Freeswitch
Monthly
mod_verto session state pollution in FreeSWITCH allows an authenticated WebSocket user to inject arbitrary userVariables into connection state before password verification completes, with those values persisting into any subsequent successful login on the same connection. All versions prior to 1.11.1 are affected via the check_auth userauth branch, which performs append-only state writes before the password comparison gate, and crucially does not close the connection on a failed compare. No public exploit has been identified and the vulnerability is not in CISA KEV, but the vendor explicitly labeled this release a critical security fix and strongly urged immediate upgrade.
Denial of service in FreeSWITCH prior to version 1.11.1 allows remote unauthenticated attackers to crash the entire telephony process by sending a single WebSocket frame carrying a deeply nested JSON document. The recursive parsing exhausts the worker thread's stack and triggers SIGSEGV via the kernel stack guard page, terminating all active calls and sessions on the host. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the trivial network-reachable trigger and availability-only impact make it a credible service-disruption risk for exposed VoIP infrastructure.
Session eviction via unauthenticated sessid collision in FreeSWITCH mod_verto (all versions prior to 1.11.1) allows a remote unauthenticated attacker who knows a target client's session UUID to forcibly disconnect that client - terminating active calls and closing their WebSocket connection - by racing a crafted JSON-RPC first-frame before the authentication gate. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms full network reachability with no credentials required; the sole prerequisite is knowledge of the victim's session UUID. No public exploit has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog.
Unauthenticated outbound bandwidth amplification in FreeSWITCH versions prior to 1.11.1 allows remote attackers to coerce the server into emitting roughly 20 GB of traffic per short request via the mod_verto WebSocket #SPU speed-test command. The pre-auth code path parses the requested payload size with atoi() and only rejects non-positive values, letting a peer ask for up to INT_MAX bytes and triggering a size*10 download. No public exploit is identified at time of analysis, but the high-severity CVSS (7.5, A:H) and trivial trigger make this a credible DDoS-as-a-service primitive.
Heap buffer overflow in FreeSWITCH mod_verto prior to version 1.11.1 allows remote unauthenticated attackers to corrupt up to ~8 MiB of heap memory by sending a crafted HTTP POST request with an oversized Content-Length header. The flaw is triggered before HTTP basic-auth validation runs, enabling pre-authentication exploitation against any exposed mod_verto HTTP endpoint, with CVSS 9.8 reflecting potential for remote code execution; no public exploit identified at time of analysis.
Heap corruption in FreeSWITCH libesl prior to version 1.11.1 allows a malicious or man-in-the-middle Event Socket Library (ESL) peer to crash or corrupt the memory of any process linked against libesl by sending a frame containing a negative Content-Length header. The flaw is pre-authentication and reachable before the client completes authentication to the peer, and no public exploit identified at time of analysis despite a CVSS of 9.1.
Out-of-bounds memory access in FreeSWITCH versions prior to 1.11.0 allows remote unauthenticated attackers to crash the telephony stack by sending a malformed STUN packet whose declared attribute length is smaller than the structure the parser casts it to. No public exploit has been identified at time of analysis, but the network-reachable nature of STUN on media-handling deployments makes this a denial-of-service risk for any exposed FreeSWITCH instance handling WebRTC or NAT-traversal traffic.
Denial-of-service exposure in FreeSWITCH versions prior to 1.11.0 stems from a vendored, unpatched copy of libexpat XML tokenization code embedded in the bundled xmlrpc-c library. The function PREFIX(prologTok)() in libs/xmlrpc-c/lib/expat/xmltok/xmltok_impl.c was cloned from an outdated upstream libexpat release and never received the corresponding security fix, leaving FreeSWITCH's XML parsing surface vulnerable. An authenticated low-privilege attacker over the network can exploit this to achieve high availability impact against the telecom stack; no public exploit or CISA KEV listing has been identified at time of analysis.
Denial of service in FreeSWITCH versions prior to 1.11.0 allows unauthenticated remote attackers to exhaust CPU and memory by sending a single SIP PUBLISH request whose PIDF body contains a malicious DTD with nested entity declarations. The bundled XML parser expands these entities before any digest authentication check, making this a pre-auth resource exhaustion vector (CWE-776, classic 'billion laughs'). No public exploit identified at time of analysis, but the CVSS 7.5 availability-only impact reflects a high-confidence DoS condition against any exposed FreeSWITCH instance.
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An issue was discovered in function sofia_handle_sip_i_notify in sofia.c in SignalWire freeswitch before 1.10.6, may allow attackers to view sensitive information due to an uninitialized value. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
FreeSWITCH 1.6.10 through 1.10.1 has a default password in event_socket.conf.xml. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api/system or txtapi/system (or api/bg_system or txtapi/bg_system) query string on. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
Heap-based buffer overflow in the parse_string function in libs/esl/src/esl_json.c in FreeSWITCH before 1.4.23 and 1.6.x before 1.6.2 allows remote attackers to execute arbitrary code via a trailing. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Multiple buffer overflows in the switch_perform_substitution function in switch_regex.c in FreeSWITCH 1.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available.
mod_verto session state pollution in FreeSWITCH allows an authenticated WebSocket user to inject arbitrary userVariables into connection state before password verification completes, with those values persisting into any subsequent successful login on the same connection. All versions prior to 1.11.1 are affected via the check_auth userauth branch, which performs append-only state writes before the password comparison gate, and crucially does not close the connection on a failed compare. No public exploit has been identified and the vulnerability is not in CISA KEV, but the vendor explicitly labeled this release a critical security fix and strongly urged immediate upgrade.
