RTC security
Newsletter

Curated VoIP and WebRTC security news, research and updates by Enable Security.

November 2025: VoIP and WebRTC vulnerability roundup

Published on Nov 28, 2025

Welcome to the November edition of the RTCSec newsletter. It’s a quieter month, with less VoIP and WebRTC news than usual. In this edition:

- Security fixes from Cisco, FreePBX, Firefox, Jitsi, and PJSIP
- Unpatched vulnerabilities in an end-of-life AudioCodes FAX/IVR product
- Microsoft Teams impersonation and spoofing vulnerabilities
- Remote acoustic sensing research (the spooky, secret-service kind)
- And a few more items

The RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.…

October 2025: RTP attacks, Cisco VoIP phones, satellite leaks, and nation-state breaches

Published on Oct 31, 2025

Welcome to the October 2025 edition of RTCSec Newsletter. This month brings us deep discussions on RTP security, critical vulnerabilities in widely deployed VoIP phones, massive satellite communication leaks, and a telecom infrastructure breach that went undetected for nine months. In this edition, we cover:

- Our news: 2026 penetration testing bookings, OpenSIPIt meeting on RTP Bleed and Inject, and our VoIP eavesdropping defense guide
- Cisco VoIP phone vulnerabilities: Balazs Bucsay’s detailed presentation on critical flaws including unauthenticated remote packet capture
- Satellite link vulnerabilities: Research exposing massive unencrypted traffic from T-Mobile, AT&T, US military, and more
- Ribbon Communications breach: Nine-month nation-state intrusion into a major telecom infrastructure provider
- Blue Angel Software Suite: Active exploitation of hardcoded credentials and command injection affecting VoIP/SIP appliances
- WebRTC and Matrix RTC: Privacy leaks research on cross-browser IP metadata exposure, plus Matrix security and encryption architecture improvements
- Kamailio bogus CVEs: Why those configuration file vulnerabilities are nonsense
- Security updates round-up: Cisco, FreePBX, Ubiquiti, Issabel, and data breach reports

The RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.…

September 2025: more RTP, FreePBX and Voice AI vulnerabilities this time

Published on Sep 30, 2025

Welcome to the latest edition of RTCSec Newsletter for September 2025. In this edition, we cover:

- Our presentations at ClueCon and RTC.ON, clarification about DTLS-SRTP and RTP Bleed
- FreePBX security fixes galore and technical details
- Voice-AI and good old toll fraud
- Round up of RTC security vulnerabilities that were addressed this month

The RTCSec newsletter is a free, periodic newsletter bringing you commentary and news about VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.…

August 2025: WHY 2025, Black Hat, DEF CON, ClueCon and FreePBX 0day ITW!

Published on Aug 30, 2025

It has been a very busy month in the world of VoIP and WebRTC security, and we have the latest and greatest newsletter edition so far. Here’s the hard proof:

    wc -w newsletters/* | sort -nr | head
    73257 total
    3671 newsletters/2025-08-rtcsec-news.md
    3468 newsletters/2023-03-rtcsec-news.md
    3464 newsletters/2025-06-rtcsec-news.md
    ...

In this edition, we cover:

- Newsletter feedback and a tip for procrastinators
- ClueCon 2025: Media Security Is Hard: The Many Ways RTP & SRTP Still Fail Us
- WHY 2025 - Die Hardcoded: Unlocking Yealink’s (weakest) secrets
- FreePBX 0day vulnerability in the EPM module exploited (CVE-2025-57819)
- Asterisk security updates - CVE-2025-49832 / CVE-2025-1131 / CVE-2025-54995 / CVE-2025-57767
- DEF CON 33: Journey to the Center of the PSTN
- TURN Server Abuse: ‘Ghost Calls’ C2 Evasion Technique
- August: The Month of Hacker Conferences: DEF CON 33 and WHY 2025
- BT Home Hub 2006: DSL and SIP Reverse Engineering Analysis
- Security Updates and Vulnerability News Round-Up, including updates to the Matrix protocols and WebEx

