FreeSWITCH, Pre-authentication Session Eviction, CVE-2026-49843 (Medium) -DC-Jun2026-364

By /

Listen to this Post

Intro

CVE-2026-49843 is a vulnerability in FreeSWITCH’s `mod_verto` module. FreeSWITCH is a software-defined telecom stack. The `mod_verto` module provides a WebSocket interface for JSON-RPC signaling. Prior to version 1.11.1, the JSON-RPC handler would bind an incoming connection to a client-supplied session ID (sessid) on the first frame, before any authentication checks.
This binding inserts the connection into a global session hash table. If the provided `sessid` already exists in the table, the handler doesn’t reject it. Instead, it performs a key collision, which causes the previous occupant of that session slot to be dropped. The victim client is sent a `verto.punt` message, which detaches any active calls and forcibly closes its WebSocket.
An unauthenticated attacker with knowledge of a target’s active session UUID can simply connect to the WebSocket listener, send a single JSON-RPC frame containing that UUID, and instantly evict the legitimate client. The attacker does not need to authenticate or even complete the handshake. The attacker’s connection will occupy the session slot but cannot invoke authenticated methods without valid credentials.
This issue is not a credential bypass or a session takeover. It is a targeted denial-of-service that severs a specific client’s connection and drops its calls. The attack requires network reach to the verto WebSocket listener (default ports: 8081 for plaintext, 8082 for TLS) and prior knowledge of a valid session UUID. Since UUIDs generated by stock verto clients are 128-bit random values, blind enumeration is infeasible; practical attacks rely on UUIDs leaked via side channels such as server logs or application events.
The vulnerability is fixed in FreeSWITCH version 1.11.1, where the sessid-to-connection binding is moved past the authentication gate. In the patched version, an unauthenticated frame fails the `check_auth` routine and returns before the binding occurs.

DailyCVE Form

Platform: FreeSWITCH
Version: <1.11.1
Vulnerability: Pre-Auth Session Eviction
Severity: Medium (5.3 CVSS)
date: 2026-06-09

Prediction: Already Patched (2026-06-03)

What Undercode Say

Check FreeSWITCH version
freeswitch -version
Test if vulnerable by connecting via WebSocket and sending a known session ID
(Replace <target_IP> and <known_sessid>)
websocat ws://<target_IP>:8081 - --jsonrpc \
--text '{"jsonrpc":"2.0","method":"verto.attach","params":{"sessid":"<known_sessid>"}}'
Monitor logs for verto.punt messages indicating an eviction
tail -f /var/log/freeswitch/freeswitch.log | grep -i "verto.punt"
Patch verification (after upgrading to 1.11.1)
Ensure unauthenticated frames are rejected before binding:
websocat ws://<target_IP>:8081 - --jsonrpc \
--text '{"jsonrpc":"2.0","method":"verto.attach","params":{"sessid":"<known_sessid>"}}'
Expected result: Error due to check_auth failure, no verto.punt sent.

Exploit

  1. Obtain a target’s active session UUID via a side channel (e.g., server logs, application-layer events).
  2. Establish a WebSocket connection to the vulnerable FreeSWITCH `mod_verto` listener (TCP 8081 or 8082).
  3. Send a JSON-RPC frame containing the stolen UUID as the `sessid` parameter before any authentication.
  4. The `mod_verto` handler binds the attacker’s connection to the UUID, collides with the existing session, and drops the victim.
  5. The victim receives a `verto.punt` message, its calls are detached, and its WebSocket is closed.

Protection

  • Immediate: Restrict network access to the verto WebSocket listener using a firewall or bind it to a trusted internal interface.
  • Recommended: Upgrade to FreeSWITCH version 1.11.1 or later.
  • If `mod_verto` is not used: Disable the module entirely.
  • Logging: Monitor for unexpected `verto.punt` events or abrupt session terminations.

Impact

  • Service Disruption: Legitimate clients are forcibly disconnected, and ongoing calls are dropped.
  • No Authentication Required: An attacker with only a known session UUID can trigger the eviction.
  • Availability: The attack results in a targeted denial-of-service (DoS) against specific sessions.
  • No Data Breach: The vulnerability does not allow credential bypass or session takeover.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top