Denial of service in FreeSWITCH prior to version 1.11.1 allows remote unauthenticated attackers to crash the entire telephony process by sending a single WebSocket frame carrying a deeply nested JSON document. The recursive parsing exhausts the worker thread's stack and triggers SIGSEGV via the kernel stack guard page, terminating all active calls and sessions on the host. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the trivial network-reachable trigger and availability-only impact make it a credible service-disruption risk for exposed VoIP infrastructure.
Session eviction via unauthenticated sessid collision in FreeSWITCH mod_verto (all versions prior to 1.11.1) allows a remote unauthenticated attacker who knows a target client's session UUID to forcibly disconnect that client - terminating active calls and closing their WebSocket connection - by racing a crafted JSON-RPC first-frame before the authentication gate. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms full network reachability with no credentials required; the sole prerequisite is knowledge of the victim's session UUID. No public exploit has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog.
Unauthenticated outbound bandwidth amplification in FreeSWITCH versions prior to 1.11.1 allows remote attackers to coerce the server into emitting roughly 20 GB of traffic per short request via the mod_verto WebSocket #SPU speed-test command. The pre-auth code path parses the requested payload size with atoi() and only rejects non-positive values, letting a peer ask for up to INT_MAX bytes and triggering a size*10 download. No public exploit is identified at time of analysis, but the high-severity CVSS (7.5, A:H) and trivial trigger make this a credible DDoS-as-a-service primitive.
Heap buffer overflow in FreeSWITCH mod_verto prior to version 1.11.1 allows remote unauthenticated attackers to corrupt up to ~8 MiB of heap memory by sending a crafted HTTP POST request with an oversized Content-Length header. The flaw is triggered before HTTP basic-auth validation runs, enabling pre-authentication exploitation against any exposed mod_verto HTTP endpoint, with CVSS 9.8 reflecting potential for remote code execution; no public exploit identified at time of analysis.
Heap corruption in FreeSWITCH libesl prior to version 1.11.1 allows a malicious or man-in-the-middle Event Socket Library (ESL) peer to crash or corrupt the memory of any process linked against libesl by sending a frame containing a negative Content-Length header. The flaw is pre-authentication and reachable before the client completes authentication to the peer, and no public exploit identified at time of analysis despite a CVSS of 9.1.
Out-of-bounds memory access in FreeSWITCH versions prior to 1.11.0 allows remote unauthenticated attackers to crash the telephony stack by sending a malformed STUN packet whose declared attribute length is smaller than the structure the parser casts it to. No public exploit has been identified at time of analysis, but the network-reachable nature of STUN on media-handling deployments makes this a denial-of-service risk for any exposed FreeSWITCH instance handling WebRTC or NAT-traversal traffic.
Denial-of-service exposure in FreeSWITCH versions prior to 1.11.0 stems from a vendored, unpatched copy of libexpat XML tokenization code embedded in the bundled xmlrpc-c library. The function PREFIX(prologTok)() in libs/xmlrpc-c/lib/expat/xmltok/xmltok_impl.c was cloned from an outdated upstream libexpat release and never received the corresponding security fix, leaving FreeSWITCH's XML parsing surface vulnerable. An authenticated low-privilege attacker over the network can exploit this to achieve high availability impact against the telecom stack; no public exploit or CISA KEV listing has been identified at time of analysis.
Denial of service in FreeSWITCH versions prior to 1.11.0 allows unauthenticated remote attackers to exhaust CPU and memory by sending a single SIP PUBLISH request whose PIDF body contains a malicious DTD with nested entity declarations. The bundled XML parser expands these entities before any digest authentication check, making this a pre-auth resource exhaustion vector (CWE-776, classic 'billion laughs'). No public exploit identified at time of analysis, but the CVSS 7.5 availability-only impact reflects a high-confidence DoS condition against any exposed FreeSWITCH instance.
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An issue was discovered in function sofia_handle_sip_i_notify in sofia.c in SignalWire freeswitch before 1.10.6, may allow attackers to view sensitive information due to an uninitialized value. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
FreeSWITCH 1.6.10 through 1.10.1 has a default password in event_socket.conf.xml. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api/system or txtapi/system (or api/bg_system or txtapi/bg_system) query string on. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
Heap-based buffer overflow in the parse_string function in libs/esl/src/esl_json.c in FreeSWITCH before 1.4.23 and 1.6.x before 1.6.2 allows remote attackers to execute arbitrary code via a trailing. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Multiple buffer overflows in the switch_perform_substitution function in switch_regex.c in FreeSWITCH 1.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available.