CVE-2021-41157
5.3 MEDIUMFreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implem...
Published: 2021-10-26 · Last updated: 2026-06-17
Severity and scoring
- CVSS
- 5.3 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- CWE
- CWE-287, CWE-306
Affected products
| Vendor | Product |
|---|---|
| freeswitch | freeswitch |
Description
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. By default, SIP requests of the type SUBSCRIBE are not authenticated in the affected versions of FreeSWITCH. Abuse of this security issue allows attackers to subscribe to user agent event notifications without the need to authenticate. This abuse poses privacy concerns and might lead to social engineering or similar attacks. For example, attackers may be able to monitor the status of target SIP extensions. Although this issue was fixed in version v1.10.6, installations upgraded to the fixed version of FreeSWITCH from an older version, may still be vulnerable if the configuration is not updated accordingly. Software upgrades do not update the configuration by default. SIP SUBSCRIBE messages should be authenticated by default so that FreeSWITCH administrators do not need to explicitly set the `auth-subscriptions` parameter. When following such a recommendation, a new parameter can be introduced to explicitly disable authentication.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2021-41157
- [Other]http://seclists.org/fulldisclosure/2021/Oct/41
- [Patch]https://github.com/signalwire/freeswitch/commit/b21dd4e7f3a6f1d5f7be3ea500a319a5bc11db9e
- [Other]https://github.com/signalwire/freeswitch/releases/tag/v1.10.6
- [Exploit reference]https://github.com/signalwire/freeswitch/security/advisories/GHSA-g7xg-7c54-rmpj
- [Other]http://seclists.org/fulldisclosure/2021/Oct/41
- [Patch]https://github.com/signalwire/freeswitch/commit/b21dd4e7f3a6f1d5f7be3ea500a319a5bc11db9e
- [Other]https://github.com/signalwire/freeswitch/releases/tag/v1.10.6
- [Exploit reference]https://github.com/signalwire/freeswitch/security/advisories/GHSA-g7xg-7c54-rmpj
Related CVEs
Same vendor
- CVE-2026-49848 — FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implem... (4.3 MEDIUM)
- CVE-2026-49847 — FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implem... (7.5 HIGH)
- CVE-2026-49843 — FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implem... (5.3 MEDIUM)
- CVE-2026-49842 — FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implem... (7.5 HIGH)
- CVE-2026-49841 — FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implem... (9.8 CRITICAL)
Same CWE
- CVE-2026-48780 — Forem is open source software for building communities (8.2 HIGH)
- CVE-2026-0647 — An improper authentication security issue exists within the 1794-AENTR adapter's embedded web server
- CVE-2026-48114 — Metacat is data repository software that helps researchers preserve, share, and discover data (9.8 CRITICAL)
- CVE-2018-25437 — WordPress CherryFramework Themes 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download... (7.5 HIGH)
- CVE-2026-12183 — Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerabili... (9.8 CRITICAL)