Security Updates and Vulnerability News Round-Up
Two critical vulnerabilities in Cisco Unified Contact Center Express (UCCX) allow unauthenticated attackers to execute code remotely. CVE-2025-20354 (CVSS 9.8) affects the Java RMI process and allows unauthenticated attackers to execute root-level commands and gain unauthorized system access. CVE-2025-20358 (CVSS 9.4) affects the CCX Editor and stems from missing authentication for critical functions in the protocol between the Cisco Unified CCX Editor and server, allowing attackers to bypass authentication, gain administrative script creation/execution permissions, and execute arbitrary scripts as an internal non-root user. Organizations using Cisco Unified CCX should immediately apply security patches as no workarounds are available.
A post-authentication command injection vulnerability was discovered in FreePBX Endpoint Manager versions 17.0.2.36 and above (before 17.0.3), allowing authenticated attackers to gain remote system access as the asterisk user through the check_ssh_connect() function. Users should immediately upgrade to version 17.0.3 to mitigate this security risk.
Researchers from Southern Methodist University demonstrated a location privacy attack against video conferencing apps like Zoom and Teams. The technique uses "remote acoustic sensing" where attackers inject brief covert sounds and analyze the echoes to identify a user's physical location (home, office, vehicle, hotel) with 88% accuracy. This works even with cameras off or virtual backgrounds enabled. Two attack types were identified: in-channel echo attacks that bypass echo cancellation, and off-channel echo attacks that exploit notification sounds.
Users remain vulnerable even when unmuting their microphones for short periods. Spooky NSA-level stuff, magic with microphones.
A use-after-free vulnerability (CVE-2025-13020) in Firefox's WebRTC Audio/Video component was reported by Andreas Pehrson. Rated moderate severity with potential for arbitrary code execution. Affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5. Bug report is still private.
Jitsi Meet has an OAuth authentication hijacking vulnerability (CVE-2025-64754) affecting Microsoft account logins. The flaw exploits DOM redirect mechanisms on the Microsoft OAuth flow. Affects versions prior to 2.0.10532, fixed in 2.0.10532. No workarounds available.
Rated moderate severity, though if it truly allows intercepting authentication credentials, that seems generous.
PJSIP has a buffer overflow in its Opus codec implementation (CVE-2025-65102). The issue occurs because "Opus PLC may zero-fill the input frame as long as the decoder ptime, while the input frame length, which is based on stream ptime, may be less than that." Results in application crashes. Affects PJSIP 2.15.1 and earlier, patched in PJSIP 2.16.
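The size mismatch described in that quote, as an added C example that is not PJSIP's code and does not claim to match the 2.16 patch: a frame buffer sized from the stream ptime, a zero-fill length derived from the decoder ptime, and a fill routine that is given the real buffer capacity. All function names and the 10 ms / 20 ms / 48 kHz values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes of 16-bit PCM in one frame of ptime_ms at clock_rate Hz. */
static size_t pcm_frame_bytes(unsigned ptime_ms, unsigned clock_rate, unsigned channels)
{
    return (size_t)clock_rate * ptime_ms / 1000 * channels * sizeof(int16_t);
}

/* Unchecked pattern (the bug class): trusts the decoder-side length.
 * Kept for contrast only; it is never called in this example. */
static void plc_zero_fill_unchecked(uint8_t *frame, size_t dec_bytes)
{
    memset(frame, 0, dec_bytes); /* overruns frame when dec_bytes exceeds its size */
}

/* Checked pattern: the caller passes the frame buffer's real capacity and the
 * fill is clamped to it. Returns the number of bytes actually zeroed. */
static size_t plc_zero_fill_checked(uint8_t *frame, size_t frame_cap, size_t dec_bytes)
{
    size_t n = dec_bytes < frame_cap ? dec_bytes : frame_cap;
    memset(frame, 0, n);
    return n;
}

/* Constructed scenario: stream ptime 10 ms, decoder ptime 20 ms, 48 kHz mono.
 * Returns 1 if the 16 guard bytes placed after the frame are untouched. */
static int demo_guard_intact(void)
{
    uint8_t mem[960 + 16];
    size_t frame_cap = pcm_frame_bytes(10, 48000, 1); /* 960 bytes  */
    size_t dec_bytes = pcm_frame_bytes(20, 48000, 1); /* 1920 bytes */
    (void)plc_zero_fill_unchecked; /* referenced only to keep it in the listing */
    memset(mem, 0xAA, sizeof mem);
    plc_zero_fill_checked(mem, frame_cap, dec_bytes);
    for (size_t i = frame_cap; i < sizeof mem; i++)
        if (mem[i] != 0xAA) return 0;
    return 1;
}

int main(void)
{
    printf("frame=%zu bytes, PLC wants=%zu bytes, guard intact=%d\n",
           pcm_frame_bytes(10, 48000, 1), pcm_frame_bytes(20, 48000, 1),
           demo_guard_intact());
    return 0;
}
```

Whenever the decoder ptime is longer than the stream ptime, the unchecked routine would write past the end of the frame, which is the crash condition the advisory describes.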
Zimperium documented Fantasy Hub, an Android RAT distributed as Malware-as-a-Service through Russian-language channels. The malware uses WebRTC for live audio/video streaming surveillance of compromised devices. It also steals SMS, contacts, and call logs, intercepts notifications, and deploys fake banking overlays. The developer provides documentation, instructional videos, and a Telegram bot for subscription management.
Pierre Kim disclosed eight vulnerabilities (CVE-2025-34328 through CVE-2025-34335) affecting all versions of AudioCodes Fax/IVR Appliance. Four are pre-authentication: unauthenticated RCE via ajaxScript.php and ajaxBackupUploadFile.php leading to NT AUTHORITY\SYSTEM shells, plus unauthenticated file upload and file read exposing password hashes. Four more require local access or authentication: insecure service scripts, world-writable webroot, and command injection in TestFax.php and ActivateLicense.php.
The product reached End-of-Service on December 31, 2024. It seems that AudioCodes' response is along the lines of "Do not use AudioCodes Fax/IVR Appliance" and "Do not expose to network." No official patches coming.
Check Point Research (Andrey Charikov and Oded Vanunu) disclosed four vulnerabilities in Microsoft Teams. Here's what their blog post states:
Our research revealed several vulnerabilities within Microsoft Teams that could be exploited to manipulate message content and sender identity, alter notification appearances. Most critically, we discovered that both external guest users and internal malicious actors can effectively transform their identity to appear as trusted personnel, including C-level executives, fundamentally breaking the trust boundaries that organizations rely on for secure communication.
- Edit messages without trace
- Manipulate message notifications
- Alter display names via conversation topics in private chats
- Forge caller identity in video and audio calls
This last one is the most interesting one for us: they discovered that the display name used in call notifications (and later on during the call itself) could be arbitrarily modified through specific manipulations of call initiation requests. This flaw allows an attacker to forge the caller identity, presenting any chosen name to the call recipient.
We often find similar caller ID spoofing vulnerabilities in our work across VoIP and WebRTC platforms.