HIGH 7.5

CVE-2026-49842: FreeSWITCH Unauthenticated Bandwidth Amplification Vulnerability

FreeSWITCH, an open-source telecom platform, contains a flaw in its WebSocket handling that allows unauthenticated attackers to trigger massive outbound data transfers. An attacker can send a specially crafted speed-test protocol message that causes the server to send back approximately 20 GB of data per request, effectively amplifying a small request into a large bandwidth-consuming response. This vulnerability exists before patching and requires no authentication or user interaction—any network-connected FreeSWITCH instance is at risk.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-400
Affected products
1 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto's WebSocket frame loop intercepts a #-prefixed speed-test protocol (#SPU / #SPB / #SPE) before any authentication check. The declared payload size in #SPU was parsed with atoi() and only rejected non-positive values, so an unauthenticated peer could request up to INT_MAX bytes. The server then wrote roughly size * 10 bytes back during the download phase, on the order of 20 GB per request, yielding strong outbound bandwidth amplification from a short request. This issue has been patched in version 1.11.1.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability resides in mod_verto's WebSocket frame processing loop, which parses speed-test protocol messages (#SPU, #SPB, #SPE) before performing any authentication checks. The #SPU message includes a declared payload size that is parsed using atoi(), which accepts any positive integer value up to INT_MAX. The server then allocates and transmits approximately size * 10 bytes in response during the download phase. Because there is no reasonable upper bound enforced on the declared size, an unauthenticated attacker can request up to INT_MAX bytes, resulting in transmission of roughly 20 GB per request. This creates a potent bandwidth amplification vector suitable for denial-of-service or resource exhaustion attacks.

Business impact

Organizations running FreeSWITCH as a voice or telecom service platform face acute availability risk. Each malicious request can consume gigabytes of outbound bandwidth, quickly saturating network links and rendering the service unavailable to legitimate users. For cloud-hosted deployments, excessive data transfer may also trigger unexpected egress charges. The attack requires no credentials and can originate from any network-accessible endpoint, making it trivial to exploit at scale. Service degradation or outages could disrupt mission-critical voice services, VoIP operations, or unified communications deployments.

Affected systems

FreeSWITCH versions prior to 1.11.1 are vulnerable. The flaw affects any deployment where mod_verto (the WebSocket module) is enabled and the instance is accessible over the network. This includes on-premises PBX systems, cloud-hosted voice platforms, and any telecom infrastructure built on FreeSWITCH. The vulnerability is independent of operating system or hardware, since FreeSWITCH is designed to run on commodity platforms.

Exploitability

Exploitability is very high. The attack requires no authentication, no user interaction, and minimal complexity—an attacker simply sends a crafted WebSocket message with a large declared payload size. The vulnerability is trivial to trigger remotely over the network from any unauthenticated position. No special tools or deep technical knowledge are required; a basic understanding of the protocol and network access suffice. The barrier to exploitation is essentially zero, making this a high-confidence target for opportunistic attackers or DDoS botnets.

Remediation

Upgrade FreeSWITCH to version 1.11.1 or later, which patches the vulnerability by properly validating payload sizes before processing speed-test protocol messages and enforcing authentication checks before accepting WebSocket frames. Organizations unable to patch immediately should consider network-level mitigations such as rate-limiting WebSocket connections, restricting network access to trusted peers only, or temporarily disabling mod_verto if the speed-test feature is not in use. Egress bandwidth monitoring should be enabled to detect anomalous outbound traffic patterns.

Patch guidance

Apply FreeSWITCH version 1.11.1 or later according to your deployment model. For package-managed installations, update via your distribution's repository. For source builds, obtain the patched release from the official FreeSWITCH repository. Restart the FreeSWITCH service after patching to ensure the updated module is loaded. Verify in logs that mod_verto has reloaded successfully. Test WebSocket connectivity with legitimate clients post-patch to confirm service continuity. No configuration changes are required; the patch is a drop-in replacement that hardens the existing protocol handling.

Detection guidance

Monitor for multiple or sustained WebSocket connections originating from unfamiliar external IPs, especially those that generate unusually large outbound data transfers immediately after connection. Look for #SPU protocol messages with extremely large declared size values (approaching or exceeding typical RAM or filesystem limits). Track outbound bandwidth spikes correlated with WebSocket activity on the FreeSWITCH ports (default 5066 for mod_verto). Review FreeSWITCH debug logs for speed-test protocol messages originating from unauthenticated peers. Network-level detection should flag any single connection responsible for gigabytes of egress in a short timeframe.

Why prioritize this

This vulnerability scores CVSS 7.5 (HIGH) and merits immediate prioritization. The combination of zero-authentication barrier, trivial exploitability, remote network-accessible attack surface, and severe bandwidth amplification impact makes it an attractive target for DDoS actors and opportunistic attackers. Unlike vulnerabilities requiring complex exploitation chains, this flaw can be weaponized instantly. Any publicly exposed FreeSWITCH instance is effectively a ready-made amplifier for bandwidth attacks. Organizations should treat patching as urgent, not deferred.

Risk score, explained

The CVSS 7.5 rating reflects the availability impact (denial of service via resource exhaustion) combined with low attack complexity and no authentication requirement. The score appropriately captures the high practical risk: network-adjacent attackers can trivially cause service disruption. The absence of confidentiality or integrity impact prevents a critical rating, but the ease and speed of exploitation, combined with the severity of outbound bandwidth amplification, justifies a HIGH classification. Organizations relying on FreeSWITCH for production voice services should treat this as urgent regardless of score semantics.

Frequently asked questions

Is my FreeSWITCH instance vulnerable if mod_verto is not in use?

If mod_verto is completely disabled and not loaded, the vulnerability cannot be exploited. However, if the module is present on disk or auto-loaded by default, verify your configuration explicitly. The safest approach is to upgrade to 1.11.1, which hardens the protocol handling universally.

Can rate-limiting or firewall rules fully mitigate this without patching?

Network-level mitigations such as connection rate-limiting, egress bandwidth quotas, or geo-blocking can reduce attack surface and slow exploitation, but they do not fix the underlying vulnerability. An attacker who bypasses rate-limits or originates from an approved IP range can still trigger data transfer amplification. Patching remains the authoritative remediation.

What does the speed-test protocol (#SPU/#SPB/#SPE) do, and why is it unauthenticated?

The speed-test protocol allows clients to measure bandwidth characteristics of the connection. The flaw is that this feature was implemented before authentication gates, implying it was intended for pre-authentication diagnostics. However, this design choice creates a critical amplification vector. Version 1.11.1 enforces authentication checks prior to any protocol parsing, closing the gap.

If I see large outbound transfers, how do I know if I'm being attacked versus legitimate use?

Legitimate speed-test usage is typically initiated by authorized administrators for diagnostics and occurs infrequently. Attacks manifest as multiple concurrent or rapid-fire requests from unknown external IPs, often with extremely large declared sizes. Review your access logs and WebSocket session metadata; if you did not initiate speed-test requests, treat anomalous transfers as suspicious.

This analysis is provided for informational and defensive purposes only. Vulnerability details and patch availability are based on official vendor disclosures as of the publication date. Organizations must verify patch applicability and compatibility within their specific deployment environment before applying updates. SEC.co makes no warranty regarding the completeness or accuracy of third-party vendor information. Consult official FreeSWITCH documentation and security advisories for authoritative guidance. Unauthorized access to computer systems is illegal; this information is intended solely for authorized security personnel managing systems they own or are responsible for. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).