rtpengine: RTP Inject and RTP Bleed vulnerabilities despite proper configuration
Published on Jul 31, 2025 in CVE-2025-53399, rtpengine, owasp, security advisory
- CVSS v4.0
  - Exploitability: High
  - Complexity: Low
  - Vulnerable system: Medium
  - Subsequent system: Medium
  - Exploitation: High
  - Security requirements: High
  - Vector: link
- Other references: CVE-2025-53399
- Fixed versions: >= mr13.4.1.1
- Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2025-01-rtpengine-improper-behavior-bleed-inject/
- Reproduction tools: https://github.com/EnableSecurity/advisories/tree/master/ES2025-01-rtpengine-improper-behavior-bleed-inject
- Tested vulnerable versions: mr13.3.1.4 and lower
- Timeline:
  - First report: 2025-04-24
  - Triaged: 2025-04-30
  - Fix provided for testing: 2025-05-05
  - Various back and forth and more fixes: 2025-05 / 2025-06
  - Vendor applied all fixes satisfactorily to master branch: 2025-06-05
  - Enable Security verified and confirmed fix: 2025-06-26
  - Vendor release with fix (mr13.4.1.1): 2025-07-03
  - Enable Security advisory: 2025-07-31
Description
Media servers often support source address learning to dynamically adapt to network conditions and client behavior. This is especially useful in scenarios involving NAT where the source IP and port of incoming RTP packets may differ from what was initially signaled via SDP over SIP. However, this mechanism can be exploited for two types of attacks if malicious packets are accepted as legitimate:
…
Rtpengine RTP Injection and Media Bleed Vulnerabilities (CVE-2025-53399)
Published on Jul 31, 2025 in voip security, research, rtpengine, denial of service, webrtc security, sip security
We published a critical security advisory for rtpengine affecting versions mr13.3.1.4 and lower, allowing RTP injection and media redirection attacks. These vulnerabilities can be exploited without man-in-the-middle positioning and affect both plaintext RTP and encrypted SRTP sessions. Organizations should upgrade to mr13.4.1.1 and review configuration settings.…
rtpengine: denial of service via DTLS Hello packets during call initiation
Published on Dec 15, 2023 in CVE-2023-51275, rtpengine, denial of service, security advisory
- Fixed versions: mr12.1.1.2, mr12.0.1.3, mr11.5.1.16, mr10.5.6.3, mr10.5.6.2, mr9.5.8.2, mr8.5.12.2
- Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2023-03-rtpengine-dtls-hello-race/
- Vendor Patch: https://github.com/sipwise/rtpengine/commit/e969a79428ac4a15cdf1c0a1c6f266dbdc7e60b6
- Other references: CVE-2023-51275
- Tested vulnerable versions: mr11.5.1.6
- Timeline:
  - Report date: 2023-10-02
  - Triaged: 2023-10-02
  - Fix provided for testing: 2023-11-16
  - Enable Security verified fix: 2023-12-14
  - Vendor release with fix: 2023-12-14
  - Enable Security advisory: 2023-12-15
TL;DR
When handling DTLS-SRTP for media setup, RTPEngine is susceptible to denial of service due to a race condition in the hello handshake phase of the DTLS protocol. The attack can be repeated continuously, denying new DTLS-encrypted calls for as long as it runs.
…