cvedb.io
CVE-2021-41157
MEDIUM · CVSS 5.3
EPSS exploitation probability: 0%
Published 2021-10-26T14:15:07.807 · Last modified 2026-06-17T04:07:59.380

Summary

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. By default, SIP requests of the type SUBSCRIBE are not authenticated in the affected versions of FreeSWITCH. Abuse of this security issue allows attackers to subscribe to user agent event notifications without the need to authenticate. This abuse poses privacy concerns and might lead to social engineering or similar attacks. For example, attackers may be able to monitor the status of target SIP extensions. Although this issue was fixed in version v1.10.6, installations upgraded to the fixed version of FreeSWITCH from an older version, may still be vulnerable if the configuration is not updated accordingly. Sof

Affected products

freeswitch — freeswitch

Does this affect you?

Add your gear to cvedb and we'll alert you only when freeswitch ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.