Improper access control in FreeSWITCH - CVE-2021-41158
Published: October 25, 2021 / Updated: May 15, 2026
freeswitch
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in the SIP request handling logic when processing crafted SIP authentication challenges. A remote attacker can send a specially crafted SIP challenge with the realm set to that of a configured gateway to disclose sensitive information.
One demonstrated attack path involves initiating a call to a directory number, which in the default configuration may be reachable through the external SIP profile without authentication.
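A detection sketch for the condition described above, added here as an example and not taken from FreeSWITCH or from this advisory: it flags 401/407 SIP challenges whose realm matches a configured gateway but whose source address is not that gateway. The gateway inventory, addresses, function names and SIP messages are constructed assumptions.

```python
import re

# Hypothetical inventory: gateway realm (lowercase) -> source IPs that gateway really uses.
GATEWAY_REALMS = {"sip.carrier.example": {"198.51.100.10"}}
CHALLENGE_HEADERS = ("www-authenticate", "proxy-authenticate")
STATUS_RE = re.compile(r"^SIP/2\.0\s+(401|407)\b")
REALM_RE = re.compile(r'\brealm\s*=\s*(?:"([^"]*)"|([^\s,]+))', re.I)

def challenge_realms(raw):
    """Return realms found in a 401/407 SIP response; [] for any other message."""
    lines = raw.replace("\r\n", "\n").split("\n")
    if not STATUS_RE.match(lines[0]):
        return []
    realms = []
    for line in lines[1:]:
        if line == "":
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        match = REALM_RE.search(value)
        if name.strip().lower() in CHALLENGE_HEADERS and match:
            realms.append((match.group(1) or match.group(2) or "").lower())
    return realms

def suspicious_challenges(events):
    """Flag challenges that carry a gateway realm but come from a non-gateway address."""
    hits = []
    for src_ip, raw in events:
        for realm in challenge_realms(raw):
            allowed = GATEWAY_REALMS.get(realm)
            if allowed is not None and src_ip not in allowed:
                hits.append((src_ip, realm))
    return hits

def _resp(code, header, realm):
    """Build a constructed SIP challenge response for the sample data."""
    return (f"SIP/2.0 {code} Unauthorized\r\nVia: SIP/2.0/UDP 192.0.2.1:5080\r\n"
            f'{header}: Digest realm="{realm}", nonce="abc123"\r\n'
            "Content-Length: 0\r\n\r\n")

# Constructed (source address, raw SIP message) pairs as seen by the server.
SAMPLE_EVENTS = [
    ("198.51.100.10", _resp(401, "WWW-Authenticate", "sip.carrier.example")),  # gateway
    ("203.0.113.77", _resp(407, "Proxy-Authenticate", "sip.carrier.example")),  # flagged
    ("203.0.113.77", _resp(401, "WWW-Authenticate", "other.example")),  # unknown realm
    ("203.0.113.77", "INVITE sip:1000@192.0.2.1 SIP/2.0\r\nContent-Length: 0\r\n\r\n"),
]

if __name__ == "__main__":
    print(suspicious_challenges(SAMPLE_EVENTS))
```

The source-address comparison is a heuristic: a gateway that answers from several addresses needs all of them listed in the inventory.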