MEDIUM 4.3

CVE-2026-49848: FreeSWITCH mod_verto Session State Injection Vulnerability

FreeSWITCH versions prior to 1.11.1 contain a flaw in the Verto module's authentication handler that allows user-supplied session variables to be written into connection state before password validation occurs. Because these writes are append-only and failed authentication attempts don't close the WebSocket connection, variables from a bad login attempt persist and carry over into a subsequent successful login on the same connection. This creates a window for session state manipulation through repeated authentication attempts.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-287
Affected products
1 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto's check_auth userauth branch wrote request-supplied userVariables into the connection state before comparing the supplied password. The writes are append-only and the connection is not closed on a failed compare, so values declared on bad-password attempts persisted on the same WebSocket and carried into a subsequent successful login on that connection. This issue has been patched in version 1.11.1.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in mod_verto's check_auth userauth branch, where the authentication flow violates the principle of verify-before-trust. The code writes request-supplied userVariables into connection state prior to password comparison. Since the writes are append-only and the connection remains open after authentication failure, an attacker can inject arbitrary userVariables through a failed login, then authenticate successfully on the same WebSocket. The injected variables from the failed attempt remain in the connection state, potentially affecting downstream logic that relies on those variables for authorization or session management decisions.

Business impact

Organizations deploying FreeSWITCH for VoIP, unified communications, or telecom infrastructure are exposed to session hijacking and authorization bypass scenarios. An authenticated attacker (or attacker with network access to Verto) could inject malicious session variables through failed authentication attempts, then authenticate legitimately to gain influence over their session context. This could lead to privilege escalation, unauthorized feature access, or cross-user session contamination if multiple users share connection pooling. The impact is limited by the requirement for authentication and the MEDIUM CVSS score, but the persistence of state across auth boundaries makes this a subtle and difficult-to-detect attack.

Affected systems

FreeSWITCH versions before 1.11.1 are vulnerable. Organizations running the Verto WebSocket module for client connectivity should prioritize inventory and version assessment. Deployment scenarios involving shared or pooled Verto connections, or multi-tenant environments, face elevated risk.

Exploitability

Exploitation requires prior authentication (hence the MEDIUM severity and PR:L requirement in CVSS). An attacker must have valid credentials or access to bypass initial auth. The attack is not particularly complex from a technical standpoint—it relies on protocol behavior rather than memory corruption or complex chaining. The append-only nature of variable writes and lack of connection state cleanup make this reliably reproducible. However, the requirement to have an initial foothold limits real-world attack surface. No known public exploit or active weaponization is documented.

Remediation

Upgrade FreeSWITCH to version 1.11.1 or later. The patch addresses this by ensuring userVariables are validated and isolated before being written to connection state, or by implementing proper state cleanup on authentication failure. Organizations unable to upgrade immediately should consider network segmentation of Verto endpoints, restrict authentication attempts per connection, or implement application-level session validation to detect and reject unexpected userVariable states.

Patch guidance

Verify that your FreeSWITCH deployment is running version 1.11.1 or later. Review the FreeSWITCH project repository or vendor advisory for specific patch details and any breaking changes. Test the update in a staging environment, particularly if you have custom Verto clients or extensions that depend on userVariable handling. Monitor connection logs for any anomalies after patching.

Detection guidance

Search for patterns of repeated failed authentication attempts followed by successful authentication on the same WebSocket connection from a single IP or user. Monitor for unexpected or unauthorized userVariable values in Verto session logs. Implement logging of userVariable state at auth boundaries and compare across auth transitions—if values from one session appear in a subsequent session on the same connection, investigate. Check Verto module debug logs for signs of state persistence across failed auth attempts.

Why prioritize this

While the CVSS is MEDIUM (4.3), this vulnerability merits prioritization because it affects authentication and session integrity, core security primitives. The append-only, persistent nature of the state manipulation makes it difficult to detect at runtime and could enable lateral moves or privilege escalation in multi-user or multi-tenant Verto deployments. The patch is straightforward and low-risk, making remediation fast relative to the underlying exposure.

Risk score, explained

CVSS 4.3 reflects the requirement for prior authentication (PR:L) and the limited scope (impacts integrity of session variables, not confidentiality or availability). The score appropriately captures that this is not a zero-day remote code execution, but rather a session management defect. However, in environments where Verto is exposed to untrusted networks or supports high-privilege user sessions, the real-world risk may exceed the base score. Organizations should also consider whether their threat model includes authenticated insiders or compromised low-privilege accounts.

Frequently asked questions

Can an unauthenticated attacker exploit this?

No. The vulnerability requires prior authentication (PR:L in CVSS). However, if your Verto endpoint allows account creation or uses weak credentials, an attacker could authenticate with a low-privilege account and then inject variables to escalate or move laterally.

What happens if I don't upgrade—what's the real-world risk?

The risk depends on your use case. If Verto sessions are short-lived and users don't reuse connections, risk is lower. If connections are pooled, long-lived, or support high-privilege operations, an authenticated attacker could persist malicious variables to affect downstream authorization logic or contaminate shared session state.

Do I need to restart FreeSWITCH after patching?

Yes, a restart is typically required for the patch to take effect. Verify against the vendor advisory and your FreeSWITCH release notes. Test in staging first, especially if you have active call sessions.

How do I check if I'm affected?

Check your FreeSWITCH version with 'fs_cli -x version' or review your installation directory. If it is older than 1.11.1, you are affected. Additionally, verify that the Verto module (mod_verto) is loaded in your configuration.

This analysis is provided for informational purposes and should not be considered legal or definitive security advice. Always verify CVSS scores, affected versions, and patch availability directly with FreeSWITCH vendor advisories and your organization's vulnerability management process. This vulnerability is not currently listed on the CISA KEV catalog. Testing and deployment of patches should be performed in controlled environments first. SEC.co and its affiliates make no warranty regarding the completeness or accuracy of this content. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).