advisory for a denial-of-service vulnerability we reported earlier this year (fixed in v1.0.0-alpha-1). This library is used by some notable names in AI, including OpenAI for their realtime SIP interface.
We’ll publish a detailed write-up soon; there’s more to the story than the straightforward fix suggests. In the meantime, see our advisory for full technical details.
Thanks to Emir Aganovic, lead developer of SIPGO, for handling our report and fixing it quickly!
How did we contribute to RTC security in 2025?
As we look back at the past 12 months, it’s been quite a year for us at Enable Security. Much of our work remains behind the scenes, bound by confidentiality agreements, but there’s still plenty we can share.
Our work is grounded in security research specific to VoIP and WebRTC: often focusing on protocol-level issues and the security gaps that emerge between protocols. This year, we tackled RTP Bleed and RTP Inject vulnerabilities in the open-source ecosystem, leading to important security fixes in rtpengine, a popular media server used in Kamailio and OpenSIPS deployments and sometimes in WebRTC environments. These vulnerabilities affect more than just rtpengine. We gave a presentation at ClueCon (video) and joined an OpenSIPIt live meeting (stream) to discuss advanced mitigation strategies with open-source developers, including evaluating proposals like using the SSRC Attribute from RFC 5576.
On the standardization front, OWASP ASVS v5 (Application Security Verification Standard) was released, including a chapter we contributed on WebRTC security. This chapter defines security requirements for assessing TURN servers, media servers, and signaling servers. Our presentation from OWASP Global AppSec is also now available (video): “Web Security Experts: Are you overlooking WebRTC vulnerabilities?” (answer: yes 🙂)
RFC 9725, the WHIP protocol specification, was published and incorporated our suggested mitigations against resource exhaustion, flooding attacks, and insecure direct object references (IDOR).
At Kamailio World and OpenSIPS Summit, we presented on SIP server configuration vulnerabilities we frequently encounter and explored approaches for automatically detecting these issues.
Finally, we kept publishing this newsletter every month, which we hope you find as valuable as we do. Thanks for reading, and please share with your friends and colleagues!
The best and worst of 2025 in RTC security
The year 2025 in RTC security saw a split between unfixable hardware disasters and solid progress in open-source security standards.
The worst trends of 2025
Unfixable architectural disasters
Yealink global private key leak:
- Yealink shipped every VoIP phone with a copy of the CA’s private key
- This turned every phone into a CA that could impersonate any Yealink device
- Attackers could potentially access SIP credentials of all users on all telephony servers worldwide
- The flaw is impossible to fix via software update due to the architectural design
AudioCodes EOL vulnerabilities:
- Critical unauthenticated RCE flaws disclosed in AudioCodes Fax/IVR Appliance (EOL product)
- Vendor response: don’t use the device or expose it to the network
- No official patches released
Mass data exposure and remote spying
Verizon CDR leak:
- Verizon Call Filter iOS app exposed call history logs of millions of Americans
- Vulnerable API performed zero access control validation
- Anyone could retrieve call history by inputting a phone number
Cisco unauthenticated packet capture:
- Critical vulnerabilities in widely deployed Cisco VoIP phones
- Unauthenticated remote attackers could download network traffic captures (tcpdump) via built-in API endpoints
- Enabled interception of VoIP conversations and data from computers connected through the phone
Satellite communication leaks:
- GEO satellites leak massive amounts of unencrypted data
- Exposed T-Mobile and AT&T users’ plaintext SMS and voice call contents
- U.S. military SIP traffic leaked ship names
Nation-state intrusions and active exploitation
Ribbon Communications breach:
- Nation-state breach went undetected for nine months (December 2024 to September 2025)
- Ribbon supplies infrastructure to AT&T, Verizon, and the U.S. Department of Defense
FreePBX 0day exploitation:
- Zero-day in FreePBX Endpoint Manager (EPM) module (CVE-2025-57819)
- Actively exploited in the wild
- Led to RCE and backdoor installation
VoIP botnets:
- Mitel SIP phones infected by Aquabotv3 malware exploiting CVE-2024-41710
- Gained root access and executed Mirai malware
Covert surveillance and fraud
“Ghost Calls” C2 evasion:
- Praetorian research showed how to abuse Zoom and Microsoft Teams TURN servers
- Attackers can establish covert, high-bandwidth C2 channels using legitimate TURN protocol
- Traffic evades security controls
Remote acoustic sensing:
- Location privacy attack against Zoom and Teams
- Inject covert sounds and analyze echoes to identify user’s physical location (home, office, vehicle)
- 88% accuracy even with cameras off
Voice-AI callback fraud:
- Voice-AI applications created new attack surface for toll fraud (IRSF/AIT)
- Public online callback forms abused to call premium-rate numbers
- Recommendation: “Treat PSTN like payments”
The best trends of 2025
Standardization and formalized assessment
OWASP ASVS v5 release:
- OWASP Application Security Verification Standard 5.0 published
- Includes dedicated WebRTC security chapter (V17)
- Formalizes security requirements for TURN, Signaling, and Media servers
WHIP standardization:
- WebRTC-HTTP Ingestion Protocol published as RFC 9725
- Built-in protections against resource exhaustion, flooding attacks, and IDOR
SRTP metadata encryption (Cryptex):
- RFC 9335 (Cryptex) support merged into libsrtp
- Encrypts RTP Header Extensions, addressing a major SRTP criticism
RCS end-to-end encryption:
- E2EE officially added to Rich Communication Services standard
Modernization and alternative authentication
Modernized SIP authentication:
- Asterisk added support for RFC 8760
- Replaces outdated MD5 with SHA-256 and SHA-512/256
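To make the RFC 8760 change concrete, here is an added example (written for this note, not code from Asterisk, SIPGO or any other project) of a SIP REGISTER digest exchange in which the server offers a SHA-256 challenge ahead of an MD5 one, the client answers the strongest algorithm it implements, and the server recomputes and compares the response. The realm, nonce, extension and password are constructed sample values; SHA-512/256 is omitted only because not every Python build exposes it in hashlib.

```python
"""SIP Digest authentication with the RFC 8760 algorithms.

Added example, not code from SIPGO, Asterisk or the newsletter. Under
RFC 8760 a server may send one WWW-Authenticate challenge per algorithm,
strongest first; a client answers the first one it supports. The realm,
nonce, extension and password below are constructed sample values.
"""
import hashlib
import hmac
import secrets

# RFC 8760 algorithm tokens this example handles. "SHA-512-256" works the
# same way where hashlib exposes sha512_256; it is left out so the example
# runs on any Python build.
ALGORITHMS = {"SHA-256": hashlib.sha256, "MD5": hashlib.md5}
# Server offers the strongest first, keeping MD5 only for legacy phones.
SERVER_PREFERENCE = ["SHA-256", "MD5"]


def _h(algorithm: str, data: str) -> str:
    return ALGORITHMS[algorithm](data.encode("utf-8")).hexdigest()


def digest_response(algorithm, username, realm, password, method, uri,
                    nonce, nc, cnonce, qop="auth"):
    """RFC 7616/8760 response for qop=auth: H(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _h(algorithm, f"{username}:{realm}:{password}")
    ha2 = _h(algorithm, f"{method}:{uri}")
    return _h(algorithm, f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_digest(header):
    """Split 'Digest k=v, k="v"' into a dict; enough for the constructed headers."""
    params = {}
    for part in header.removeprefix("Digest ").split(","):
        key, _, value = part.strip().partition("=")
        params[key] = value.strip('"')
    return params


def build_challenges(realm, nonce):
    """Server side: one WWW-Authenticate value per algorithm, strongest first."""
    return [f'Digest realm="{realm}", nonce="{nonce}", algorithm={alg}, qop="auth"'
            for alg in SERVER_PREFERENCE]


def choose_challenge(challenges, supported):
    """Client side: take the first challenge whose algorithm we implement."""
    for header in challenges:
        params = parse_digest(header)
        if params.get("algorithm", "MD5") in supported:
            return params
    raise ValueError("no mutually supported digest algorithm")


def client_authorization(challenge, username, password, method, uri,
                         cnonce=None, nc="00000001"):
    """Client side: answer the chosen challenge with an Authorization value."""
    cnonce = cnonce or secrets.token_hex(8)
    alg = challenge.get("algorithm", "MD5")
    response = digest_response(alg, username, challenge["realm"], password,
                               method, uri, challenge["nonce"], nc, cnonce)
    return (f'Digest username="{username}", realm="{challenge["realm"]}", '
            f'nonce="{challenge["nonce"]}", uri="{uri}", algorithm={alg}, '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')


def server_verify(authorization, method, credentials, expected_nonce):
    """Server side: recompute the response and compare in constant time.

    Practical cost of RFC 8760: a server that stores only the MD5 HA1 cannot
    verify a SHA-256 response, so it needs the password or one HA1 per
    offered algorithm.
    """
    p = parse_digest(authorization)
    alg = p.get("algorithm", "MD5")
    if alg not in ALGORITHMS or p.get("nonce") != expected_nonce or p.get("qop") != "auth":
        return False
    password = credentials.get(p.get("username"))
    if password is None:
        return False
    expected = digest_response(alg, p["username"], p["realm"], password, method,
                               p["uri"], p["nonce"], p["nc"], p["cnonce"])
    return hmac.compare_digest(expected, p["response"])


def demo(client_supported=("SHA-256", "MD5"), password="s3cret-sample-pw"):
    """Run one REGISTER challenge/response; returns (algorithm used, accepted)."""
    realm, nonce = "sip.example.test", "3f1a9c0b5e7d2f84"   # constructed
    credentials = {"1001": "s3cret-sample-pw"}              # constructed store
    chosen = choose_challenge(build_challenges(realm, nonce), set(client_supported))
    auth = client_authorization(chosen, "1001", password, "REGISTER",
                                f"sip:{realm}", cnonce="0a1b2c3d")
    return chosen["algorithm"], server_verify(auth, "REGISTER", credentials, nonce)


if __name__ == "__main__":
    print(demo())            # ('SHA-256', True)
    print(demo(("MD5",)))    # ('MD5', True)
```

The response is bound to the method, URI and nonce, so a server that tracks nonces per challenge rejects replays and a response computed for REGISTER is useless for INVITE. Note the operational caveat in `server_verify`: deployments that only keep MD5 HA1 values cannot verify SHA-256 responses, which is why enabling RFC 8760 on a registrar usually means re-provisioning credentials.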
Bottom line: Modern protocols like WebRTC are getting hardened by standards bodies, but legacy hardware and poor vendor practices keep introducing massive security risks. The volume of high severity vulnerabilities in 2025 shows attackers are succeeding by targeting the weakest link: legacy code, configuration, hardware, or trust bootstrapping.
What’s happening?
Tin Can VoIP: unexamined child communication device security risks
Scott Murray posted on Mastodon about Tin Can, a VoIP-based device disguised as a retro landline telephone and marketed for children. Calls between Tin Can users, dialed with 5-digit numbers, are free; PSTN connectivity to US and Canada numbers requires a $10/month subscription.
Murray raised several security questions: Is the backend encrypted? Is it peer-to-peer like WebRTC? Can someone intercept children’s calls? What data retention policies are in place?
We ran OSINT on Tin Can’s infrastructure:
- They mention Kamailio, Asterisk, FreeSWITCH in their old job posts
- They use Twilio phone numbers (at least for E911 / PSTN identity)
- Their backend API is on AWS
- A quick Censys search shows their SIP servers run Kamailio 5.8.6 listening on UDP and TLS on AWS
The device may look like an 80s landline phone, but it’s a pretty standard VoIP system with all the associated security considerations. The key questions Murray raised about encryption, data retention, and call interception are valid questions that parents should ask before giving children access to any internet-connected communication device.
More FreePBX vulnerabilities fixed: Auth bypass and SQLi
FreePBX published advisories for a series of high severity vulnerabilities involving authentication bypass and SQL injection, following responsible disclosure by security researchers.
Context on recent disclosures: The Horizon3.ai “Rabbit Hole” research (published December 11, 2025) details the new authentication bypass (CVE-2025-66039) alongside multiple SQL injection and file upload vulnerabilities (CVE-2025-61675, CVE-2025-61678). While detailed in the same report, Sangoma patched those SQLi and file upload issues in October 2025. This note focuses on the advisories published by the vendor in December.
Key vulnerabilities
Authentication bypass (CVE-2025-66039)
- Noah King from Horizon3 discovered an authentication bypass in the endpoint module that allows unauthenticated attackers to bypass login mechanisms if the authentication type is set to webserver (default is usermanager).
- Sangoma patched this in endpoint versions 16.0.44 and 17.0.23.
SQL injection in TTS module (CVE-2025-67736)
- M. Cory Billington found an authenticated SQL injection vulnerability in the text-to-speech (tts) module.
- Attackers with admin access can inject arbitrary SQL queries.
- Fixed in tts versions 16.0.5 and 17.0.5.
Local privilege escalation (CVE-2025-67722)
- ThatTotallyRealMyth discovered an LPE issue in the deprecated amportal startup utility.
- It allows authenticated local users to escalate privileges.
- Fixed in framework versions 16.0.45 and 17.0.24.
SQL injection in Phone Apps REST API (GHSA-q3h9-fmpr-vpfw)
- s0nnyWT identified an authenticated SQL injection vulnerability in the restapps module.
- Fixed in restapps versions 16.0.41 and 17.0.6.
Weak default password in Endpoint module (GHSA-426v-c5p7-cp29)
- A weak default password allows unauthenticated access to the Endpoint Module REST API.
- Fixed in endpoint versions 16.0.96 and 17.0.10.
Impact: These vulnerabilities affect multiple modules (TTS, Phone Apps, Endpoint Manager) and core components. The authentication bypass is critical but relies on a non-default configuration (webserver auth type).
It’s great to see FreePBX getting some love.
VoIP security talk: Vulnerabilities and hardening strategies
Davide Rasòli presented on VoIP vulnerabilities and hardening strategies at HackInBo Classic Edition Winter 2025. The presentation (in Italian) covers a wide breadth of topics:
- VOIP Security: Vulnerabilities and Hardening
  - The talk details the shift from circuit switching to packet switching for phone calls, voice data transmission, and resulting vulnerabilities.
  - It covers five areas: telephony vs security conflicts, VoIP risks, hardening, carrier trust issues, and caller ID spoofing.
- Historical Context: Telephony and Security
  - Analog telephony relied on electrical circuit connections via copper pairs.
  - Voice travelled as electrical waves, making physical interception (eavesdropping/recording) relatively easy for anyone with physical access.
- VoIP and IP Networks
  - Telephone service now operates as an application on IP data networks (Internet, MPLS, private networks).
  - VoIP uses SIP for signaling and SDP for defining communication channel characteristics.
  - Voice media travels using RTP (Real-time Transport Protocol).
- Key VoIP Vulnerabilities (SIP/RTP)
  - Clients often send basic SIP registration in clear text (UDP) and may lack authentication.
  - Lack of authentication allows attackers to unregister phones and redirect calls.
  - SIP authentication relies on MD5, a weak hashing algorithm vulnerable to brute-force attacks.
  - Provisioning configuration files often contain sensitive info (SIP username/password, admin passwords) and are easily intercepted if sent over insecure channels.
  - Organizations must protect ancillary services like user portals, administrative portals, and voicemail.
  - Inadequate permissions allow fraud, such as unauthorized calls to satellite or high-cost international numbers.
- VoIP Hardening and Mitigation
  - Run SIP signaling over TLS (Transport Layer Security).
  - Secure voice transmission (RTP) using SRTP (Secure Real-time Transport Protocol).
  - SRTP can use SDES for key exchange or DTLS (TLS over UDP) for low latency.
- External Security and Carrier Reliance
  - Security is shared; users control internal networks, while carriers handle external identity protection.
  - Caller ID spoofing is a major issue, often facilitated by international carriers with lax controls, leading to nuisance calls.
  - STIR/SHAKEN protocols provide a technical solution by allowing carriers to digitally sign calls.
  - STIR/SHAKEN uses three attestation levels (A, B, or C) to indicate carrier confidence in the source number.
- Conclusion
  - Organizations must protect their internal networks even as carriers implement wider security protocols.
  - Future telephone networks may place full number protection responsibility on the customer, similar to email servers.
It’s a great introduction for security professionals, especially those who understand Italian! Watch the presentation on YouTube.
Security Updates and Vulnerability News Round-Up
Multiple Critical Vulnerabilities in Fanvil X210 V2 VoIP Phone
Spike Reply Cybersecurity Team disclosed six vulnerabilities affecting Fanvil X210 V2 VoIP Phone firmware version V2.12.20. The most severe findings include a directory traversal vulnerability (CVE-2025-64057) allowing arbitrary file writes, which researchers demonstrated could lead to unauthenticated RCE. Additionally, an authentication bypass (CVE-2025-64055) was discovered because the HTTPD only enforces authentication on /html while leaving /cgi-bin unprotected.
Other findings include unauthenticated command injections (CVE-2025-64052), a buffer overflow (CVE-2025-64053), reflected XSS (CVE-2025-64054), and an arbitrary file write vulnerability (CVE-2025-64056) running as root. Update to firmware version 2.12.22.2.
WebRTC SDP Direction Validation Improvement
An improvement in WebRTC’s SDP direction validation was assigned CVE-2025-13639 and described as an “inappropriate implementation” allowing arbitrary read/write in Google Chrome prior to 143.0.7499.41. Philipp Hancke, who contributed the fix, clarified that the description is incorrect and the change is simply a hardening of SDP direction validation in remote description parsing, not an arbitrary read/write vulnerability.
This hardening likely addresses potential state machine vulnerabilities similar to those identified by Natalie Silvanovich in WebRTC implementations.
Firefox WebRTC Security Updates
Mozilla fixed a use-after-free vulnerability (CVE-2025-14321) in the WebRTC Signaling component, reported by Igor Morgenstern. No further details are currently public.
Mitel Product Security Advisory MISA-2025-0010
Mitel released an advisory for a high severity stored XSS vulnerability in the Ignite Mail component of MiContact Center Business and Mitel CX. The flaw allows unauthenticated attackers to execute arbitrary scripts but requires user interaction. This affects deployments with multimedia licenses using email in Web Ignite, Desktop Ignite, or Contact Center Client. Upgrade to MiContact Center Business 10.2 FP 11 or MCX 2.0, or apply the available hotfixes.
VoIP PBX: Essential Firewall Ports for Secure Remote Phone Access
A Reddit discussion about securing a Grandstream UCM6108 PBX (previously sitting in a DMZ with no restrictions) produced the usual range of recommendations: some suggest site-to-site VPN, others advocate for SIP-TLS and SRTP, while others specify which ports to open (5060/5061 for SIP, 10000-20000 for RTP).
The variety of responses highlights a fundamental challenge: securing VoIP while exposing it to the Internet is harder than other protocols. The real-time requirements mean you can’t easily hide everything behind a VPN without impacting call quality, and the dynamic RTP port ranges make tight firewall rules difficult. VoIP security often ends up being a compromise between accessibility and protection.
Thanks to Vulners and other third parties for providing vulnerability source material.
This newsletter was prepared by Sandro Gauci and the Enable Security team for RTCSec newsletter subscribers. If you have someone in mind who would benefit from our content, please share.
To subscribe: here