Cloud Vulnerability DB
A community-led vulnerabilities database
Introducing Wiz for Exposure Management: Unify, prioritize, and remediate exposures everywhere.
Vulnerability DatabaseCVE-2025-53399
CVE-2025-53399:
Linux Debian vulnerability analysis and mitigation
Overview
CVE-2025-53399 affects Sipwise rtpengine versions before 13.4.1.1, where an origin-validation error in the endpoint-learning logic of the media-relay core allows remote attackers to inject or intercept RTP/SRTP media streams via RTP packets. The vulnerability was discovered in April 2025 and fixed in version 13.4.1.1 released on July 3, 2025. The issue affects all rtpengine deployments except those configured with strict source and learning disabled (NVD, OpenWall).
Technical details
The vulnerability stems from improper validation in rtpengine's endpoint-learning mechanism, which is designed to handle NAT scenarios. The flaw affects multiple learning modes including delayed (default), immediate, and heuristic, with only no-learning mode being secure when combined with strict source flag. The vulnerability received a CVSS v4.0 score of 9.3 (Critical), indicating high exploitability and impact. In SDES-SRTP implementations, rtpengine fails to validate authentication tags properly, allowing both RTP Bleed and RTP Inject attacks. For DTLS-SRTP, the vulnerability allows RTP Bleed but not RTP Inject due to specific logic implementation (OpenWall).
Impact
The vulnerability enables two primary attack vectors: RTP Bleed, allowing attackers to redirect victim's media to attacker-controlled hosts, and RTP Inject, enabling insertion of arbitrary RTP packets into active calls. These attacks can be executed without requiring man-in-the-middle positioning. For plaintext RTP, this affects both media integrity and confidentiality. In SRTP scenarios, it can lead to Denial of Service as RTP packets are misdirected to attackers instead of legitimate recipients (OpenWall).
Mitigation and workarounds
The recommended mitigation is to upgrade to version 13.4.1.1 or later. For SDES-SRTP deployments, it's advised to use both strict source and recrypt flags for complete protection. The heuristic learning mode should be used in conjunction with the strict source flag. The new version limits potential attacks in heuristic mode to the first five packets and introduces a recrypt flag that fully prevents SRTP attacks when both mitigations are enabled. For DTLS-SRTP, the fix ensures SRTP validation occurs before learning mode (OpenWall).
Community reactions
The vulnerability has been classified as Critical with a CVSS score of 9.3, drawing significant attention in the VoIP security community. Enable Security, who discovered the vulnerability, worked closely with Sipwise for several months to develop and verify the fixes (SecurityOnline).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management