MEDIUM 5.3

CVE-2026-49843: FreeSWITCH mod_verto Pre-Auth Session Hijacking Vulnerability

FreeSWITCH versions before 1.11.1 contain a session hijacking vulnerability in the mod_verto JSON-RPC handler. An unauthenticated attacker with knowledge of a legitimate user's session ID can forcibly disconnect that user by claiming the same session identifier, causing the legitimate connection to be dropped and any active calls to be terminated. The vulnerability stems from the application binding incoming connections to user-supplied session IDs before verifying authentication credentials.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Weaknesses (CWE)
CWE-287
Affected products
1 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto's JSON-RPC handler bound the connection to the client-supplied sessid on the first frame, before the authentication gate. Binding inserts the connection into the global session hash and, on a key collision, drops the prior occupant of that slot — sending it a verto.punt, detaching its calls, and closing its socket. An unauthenticated network attacker who knows a target session UUID could therefore evict the legitimate client. This issue has been patched in version 1.11.1.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The mod_verto module's JSON-RPC handler performs session binding based on a client-supplied sessid parameter on the initial frame before authentication checks occur. When a connection is bound to a session ID, it is inserted into FreeSWITCH's global session hash table. If an attacker connects with a session ID already in use by a legitimate client, a hash collision occurs, causing the existing connection to be evicted. The evicted connection receives a verto.punt message, loses all associated calls, and has its socket closed. This occurs without any authentication validation, allowing any network-adjacent attacker who can guess or discover valid session UUIDs to perform denial-of-service attacks against active users.

Business impact

Organizations relying on FreeSWITCH for VoIP or unified communications infrastructure face service disruption risk. An attacker exploiting this flaw can disconnect users mid-call, interrupt call center operations, or destabilize communication workflows. The attack requires only network access and knowledge of a session ID—no credentials—making it accessible to a broad threat landscape. The impact is availability-focused but can create operational chaos in time-sensitive environments.

Affected systems

FreeSWITCH versions prior to 1.11.1 are affected. The vulnerability is specific to deployments using the mod_verto module for JSON-RPC communication. Organizations running version 1.11.1 or later are not affected. The vulnerability applies to any network-exposed FreeSWITCH instance where mod_verto is loaded and accessible.

Exploitability

Exploitability is moderate to high. The attack requires network access to the FreeSWITCH service and knowledge of a valid session UUID. No authentication, privilege escalation, or complex technical steps are required—an attacker simply needs to connect with a known session ID to trigger the eviction. Session IDs may be discoverable through network observation, application enumeration, or social engineering. However, the attack is not wormable and does not provide code execution or data exfiltration.

Remediation

Upgrade FreeSWITCH to version 1.11.1 or later, which implements authentication gating before session binding occurs. The patched version validates credentials before the connection is inserted into the session hash, preventing unauthenticated session ID hijacking. Additionally, network-level access controls limiting who can connect to the JSON-RPC interface are recommended as a defense-in-depth measure.

Patch guidance

Apply FreeSWITCH version 1.11.1 or later to all affected instances. Verify the applied version using the FreeSWITCH command-line interface or administrative API. Test the upgrade in a staging environment first to ensure compatibility with existing configurations and call flows. Review mod_verto logging post-upgrade to confirm normal session binding behavior. Organizations unable to patch immediately should implement network segmentation to restrict access to the FreeSWITCH JSON-RPC interface to trusted administrative networks only.

Detection guidance

Monitor FreeSWITCH logs for abnormal session binding or verto.punt messages sent to legitimately authenticated sessions. Implement alerting on frequent session disconnections correlated with new session ID claims. Network-level detection should monitor for repeated connection attempts with varying session IDs targeting the same port. Behavioral analysis of session lifecycle events can identify anomalous patterns such as the same session ID being claimed multiple times in rapid succession by different source IPs. Enable verbose mod_verto logging if available to capture sessid binding attempts.

Why prioritize this

Although the CVSS score is 5.3 (Medium), this vulnerability warrants priority attention because it enables simple, unauthenticated denial-of-service attacks against business-critical communications infrastructure. The attack surface is broad—any exposed FreeSWITCH instance—and the barrier to exploitation is low. Organizations with high call volume or time-sensitive operations (emergency services, customer support, trading floors) should treat this as a priority patch due to operational risk, despite the medium severity rating.

Risk score, explained

The CVSS 3.1 score of 5.3 reflects an availability-only impact (no confidentiality or integrity compromise) that can be triggered remotely without authentication or user interaction. The vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L captures network-accessible exploitability with low complexity. The score does not heavily weight the operational criticality of VoIP systems or the simplicity of the attack, making supplementary risk assessment advisable for organizations where telecommunications are mission-critical.

Frequently asked questions

Can an attacker use this vulnerability to eavesdrop on calls or modify call content?

No. The vulnerability is limited to session eviction and denial of service. It does not provide access to call audio, signaling data, or the ability to redirect calls. An attacker cannot decrypt encrypted RTP streams, modify in-progress calls, or steal credentials through this flaw.

Do I need to patch if my FreeSWITCH instance is only accessible on a private network?

While network isolation reduces risk significantly, patching remains strongly recommended. Internal threats, compromised systems on the same network, or misconfigurations that expose the service can still enable exploitation. Patching eliminates the vulnerability entirely and should be treated as the primary remediation regardless of network topology.

Does this vulnerability affect other FreeSWITCH modules or non-Verto RPC interfaces?

The vulnerability is specific to mod_verto's JSON-RPC implementation. Other modules and interfaces such as mod_xml_rpc are not affected by this flaw. However, review your deployment to confirm mod_verto is in use before determining patch urgency.

What happens to active calls when a session is evicted by this attack?

All calls associated with the evicted session are immediately terminated. The user receives a disconnect notification (verto.punt), the socket is closed, and call audio ceases. The impact is a complete disruption of service for the targeted user with no recovery mechanism until they reconnect.

This analysis is based on official vulnerability disclosures and CVSS ratings as of the publication date. Organizations should verify patch availability and compatibility against their specific FreeSWITCH versions and configurations. Security assessments should incorporate organizational risk tolerance, regulatory requirements, and the criticality of affected systems. This document does not constitute professional security advice; engage qualified security personnel for deployment decisions. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).