Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
8DescriptionCVE.org
SIP signaling stack in Verizon IMS (unspecified version) implements SIP signaling without IPsec integrity protection (missing Security-Client/Security-Server headers and ESP traffic), which allows an on-path attacker to compromise confidentiality, integrity, and authenticity of VoLTE signaling via passive monitoring and active manipulation of unsecured SIP messages over the radio and core network.
AnalysisAI
Cleartext SIP signaling in Verizon's VoLTE/IMS infrastructure allows an on-path attacker positioned on the radio or core network to intercept and tamper with VoIP call signaling because IPsec integrity protection (Security-Client/Security-Server headers and ESP-protected traffic) is not enforced. The flaw, reported by CERT/CC and tracked as EUVD-2026-33945, affects an unspecified Verizon IMS deployment and enables disclosure of call metadata, caller identity spoofing, and signaling manipulation. There is no public exploit identified at time of analysis and EPSS exploitation probability is very low at 0.01%.
Technical ContextAI
VoLTE (Voice over LTE) relies on the IMS (IP Multimedia Subsystem) architecture, where SIP messages between the User Equipment (UE) and the P-CSCF (Proxy Call Session Control Function) are required by 3GPP TS 33.203 to be protected by IPsec ESP in transport mode, negotiated via Security-Client and Security-Server SIP headers during registration. In Verizon's affected IMS deployment (CPE cpe:2.3:a:verizon:volte) these protections are absent, so SIP REGISTER, INVITE, and related messages traverse the radio and core network without confidentiality or integrity protection. Although no CWE is assigned, the root cause aligns with CWE-319 (Cleartext Transmission of Sensitive Information) and CWE-300 (Channel Accessible by Non-Endpoint / man-in-the-middle exposure), as referenced in the 3GPP TS 33.203 specification cited in the advisory.
RemediationAI
No vendor-released patch identified at time of analysis; this is a carrier-side configuration and infrastructure issue that subscribers cannot directly remediate, so the primary action is for Verizon to enable 3GPP TS 33.203-compliant IMS access security - negotiating Security-Client/Security-Server headers during SIP REGISTER and enforcing IPsec ESP between the UE and P-CSCF - and customers should monitor the CERT/CC Vulnerability Note at https://www.kb.cert.org/vuls/id/615987 for vendor guidance. Until carrier-side fixes are confirmed, organizations handling sensitive voice traffic on Verizon VoLTE should consider compensating controls such as routing high-sensitivity calls over end-to-end encrypted OTT voice apps (Signal, WhatsApp) which terminate above the SIP layer - trade-off: loses PSTN reachability and number-based identity; disabling VoLTE on managed devices and forcing fallback to legacy CS voice where supported - trade-off: degraded audio quality, no VoLTE-only features, and the legacy radio stack has its own well-known weaknesses; and restricting use of VoLTE on devices that may transit untrusted radio environments (e.g., near suspected IMSI catchers or rogue small cells) - trade-off: operational inconvenience but reduces on-path exposure.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33945
GHSA-8pfq-65f4-r264