The RTCSec newsletter is a free, periodic newsletter bringing you commentary and news about VoIP and WebRTC security.…

July 2025: Rtpengine fixes, RTC conferences and showers of vulnerabilities

Published on Jul 31, 2025

It’s July - peak summer season - but it won’t stop raining where we’re located! So we’ve prepared some newsletter content for your entertainment. In this edition, we cover:

- We have three news items from Enable Security:
  - An advisory for rtpengine
  - ClueCon attendance and presentation next week
  - RTC.ON conference, presentation and discount code
- Reverse Engineering and Cracking a 2006 BT Home Hub for VoIP!
- Discussion of the Jitsi Meet privacy feature / issue
- Short news covering Mitel, Cisco, Grandstream and WebRTC vulnerabilities

The RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.…

June 2025: WebRTC security, privacy and Yealink provisioning vulnerabilities

Published on Jun 30, 2025

Welcome to the June edition of RTC Sec newsletter, your favorite source of VoIP and WebRTC security commentary. In this edition, we cover:

- Celebrating the OWASP ASVS v5 release with the WebRTC chapter
- Yealink YMCS security problems have been published
- More WebRTC security items, including STUN DDoS, WebRTC’s security/privacy reputation, and Meta abusing WebRTC to bypass privacy controls
- Numerous vulnerabilities, mostly fixed, in Sangoma, Audiocodes, Qualcomm chipsets, Cisco, Mitel, and others
- Plug for TADSummit Online and a LinkedIn article about overlooked UC security

The RTCSec newsletter is a free, periodic newsletter bringing you commentary and news about VoIP and WebRTC security.…

May 2025: VoIP conferences, VoLTE vulnerabilities and so much more

Published on May 29, 2025

This month was marked by SIP Server conferences, as I attended both Kamailio World and OpenSIPS Summit. This edition includes a review of the Kamailio World presentations of security interest, while next month we’ll cover ones from OpenSIPS Summit. I’d also like to welcome all the people who joined this newsletter from Kamailio World and OpenSIPS Summit! In this packed edition, we cover:…

April 2025: Verizon’s CDR compromise, Cisco VoIP security flaws and phreaking

Published on Apr 30, 2025

Welcome to the April edition of the RTCSec Newsletter! In this edition, we cover:

- Our upcoming presentations on SIP server configuration security and OWASP ASVS including WebRTC
- Verizon’s call detail records compromised by a security researcher
- SIP ALG vulnerabilities and learning about NAT types
- Cisco VoIP security flaws and cool vulnerability demos
- Good old phone phreaking from days gone by
- So much more

The RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.…

March 2025: Upcoming and Past VoIP and WebRTC security presentations, FreeSWITCH vulnerabilities - or not

Published on Mar 31, 2025

This month, we have a few interesting news items with useful commentary to help you understand the latest VoIP and WebRTC security developments and to provide some food for thought. In this edition, we cover:

- Upcoming Kamailio World and OpenSIPS Summit presentations
- Video of the WebRTC vulnerabilities talk at OWASP Global AppSec
- A FreeSWITCH Security vulnerability and our comments
- The latest vulnerabilities, security fixes and security updates in VoIP and WebRTC

The RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.…

February 2025: VoIP phones join botnets, and vulnerabilities in Cisco, Twilio, Asterisk, AudioCodes and more

Published on Feb 28, 2025

We might have gotten a little carried away this time… but we think this is worth the read if you’re interested in the wild world of VoIP and WebRTC security. In this edition, we cover:

- Reddit post about the WebRTC DTLS handshake security
- Twilio Serverless exposed by default
- Vulnerability coverage of Asterisk, AudioCodes, Mitel, Cisco phone systems
- And more security fixes in F5 BIG-IP, OpenH264 codec and WebRTC
- International IP-Based SIP network security
- Robocallers vs FCC vs Telnyx summary

The RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.…
